Ever stricter laws and guidelines are putting increasing pressure on corporate audit departments to further improve their IT security and optimize reporting. However, the laws and guidelines generally do not specify concrete IT measures that can be readily implemented. Instead, best practice approaches described in the BSI IT list of basic security measures apply. Companies are faced with the challenge of turning the measures listed there into concrete evaluation rules or policies. We provide hands-on recommendations on how to implement dynamic IT auditing and show you which requirements need to be met to be on the safe side.
What do you need to look out for when implementing the basic IT security measures?
In general, companies would do well to purchase audit software that delivers clearly defined control procedures in order to ensure that applicable compliance regulations and internal policies are being met. Control procedures part of standard packages should be designed in a way that ensures smooth integration into corporate z/OS environments. The solution must account for data from global RACF settings, the RACF database, SMF records as well as z/OS system settings. The control procedures should be both well documented and scalable. Furthermore, the software employed should provide for flexible expansion. Whenever a company sees the need for adding new control procedures, it is important that these can be created or purchased at short notice. Moreover, the system must be able to process large volumes of system data in a fast and efficient manner, such as analyzing event logs.
Analyzing Audit Reports
Effective evaluation is tied to the ability to generate audit reports, which, ideally, should provide a traffic light-style summary of check results that are automatically delivered to the respective persons in charge. Summary reports should allow companies to quickly determine whether deviations exist – and if they do, this information should enter into the detailed report. ‘Dynamic auditing’ enables companies to immediately identify critical states and events in their IT systems and to ensure continuous, documented monitoring.
The audit reports should allow for optimizing production workflows such that each relevant policy is complied with. This significantly improves the level of IT security and quality. Last but not least, the audit software should empower companies to handle rising audit workloads with a set number of employees.
The Discovery Product Generation now available provides companies with a single point of information for processing all relevant information from z/OS and non-z/OS sources based on comprehensive standard analyses and reports. Integrated monitoring of the z/OS and RACF system configurations is implemented according to the BSI list of basic security measures and the ISO 2700X security standard.
Upon request, we are happy to provide you with detailed information on control procedures for RACF settings, RACF database evaluations, RACF SMF evaluations and z/OS system configurations.