Giving Mainframe Ops the Tools They Need
As a Systems Programmer or Technical Operations Manager, you are undoubtedly the individual who knows the complexities of your systems. You know that response times are key.
But is it possible you’re taking mainframe security for granted? Products like RACF, ACF2, and TopSecret are essential for establishing permissions and access control, but they aren’t a complete security solution. Integrity vulnerabilities at the OS level have the potential to bring your organization to its knees, but too many mainframe teams aren’t scanning for them.
01 Initial Scan
Initial scan to baseline the production systems using a hardening environment
02 Review VDRs
Review each Vulnerability Detail Report (VDR) and add details to the Risk Management System
03 Provide VDRs
Provide VDRs to vendors
04 Apply Patches
Apply code vulnerability patches obtained from vendors
05 Rescan
Rescan to verify the code vulnerability has been addressed
06 Maintenance Scan
Scan every time maintenance is applied
Questions to Ask to Determine Gaps
Question 1
Do you scan your Mainframe for configuration vulnerabilities?
Are you aware that code-based operating system and third-party software vulnerabilities exist on your mainframes?

Question 2
Are you aware of the IBM z/OS Statement of Integrity?
Have you read it, and do you understand your responsibilities? Are you aware that the IBM z/OS Statement of Integrity only applies to the IBM code?
It does not apply to any ISV code or installation-written code. You, the z/OS system owner, are responsible for verifying the integrity of any code you add to z/OS.
Question 3
You have a mainframe patch management policy and practice.
Does this practice include applying integrity patches from each of your software vendors?


Question 4
The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.
Are you aware that mainframe integrity vulnerabilities are not documented in the NIST National Vulnerability Database?
Question 5
Are you aware that it is your company's responsibility to score these vulnerabilities in your risk management system?

Key Resources Can Help
Key Resources, Inc. understands these challenges. We’ve developed a range of products and services to help mainframers in every industry, including financial services, healthcare and government, protect their most valuable IT assets.
Learn more about:
- z/Assure® VAP – the only product that automatically scans for and identifies vulnerabilities in mainframe operating system (OS) code.
- z/Assure® CAM – an automated tool that assesses mainframe security configurations and evaluates compliance.
- Integrity Assessment Services – helps enterprises discover their risk exposure and take steps to protect their business from the types of breaches that lead to financial harm or regulatory violations.