Giving Mainframe Ops the Tools They Need

As a Systems Programmer or Technical Operations Manager, you are undoubtedly the individual who knows the complexities of your systems. You know that response times are key.

But, is it possible you’re taking mainframe security for granted? Products like RACF, ACF2, and TopSecret are essential for establishing permissions and access control, but they aren’t a complete security solution. Integrity vulnerabilities on the OS-level have the potential to bring your organization to its knees, but too many mainframe teams aren’t scanning for them.

03 Provide VDRs

Provide VDRs to vendors

02 Review VDRs

Review each Vulnerability Detail Report (VDR) and add details to the Risk Management System

01 Initial Scan

Initial scan to base line the production systems using a hardening environment

Vulnerability Management Lifestyle

04 Apply Patches

Apply code vulnerability patches obtained from vendors

05 Rescan

Rescan to verify the code vulnerability has been addressed

06 Maintenance Scan

Scan every time maintenance is applied

Questions to Ask to Determine Gaps

Question 1

Do you scan your Mainframe for configuration vulnerabilities?

Are you aware that code-based operating system and third-party software vulnerabilities exist on your mainframes?

#
#

Question 2

Are you aware of the IBM z/OS Statement of Integrity?

Have you read it and understand your responsibilities? Are you aware that the IBM z/OS Statement of Integrity only applies to the IBM code?

It does not apply to any ISV code or installation written code. You, the z/OS system owner, are responsible for verifying the integrity of any code you add to z/OS.

Question 3

You have a mainframe patch management policy and practice.

Does this practice include applying integrity patches from each of your software vendors?

#
#

Question 4

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Are you aware that mainframe integrity vulnerabilities are not documented in the NIST National Vulnerability Database?

Question 5

Are you aware that it is your companies responsibility to score these vulnerabilities in your risk management system?

#

Key Resources Can Help

Key Resources, Inc. understands these challenges. We’ve developed a range of products and services to help mainframers in every industry, including financial services, healthcare and government, protect their most valuable IT assets.

Learn more about:

  • z/Assure® VAP – the only product that automatically scans for and identifies vulnerabilities in mainframe operating system (OS) code. Learn More
  • z/Assure® CAM – an automated tool that assesses mainframe security configurations and evaluates compliance. Learn More
  • Integrity Assessment Services – helps enterprises discover their risk exposure and take steps to protect their business from the types of breaches that lead to financial harm or regulatory violations. Learn More