- Paperback: 543 pages
- Publisher: IT Governance Institute (December 1, 2003)
- Language: English
- ISBN-10: 1893209393
- ISBN-13: 978-1893209398
- Package Dimensions: 8.9 x 6 x 1.1 inches
- Shipping Weight: 1.6 pounds
- Average Customer Review: Be the first to review this item
- Amazon Best Sellers Rank: #10,135,047 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
OS/390-Z/OS Security, Audit and Control Features Paperback – December 1, 2003
z/OS has evolved from its first introduction in 1964 when it was known as S/360, then MVS (multiple virtual system) and more recently OS/390. During the mid-1980s, with the introduction of client-server and open systems, much was written claiming that the mainframe was dead. The stand-alone mainframe is clearly a thing of the past, but the IBM mainframe is very much alive. This book offers an excellent approach to auditing and securing the z/OS-OS/390 operating environment. Native z/OS-OS/390 security has never been an acceptable way to secure this operating system and relies extensively on external security managers (ESMs), such as IBM's Resource Access Control Facility (RACF)-now called SecureWay Security Server, CA-ACF2 and CA-TopSecret to augment its security. This book focuses on z/OS-OS/390 from an RACF perspective but provides substantial information and guidance on auditing this operating system also secured by CA-ACF2 and CA-TopSecret.
z/OS-OS/390 security constructs have not changed significantly over the years. This book, however, provides up-to-date descriptions of these constructs and an approach to ensure they are working effectively. The initial chapters describing z/OS-OS/390 internals provide a good basis for understanding the bread and butter of the operating system's security. The storage protection, IPL nucleus initialization program for initial program load, authorized program facility, supervisor calls, program properties table, job entry subsystem, time-share option and OS/390 UNIX system services sections hit the mark quite well.
The strength of this book is the appendices, which make up about 40 percent of its content. The figures and exhibits are also good real-world examples of exits, parameters, system utilities and assembly code that facilitate the audit of z/OS-OS/390.
The book requires the reader to have a working knowledge of OS/390 internals. Although the book was clearly written with IS auditors and systems programmer professionals in mind, it is a valuable reference guide for those who need to understand the operating system's basic security structure.
The MVS-z/OS-OS/390 audit work program is a valuable guide, designed to be used with or without the use of an automated OS/390 assessment tool. The book provides a list of automated assessment tools such as CA-Examine, Consul/eAudit and Vanguard Analyzer. However, online OS/390 utilities and service aids are predominantly used in the audit of this operating system.
This book is related to a JES2 OS/390 environment under the control of IBM's RACF security product. The RACF chapter is a good primer for RACF functionality and provides a case study in the audit of OS/390. Although RACF, CA-ACF2 and CA-TopSecret have functional differences in their security architecture, the RACF example can easily be translated to include similar CA-ACF2 and CA-TopSecret features.
z/OS-OS/390 has evolved over time to be a glorified files server, but it remains the leading operating system for large institutions' platforms for high-volume legacy application systems of record (SOR). With the advent of the US Health Insurance Portability and Accountability Act and Sarbanes-Oxley Act, z/OS-OS/390 remains a high-risk area of focus. z/OS-OS/390 and ESM security remain robust; however, they do require the same level of security and audit attention that they did in the past. Experience has shown that all these ESM security features, while strong, are still installation-selectable. The effectiveness of z/OS-OS/390 security and control is still peculiar to the installation for any given institution.
Overall, this is a clear, concise and well-defined depiction of z/OS-OS/390 security, audit and control. The book is long overdue and a must-read for those interested in ensuring the security, audit and control of z/OS-OS/390. --ISACA Journal, Volume 5, 2005
No customer reviews
|5 star (0%)|
|4 star (0%)|
|3 star (0%)|
|2 star (0%)|
|1 star (0%)|