HG74: How to Audit RACF

(3 Days, 24 CPE Credits; $1825)

This class shows you how to audit RACF (Resource Access Control Facility), the most widely used information security software for IBM mainframe computers. (RACF is part of IBM's SecureWay Security Server line of products.)

You will learn in clear, simple terms how RACF provides information security for MVS, OS/390, and z/OS, including security for CICS, USS (UNIX under MVS), TCP/IP, and the WebSphere Internet Server. The class provides a structured approach to auditing any RACF implementation quickly, easily, and effectively.

HG74: You Will Learn:

  • What RACF is and How to Audit it
  • How RACF Relates to Other System Software
  • Where the control points are and how to evaluate them
  • The Two Key Printouts to Evaluate a RACF Implementation
  • What data to collect and how to interpret it
  • How to conduct the audit, from planning and scoping through follow-up
  • What all the related buzzwords and acronyms mean
  • How to conduct the audit rapidly and efficiently, with maximum benefit to your organization

The workbook is a valuable reference, and includes a complete audit program.

Who Should Attend HG74?

Class Outline

   Table of Contents and Class Outline: HG74: How to Audit RACF
I.     Concepts and Keywords
          A.     Introduction                                      
                     A Working Example                       
                     Audit Rules                                   
          B.     How Information Security Works  --  Two Aspects  
          C.     How RACF Security Works -- the Details           
          D.     The Two-by-five Audit Approach
          E.     The Big 5 Questions                              
          F.     Data Sources and Tools                           
          G.     Control Objectives                               
          H.     The Audit Program                                

II.     Action Plan                                               
          Scoping, Planning and Basic Data Gathering              
          The Five-Step Audit Program                             
                     A.     Access to the System                  
                     B.     Access to Data                        
                     C.     Access to Resources                  
                     D.     Authority to Change Rules            
                     E.     Separation of Authority              
          Wrap-up, Working Papers, and Follow-Up                 

III.   Forms and Reference
          A.     Basic Security Model                            
          B.     Forms to Summarize RACF Implementation          
          C.     Audit Plan                                      
          D.     Model Documents                                 
          E.     RACF Fundamentals                               
          F.     SMF Data and the RACFRW                         
          G.     RACF Database Unload Utility Guide              
          H.     RACF Audit Checklist                            
          I.     SETR LIST Guide                                 
          J.     DSMON Guide                                     


Please note that these seminars are available for In-House Sessions.

You can save more money by learning about our seminar Discounts

Stu Henderson offers MVS security audits, consulting, seminars, articles, and other information sharing related to information security and auditing. His consulting includes security reviews, risk assessments, RACF implementation assistance, and Information Technology audit technical counseling.
His most popular seminars provide RACF training and mainframe audit training, including MVS and z/OS audit training. His RACF seminars include "Effective RACF Administration", "Advanced RACF Administration", and "UNIX (USS) for RACF Administrators".
His audit seminars include "How to Audit MVS, RACF, ACF2, TopSecret, CICS, DB2, and MQ Series Security" and the follow-on "How to Audit z/OS with USS, TCP/IP, FTP, and the Internet".
Information on class locations and schedules, as well as articles, links, and other useful information, may be found on his website at www.stuhenderson.com.