Information Security Training
from the Henderson Group

HG75: How to Audit MVS Security


(1 Day, 8 CPE Credits; $410)



  • This class is currently not scheduled. It can be presented in-house or to ISACA chapters. You may want to consider HG64, which has similar material combined with other topics.

This class shows you how to audit security for MVS (Multiple Virtual System), the most widely used operating system for IBM mainframe computers. (MVS is the core of the OS/390 and z/OS system software packages.)

IBM mainframes and the MVS operating system are flourishing in greater numbers than ever before. Now that they are being connected to the Internet, many of the security assumptions we have relied on ("Well, anyone can read this data, but it's only our employees who can get into the system anyhow") are no longer valid.

This class shows you how to evaluate your organization's MVS security. It explains the three hardware controls that form the basis of all MVS security, how MVS uses the hardware controls, and why IBM gave us backdoors to these controls. You will learn how backdoors are often left uncontrolled, how such backdoors can be hacked (including a specific example of a common hackers' approach), and how to control the backdoors.

You will learn a systematic approach to auditing all this, and to making practical recommendations for improvement in MVS security.

You will learn:

  • How MVS security works and why there are backdoors
  • How the hardware controls work, what backdoors exist, and how to find them
  • Where the control points are and how to evaluate them
  • What data to collect and how to interpret it
  • How to conduct the audit, from planning and scoping through follow-up
  • What all the related buzzwords and acronyms mean
  • How to conduct the audit rapidly and efficiently, with maximum benefit to your organization
The workbook is a valuable reference, and includes a complete audit program.

For more information on seminar dates, locations, and hotels, and how to register, please click here:
Schedule/Registration/Locations/Hotels

Who Should Attend HG75?
  • Information Technology auditors who will be auditing MVS
  • Financial auditors who want to learn more about IT auditing

Please note that you can save money by holding these classes in-house. Call Stu at (301) 229-7187 for details.

Note also the classes we offer for Information Security Training, as listed on the left under QUICK LINKS.

"This class met every one of my expectations, and has greatly enhanced my technical understanding of MVS." ---Tom Gibson, Dow Corning

"Stuart Henderson explains technical subjects in a manner that all types of audiences will enjoy (technical, non-technical, users, administrators)." ---Glenn Carr, MDOT MVS/ISC


     Table of Contents and Class Outline: HG75: How to Audit MVS

I.    Concepts and Keywords
          A.     Introduction
                   (Explanation of MVS, VTAM, TSO, CICS, LPAR, CPU, Sysplex,
                   SAF, and others)
          B.     How MVS Security Works -- Two Aspects
          C.     How MVS Security Works -- the Details
                     Hardware Controls
                               Supervisor State Versus Program State
                               Protect Keys
                               Address Spaces
                     How MVS Uses the Hardware Controls
                     Backdoors
                     IBM's Integrity Statement for MVS
                     System Symbols
          D.     Control Objectives
          E.     The Audit Program

II.   Action Plan
          A.     Scoping, Planning and Basic Data Gathering
                     Key Sources of Information for an MVS Audit
          B.     Identify What Backdoors Exist
          C.     Identify Authorized Backdoors and Compare
          D.     Evaluate Change Control and Security Software Rules
          E.     Evaluate Assurance Over Each Backdoor
          F.     Summarize
          G.     Wrap-up, Working Papers, and Follow-Up

III.  Forms and Reference
          A.     Basic Security Model
          B.     Forms to Summarize MVS Images
          C.     Audit Plan
          D.     Model Documents
          E.     SYS1.PARMLIB

INDEX

