The purpose of MASE is to tame the imposing problem of IBM z/OS computer security and system integrity auditing. MASE replaces ad hoc audit methods with a disciplined, standardized approach. Once implemented, MASE performs a complete security audit daily – automatically.
MASE automatically performs a thorough audit on IBM Mainframes running z/OS (MVS) and RACF. MASE produces a security and audit scorecard that reports deviations from installation specific security standards and IBM best practices. MASE reports on all the important RACF security system parameters, profiles and privileges, making IBM RACF analysis and reporting easy while assuring that z/OS integrity is maintained.
Standards Based System Auditing
MASE enforces an iterative approach. Specifications for a secure system are established, deviations from specifications are measured, and then specifications are automatically updated.
With MASE the cost of z/OS installation security reporting and compliance is reduced while integrity is increased.
When discrepancies between standards and implementation are detected, corrections are applied through repeated cycles of policy updates and improvements. Standards on related facilities and systems are synchronized.
Operational Standards
The foundation of an effective, complete system security and integrity audit process is the creation of a thorough set of standards. Policy statements will not do the job – specific standards are required.
For instance, on z/OS the policy might be: “Only security officers and selected system programmers shall be granted system security privileges.” For policy compliance to be measured and evaluated the policy has to be operationalized as a standard. In this case the standard would list every user qualified to have these privileges based on the policy. Then the state of the security system can be evaluated by determining discrepancies from this list.
MASE provides a quick way to develop baseline standards that are very specific, containing thousands of items. For example, items in the standards include datasets that are considered sensitive, users having system privileges, and modules that are permitted to have the security bypass parameters. The automatically generated standards must undergo review. Once the standards are validated they are stored in the MASE database and used as the baseline against which the actual data on the mainframe is measured.
Continuous Audit
MASE uses the z/OS operating system's existing features and exploits IBM's reporting mechanisms for RACF to perform a thorough security and integrity analysis in minutes rather than days.
MASE is split into mainframe and server processes. The mainframe process periodically captures information regarding access protection and system integrity for each RACF database and each z/OS facility and system image. This information is sent from each mainframe to the MASE/zOS Server. The MASE Server stores the information and evaluates it based on a set of installation specific standards. The MASE server triggers a discrepancy whenever there is a difference between the installation specific standard and the actual security parameter or privilege on the mainframe. MASE also reports on deviations from IBM best practices. The MASE client software makes discrepancies easy to review with all data available in Excel for custom analysis.
MASE results in improved security and system integrity. Many installations use MASE to perform a daily self-audit that assures that RACF is protecting vital system resources and is controlling what users can do on the operating system.
MASE also assures that the installation easily meets internal and external auditing requirements. MASE is often used to assure Sarbanes-Oxley compliance.
MASE performs the following functions in support of a continuous audit of RACF and z/OS:
MASE automates the process of developing and managing security standards. A system extract is used to populate an initial load of the MASE standards. These can be edited within MASE and supplemented by manually entered standards.
Once the standards are validated, MASE gathers daily extracts of all required security information from each monitored system. These extracts are gathered on the mainframe and then converted and loaded into the MASE database.
As each daily extract is loaded into MASE, a deviation analysis is automatically performed. The result is a series of summary and detailed discrepancy reports. These reports list all items that do not meet standards and all discrepancies that have been resolved. MASE also reports on deviations from IBM best practices.
MASE manages the process of resolving discrepancies. MASE is used to acknowledge or close discrepancies.
When Standards are updated MASE synchronizes the standards across all related facilities and systems.
MASE provides Excel based reports for audits and easy analysis of historical trends.
MASE continuous audit and policy compliance software for RACF measures compliance with repeatable, defined, and managed processes. The result is better security and cleaner audits with much lower costs.
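The deviation analysis described above, a validated standard compared against each daily extract with new, still-open and resolved discrepancies reported, can be sketched as follows. This is an added example, not MASE code: the data model, function names, user IDs and sample values are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discrepancy:
    item: tuple       # (category, key), e.g. ("USER_PRIV", "TEMP042")
    expected: object  # value in the standard, None if the item is not listed
    actual: object    # value in the extract, None if the item is absent

def find_deviations(standard, extract):
    """Return {item: Discrepancy} for every item where the extract differs
    from the standard, including items present on only one side."""
    found = {}
    for item in standard.keys() | extract.keys():
        expected, actual = standard.get(item), extract.get(item)
        if expected != actual:
            found[item] = Discrepancy(item, expected, actual)
    return found

def daily_report(standard, extract, previously_open):
    """Split today's deviations into new, still-open and resolved."""
    today = find_deviations(standard, extract)
    return {
        "new": sorted(i for i in today if i not in previously_open),
        "open": sorted(i for i in today if i in previously_open),
        "resolved": sorted(i for i in previously_open if i not in today),
        "details": today,
    }

# Constructed sample data (hypothetical user IDs and layout).
# The standard operationalizes the policy: it names every user who may
# hold a system privilege and the required value of a system parameter.
STANDARD = {
    ("USER_PRIV", "SECADM1"): "SPECIAL",
    ("USER_PRIV", "SYSPRG1"): "SPECIAL",
    ("SETROPTS", "PROTECTALL"): "FAILURES",
}
EXTRACT = {  # today's state as captured on the mainframe
    ("USER_PRIV", "SECADM1"): "SPECIAL",
    ("USER_PRIV", "SYSPRG1"): "SPECIAL",
    ("USER_PRIV", "TEMP042"): "SPECIAL",     # privilege not in the standard
    ("USER_PRIV", "OPER07"): "OPERATIONS",   # flagged yesterday, still there
    ("SETROPTS", "PROTECTALL"): "FAILURES",  # flagged yesterday, now corrected
}
PREVIOUSLY_OPEN = {("USER_PRIV", "OPER07"), ("SETROPTS", "PROTECTALL")}

if __name__ == "__main__":
    for section, items in daily_report(STANDARD, EXTRACT, PREVIOUSLY_OPEN).items():
        print(section, items)
```
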