To install click the Add extension button. That's it.

The source code for the WIKI 2 extension is being checked by specialists of the Mozilla Foundation, Google, and Apple. You could also do it yourself at any point in time.

How to transfigure the Wikipedia

Would you like Wikipedia to always look as professional and up-to-date? We have created a browser extension. It will enhance any encyclopedic page you visit with the magic of the WIKI 2 technology.

Try it — you can delete it anytime.

Install in 5 seconds
4,5
Kelly Slayton
Congratulations on this excellent venture… what a great idea!
Alexander Grigorievskiy
I use WIKI 2 every day and almost forgot how the original Wikipedia looks like.
Live Statistics
English Articles
Improved in 24 Hours
Added in 24 Hours
What we do. Every page goes through several hundred of perfecting techniques; in live mode. Quite the same Wikipedia. Just better.
Great Wikipedia has got greater.
.
Leo
Newton
Brights
Milds

Mainframe audit

From Wikipedia, the free encyclopedia

A mainframe audit is a comprehensive inspection of computer processes, security, and procedures,with recommendations for improvement.

YouTube Encyclopedic

  • 1/3
    Views:
    36 294
    15 458
    3 722
  • MCITP 70-640: Windows File Auditing
  • DEF CON 22 - Philip “Soldier of Fortran” Young - From root to SPECIAL: Pwning IBM Mainframes
  • The IBM z13s & z13 hardware and software stack explained

Transcription

Definition of mainframe

A mainframe computer is not easy to define. Most people associate a mainframe with a large computer, but mainframes are getting smaller all the time. The terms mainframe and enterprise server are converging. Supercomputers are generally used for their speed and complexity, while mainframes are used for storing large volumes of sensitive data. Mainframes are typically the most secure, efficient, and cost-effective computing option for organizations dealing with transactions on a large, enterprise-level scale.

Considerations

Organizations in different industries have different auditing and security requirements. Some factors affecting the organizations' requirements are: regulatory requirements and other external factors; management, objectives, and business practices; and the organizations' performance compared to the industry. This information can be obtained by conducting outside research, interviewing employees, touring the data center and observing activities, consultations with technical experts, and looking at company manuals and business plans.

Another consideration is the level of mainframe access employees have and if password policies are in place and followed. Evidence of implementation can be obtained by requesting employee manuals, evaluating the software and user histories, and by physical observation of the environment. (Gallegos, 2004).

Physical access is also an area of interest. Are cables adequately protected from damage and sniffing between the Network and the Data Center? This can be achieved by proper routing of the cables, encryption, and a good network topology. Physical observation of where the cables are routed and confirmation of the security procedures should be obtained. Tests of controls should be conducted to determine any additional weaknesses.

Does the mainframe have access to an adequate uninterruptible power supply? Are physical controls such as power badges for access, fire suppression devices, and locks in place to protect the data center (and the mainframe inside) from theft, manipulation or damage? Physical observation is necessary to ensure these requirements.

The Operating System

  • What controls are in place to make sure the system is continually updated?
  • Is the software configured to do updates, or is it done by the system technicians?
  • Controls should be in place to deter unauthorized manipulation or theft of data.
  • Proper separation of duties also needs to be verified. The company’s internal controls need to be tested to determine if they are effective.
  • Samples of entries into the system should be examined to verify that the controls are effective, while unauthorized and suspicious voided transactions need to be investigated. (Gallegos, 2004)
  • Are there any processes on the system that could needlessly compromise other components?
  • Procedures and measures need to be in place to minimize the risk of unauthorized access through Backdoors in the system, such as the Program Properties Table (PPT).
  • There should be an accurate audit trail that can be followed. (The Henderson Group, October, 2001)

Security server

  • Are proper separation of duties implemented and enforced, and are technology and procedures in place to make sure there is a continuous and accurate audit trail?
  • Controls need to be put in place to minimize the risk of unnecessary and unauthorized entry into the system, and the protection of passwords.
  • Computer-assisted audit techniques should be used to scan the system (continuous monitoring is ideal), with human observations conducted to verify procedures, such as to verify that protocols like separation of duties are being followed.
  • Security software such as RACF, ACF2, and Top Secret need to be constantly evaluated to verify that they are providing the necessary security and if additional protection such as new firewalls is needed. (The Henderson Group, August, 2002). These products are the mainframe's main access control mechanism and as such, special care should be applied when analyzing. Verify proper user types are in use and that the sharing of credentials is never accepted.

Application system

  • Is concerned with the performance and the controls of the system.
  • Is it able to limit unauthorized access and data manipulation?

Evaluate whether sufficient evidence was obtained

After performing the necessary tests and procedures, determine whether the evidence obtained is sufficient to come to a conclusion and recommendation.

How is the security of the mainframe maintained?

Mainframes, despite their reliability, possess so much data that precautions need to be taken to protect the information they hold and the integrity of the system. Security is maintained with the following techniques:

  • Physical controls over the mainframe and its components.
  • Encryption techniques.
  • Putting procedures in place that prevent unnecessary and unauthorized entries into a system and that input, output, or processing is recorded and accessible to the auditor. This is particularly important for people with elevated privilege.
  • Security Software such as RACF, ACF2, and Top Secret.
  • Constant testing of the security system to determine any potential weaknesses.
  • Properly protecting backdoor accesses.
  • Continual examination of the techniques to determine effectiveness.

To gauge the effectiveness of these internal controls an auditor should do outside research, physically observe controls as needed, test the controls, perform substantive tests, and employ computer assisted audit techniques when prudent.

References

  • Gallegos, F., Senft, S., Manson, D., Gonzales, C. (2004). Information Technology Control and Audit. (2nd ed.) Boca Raton, Florida: Auerbach Publications.
  • Messier jr., W., F. (2003) Auditing & Assurance Services: A Systematic Approach. (3rd ed.) New York: McGraw-Hill/Irwin.
  • Licker, M., D. (2003). Dictionary of Computing & Communications. New York: McGraw-Hill
  • Philip, G. (2000). The University of Chicago Press: Science and Technology Encyclopedia. Chicago, IL: The University of Chicago Press.
  • O’Brien, J., A., (2002). Management Information Systems: Managing Information Technology in the E-Business Enterprise. 5th ed. New York: McGraw-Hill/Irwin.

External links

This page was last edited on 27 April 2022, at 09:46
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.
Contact WIKI 2
Introduction
Terms of Service
Privacy Policy