“The increased pressure for developers and IT operations is to implement system changes at high velocity and this results in unhardened systems that are often put into production with default settings.”
-Gartner, Best Practices for Secure Policy Configuration Assessment, October 2016
Introducing z/Assure® Compliance Assessment Manager™
z/Assure® Compliance Assessment Manager (CAM) is an automated compliance assessment solution. CAM provides security and operations teams with a continuous method for identifying and alerting on instances in which critical operating system configuration parameters and ESM security settings drift from policy. The solution is security policy driven, and it also allows you to benchmark your security settings against the current DoD DISA STIG and NIST standards.
z/Assure® CAM: A Step by Step Guide to Compliance
- Your first step is to input your company’s security policy parameters into CAM. This machine-readable version of your security policy will contain all of the information CAM needs to create a security baseline against current compliance standards.
- We will then extract your current production security and operating system parameter settings into CAM.
- z/Assure® CAM can then provide an ongoing review using the security policy baseline and OS parameter extract baseline.
- Remediations can then be made to resolve vulnerabilities.
- Your system will be monitored to ensure all remediations were successful and that no new vulnerabilities arose due to these alterations.
Where Do Mainframe Configuration Vulnerabilities Come From?
We’ve all heard the reasons why it’s not practical to manually monitor mainframe security configurations. Yet organizations continue to believe that hackers can’t get to the mainframe because it’s too secure. Mainframes with incorrectly configured parameters can leave your organization exposed, and intermittent audits and assessments leave a huge window of opportunity for attackers.
The top 5 configuration vulnerabilities found with CAM are:
- Excessive Access to APF Libraries
- User IDs with No Password Interval
- Excessive Access to Production Batch Jobs
- Started Task IDs not Defined as PROTECTED
- FTP not Adequately Protected