When discrepancies between standards and implementation are detected,
corrections are applied through repeated cycles of policy updates and improvements.
Standards on related facilities and systems are synchronized.
Operational Standards

For instance, on z/OS the policy might be: "Only security officers and selected
system programmers shall be granted system security privileges." For policy
compliance to be measured and evaluated, the policy has to be operationalized as
a standard. In this case the standard would list every user qualified to hold
these privileges under the policy. The state of the security system can then be
evaluated by determining discrepancies from this list.

MASE uses the z/OS operating system's existing features and IBM's reporting
mechanisms for RACF to perform a thorough security and integrity analysis in
minutes rather than days. MASE is split into mainframe and server processes. The
mainframe process periodically captures information about access protection and
system integrity for each RACF database and each z/OS facility and system image.
This information is sent from each mainframe to the MASE/zOS Server. The MASE
Server stores the information and evaluates it against a set of
installation-specific standards. The MASE Server raises a discrepancy whenever
there is a difference between the installation-specific standard and the actual
security parameter or privilege on the mainframe. MASE also reports deviations
from IBM best practices. The MASE client software makes discrepancies easy to
review, with all data available in Excel for custom analysis.

MASE results in improved security and system integrity. Many installations use
MASE to perform a daily self-audit that assures that RACF is protecting vital
system resources and is controlling what users can do on the operating system.
MASE also assures that the installation easily meets internal and external
auditing requirements. MASE is often used to assure Sarbanes-Oxley compliance.
MASE performs the following functions in support of a continuous audit of RACF
and z/OS:
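Added example (not MASE code or real RACF report output): the policy-to-standard-to-discrepancy cycle described above, applied to system privileges. The standard is a map of privilege name to the user IDs allowed to hold it; the captured state is a constructed, simplified extract; every user ID and the extract format are assumptions made for this illustration.

```python
# Added illustration of the standard-vs-actual-state check; the extract format,
# privilege assignments and user IDs below are constructed, not real RACF data.
from dataclasses import dataclass

# The operational standard: which user IDs the policy allows to hold each
# system privilege (constructed example values).
STANDARD = {
    "SPECIAL": {"SECADM1", "SECADM2"},
    "OPERATIONS": {"SYSPRG1"},
    "AUDITOR": {"SECADM1", "AUDIT01", "AUDIT02"},
}

# Constructed snapshot of the captured state: "userid,space-separated
# privileges" per line (a simplified stand-in, not real RACF output).
SNAPSHOT = """\
SECADM1,SPECIAL AUDITOR
SECADM2,SPECIAL
SYSPRG1,OPERATIONS
SYSPRG2,OPERATIONS SPECIAL
AUDIT01,AUDITOR
APPUSR1,
"""

@dataclass(frozen=True)
class Discrepancy:
    privilege: str
    userid: str
    kind: str  # "unauthorized": held but not in standard; "missing": in standard but not held

def parse_snapshot(text):
    """Return {privilege: set(userids)} from the simplified extract."""
    held = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        userid, _, privs = line.partition(",")
        for priv in privs.split():
            held.setdefault(priv, set()).add(userid.strip())
    return held

def find_discrepancies(standard, held):
    """Compare captured state against the standard in both directions."""
    found = []
    for priv in sorted(set(standard) | set(held)):
        allowed, actual = standard.get(priv, set()), held.get(priv, set())
        found += [Discrepancy(priv, u, "unauthorized") for u in sorted(actual - allowed)]
        found += [Discrepancy(priv, u, "missing") for u in sorted(allowed - actual)]
    return found
```

Running `find_discrepancies(STANDARD, parse_snapshot(SNAPSHOT))` on the constructed data flags SYSPRG2 as holding SPECIAL and OPERATIONS outside the standard, and AUDIT02 as listed in the standard but not holding AUDITOR; a repeated capture with no differences returns an empty list.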