HG75: How to Audit MVS Security

(1 Day, 8 CPE Credits; $625)
  • Currently available for in-house sessions

Please click: Here for Registration Form

For more information on seminar dates, locations, and hotels, and how to register, please click here:
Schedule/Registration/Locations/Hotels for IS Audit Training

This class shows you how to audit security for MVS (Multiple Virtual System), the most widely

used operating system for IBM mainframe computers. (MVS is the core of the z/OS system software package.)

IBM mainframes and the MVS operating system are flourishing in greater numbers than ever before. Now that they are being connected to the Internet, many of the security assumptions we have relied on ("Well, anyone can read this data, but it's only our employees who can get into the system anyhow") are no longer valid.

This class shows you how to evaluate your organization's MVS security. It explains the three hardware controls which form the basis of all MVS security, how MVS uses the hardware controls, and why IBM gave us backdoors to these controls. You will learn how back doors are often left uncontrolled, how such back doors can be hacked (including a specific example of a common hackers' approach), and how to control the back doors.

You will learn a systematic approach to auditing all this, and to making practical, recommendations for improvement in MVS security.

HG75: You Will Learn:

  • How MVS security works and why there are backdoors
  • How the hardware controls work, what backdoors exist, and how to find them
  • Where the control points are and how to evaluate them
  • What data to collect and how to interpret it
  • How to conduct the audit, from planning and scoping through follow-up
  • What all the related buzzwords and acronyms mean
  • How to conduct the audit rapidly and efficiently, with maximum benefit to your organization

The workbook is a valuable reference, and includes a complete audit program.

Who Should Attend HG75?

  • Information Techology auditors who will be auditing MVS
  • Financial auditors who want to learn more about IT auditing

Class Outline

     Table of Contents and Class Outline: HG75: How to Audit MVS

I     Concepts and Keywords  
          A.     Introduction  
                   (Explanation of MVS, VTAM, TSO, CICS, LPAR, CPU, Sysplex
                   SAF, and others) 
          B.     How MVS Security Works  --  Two Aspects. 
          C.     How MVS Security Works -- the Details. 
                     Hardware Controls. 
                               Supervisor State Versus Program State  
                               Protect Keys 
                               Address Spaces 
                     How MVS Uses the Hardware Controls 
                     IBM's Integrity Statement for MVS. 
                     System Symbols 
          D.     Control Objectives 
          E.     The Audit Program. 

II.     Action Plan 
          A.     Scoping, Planning and Basic Data Gathering 
                     Key Sources of Information for an MVS Audit. 
          B.     Identify What Backdoors Exist.
          C.     Identify Authorized Backdoors and Compare.
          D.     Evaluate Change Control and Security Software
          E.     Evaluate Assurance Over Each Backdoor.
          F.     Summarize.
          G.     Wrap-up, Working Papers, and Follow-Up

III   Forms and Reference
          A.     Basic Security Model
          B.     Forms to Summarize MVS Images.
          C.     Audit Plan
          D.     Model Documents.
          E.     SYS1.PARMLIB


Please note that these seminars are available for In-House Sessions.

You can save more money by learning about our seminar Discounts

Return to Top of Page         Return to Home Page

Stu Henderson offers MVS security audits, consulting, seminars, articles, and other information sharing related to information security and auditing. His consulting includes: security reviews, risk assessments, RACF implementation assistance, and Information Technology audit technical counseling.
His most popular seminars provide: RACF training, mainframe audit training including MVS and z/OS audit training. His RACF seminars include: "Effective RACF Administration", "Advanced RACF Administration", and "UNIX (USS) for RACF Administrators".
His audit seminars include: "How to Audit MVS, RACF, ACF2, TopSecret, CICS, DB2, and MQ Series Security" and the follow-on "How to Audit z/OS with USS, TCP/IP, FTP, and the Internet". They also include "How to Audit TCP/IP Security" and "How to Audit UNIX and Windows Security".
Information on class location and schedules, as well as articles, links and other useful information sharing may be found on his website at www.stuhenderson.com