Professional Documents
Culture Documents
ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide
leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international
conferences, publishes the ISACA Journal®, and develops international information systems auditing and control
standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA ®) designation,
earned by more than 60,000 professionals since 1978; the Certified Information Security Manager ® (CISM®)
designation, earned by more than 10,000 professionals since 2002; and the new Certified in the Governance of
Enterprise IT™ (CGEIT™) designation.
Disclaimer
ISACA has designed and created z/OS Security Audit/Assurance Program (the “Work”), primarily as an
informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work
will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same
results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or IT
environment.
Reservation of Rights
© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use, and
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-084-3
z/OS Security Audit/Assurance Program
Printed in the United States of America
Expert Reviewers
Gary S. Baker, CA, Deloitte & Touche, Canada
Per Gøbel Jensen, CISA, CISM, VP Securities Services, Denmark
Larry Marks, CISA, CGEIT, CFE, CISSP, CSTE, PMP, Resources Global Professionals, USA
Reinhard Erich Voglmaier, GlaxoSmithKline Spa – Pharmaceuticals, Italy
Assurance Committee
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CGA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CISSP, Executive Consultant, USA
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Robert G. Parker, CISA, CA, CMC, FCA, Deloittte & Touche LLP (retired), Canada
Erik Pols, CISA, CISM, Shell International - ITCI, Netherlands
Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, ACA, Emirates Airlines, UAE
Table of Contents
I. Introduction.........................................................................................................................................4
II. Using This Document..........................................................................................................................5
III. Controls Maturity Analysis..................................................................................................................8
IV. Assurance and Control Framework......................................................................................................9
V. Executive Summary of Audit/Assurance Focus.................................................................................11
VI. Audit/Assurance Program..................................................................................................................13
1. Planning and Scoping the Audit.....................................................................................................13
2. Preparatory Steps...........................................................................................................................15
3. Operating System Configuration...................................................................................................18
4. PARMLIB.....................................................................................................................................20
5. Appendages...................................................................................................................................26
6. Configuration Change Management..............................................................................................39
7. System Backups.............................................................................................................................42
VII. Maturity Assessment.........................................................................................................................43
VIII. Assessment Maturity vs. Target Maturity—z/OS Only....................................................................48
I. Introduction
Overview
ISACA has developed the IT Assurance FrameworkTM (ITAFTM) as a comprehensive and good-practice-
setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. The ISACA Assurance Committee has commissioned audit/assurance
programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is
intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject
matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance
programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the IT Governance Institute ®
(ITGITM) framework, Control Objectives for Information and related Technology (COBIT®)—specifically
COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF, sections 3400—
IT Management Processes, 3600-IT Audit and Assurance Processes, and 3800—IT Audit and Assurance
Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. They seek to integrate control framework elements used by the
general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the
program, the audit/assurance program describes the audit/assurance objective—the reason for performing
the steps in the topic area. The specific controls follow and are shown in blue type. Each review step is
listed below the control. These steps may include assessing the control design by walking through a
process, interviewing, observing or otherwise verifying the process and the controls that address that
process. In many cases, once the control design has been verified, specific tests need to be performed to
provide assurance that the process associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT control objective that supports the audit/assurance step. The C OBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to
COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a
structure parallel to the development process. COBIT provides in-depth control objectives and suggested
control practices at each level. As the professional reviews each control, he/she should refer to C OBIT or
the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible but generally not necessary to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised
as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The
primary difference between the two frameworks is the additional focus on ERM and integration into the
business decision model. ERM is in the process of being adopted by large enterprises. The two
frameworks are compared in figure 1.
Figure 1—Comparison of the COSO Internal Control and ERM Integrated Frameworks
Internal Control Framework ERM Integrated Framework
Control Environment: The control environment sets the tone of an Internal Environment: The internal environment encompasses the
organization, influencing the control consciousness of its people. It is tone of an organization, and sets the basis for how risk is viewed and
the foundation for all other components of internal control, providing addressed by an entity’s people, including risk management
discipline and structure. Control environment factors include the philosophy and risk appetite, integrity and ethical values, and the
integrity, ethical values, management’s operating style, delegation of environment in which they operate.
authority systems, as well as the processes for managing and
developing people in the organization.
Objective Setting: Objectives must exist before management can
identify potential events affecting their achievement. Enterprise risk
management ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the
entity’s mission and are consistent with its risk appetite.
Event Identification: Internal and external events affecting
achievement of an entity’s objectives must be identified, distinguishing
between risks and opportunities. Opportunities are channeled back to
management’s strategy or objective-setting processes.
The original COSO internal control framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to utilize the five-component model for these
audit/assurance programs. As more enterprises implement the ERM model, the additional three columns
can be added, if relevant. When completing the COSO component columns, consider the definitions of
the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item,
which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be
used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system
of this document provides a ready numbering scheme for the work papers. If desired, a link to the work
paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step, or other notations. It is not to be used
in place of a work paper describing the work performed.
The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control, in figure 2,
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program, and formulate
an objective assessment of the maturity levels of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progression
in the enhancement of controls. However, it must be noted that the perception as to the maturity level may
vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the
concerned stakeholder’s concurrence before submitting the final report to the management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. The sections can be summarized
using the graphic presentation (section VIII) describing the achievement or gaps between the actual and
targeted maturity levels. If this is used, it should be noted that this assessment addresses z/OS only, as
there are generally other operating systems in the enterprise.
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally
applicable standards. Guidelines and procedures provide detailed guidance on how to follow those
standards. IS Auditing Standard S15 IT Controls, and IS Auditing Guideline G38 Access Controls are
relevant to this audit/assurance program.
Utilizing COBIT as the control framework on which IT audit/assurance activities are based, aligns IT
audit/assurance with good practices as developed by the enterprise.
The COBIT IT control process DS9 Manage the configuration from the Deliver and Support (DS) domain,
addresses good practices for ensuring the integrity of hardware and software configurations. This requires
the establishment and maintenance of an accurate and complete configuration repository. DS5.3 Identity
management and DS 5.4 User account management address user identity and the IT control processAI6
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.
1
Scope limitation—Identity management as it relates to technical services users having access to the operating
system only
2
Scope limitation—User account management as it relates to users accessing system functions
z/OS is IBM’s most recent release of its long-running Multiple virtual storage (MVS) operating system
and is a standard operating system used on large-scale mainframe computers.
The typical enterprise mainframe is a capable of supporting multiple operating environments. The Logical
Partition (LPAR) segments a high-capacity hardware configuration into multiple independent operating
units, having separate operating system configurations (images) and complete separation from other
images. This feature facilitates the separation of production, test and development environments; separate
internal and external environments; and isolated web, database and other special purpose environments.
Each image is a distinct operating environment, requiring a separate audit/assurance process. They may
be grouped together, but the configurations need to be reviewed individually, since they are often
configured differently.
Scope—The review will focus on configuration of the relevant z/OS images within the organization, and
the controls over critical operating system (z/OS) libraries, exits to the operating system and supervisor
calls (SVCs). The selection of the applications/functions and specific images will be based upon the risks
introduced to the organization by these systems.
The mainframe environment is complex and utilizes numerous subsystems. Excluded from this review are
the:
Systems network configuration (e.g., System Network Architecture [SNA])
Online processing configuration (e.g., Customer Information Control System [CICS], Information
Management System-Data Communication [IMS DC])
Access control software (e.g., Resource Access Control Facility [RACF], Access Control Facility 2
[ACF2], Top Secret)
Database management systems (e.g., Database 2 [DB2], IMS)
System performance utilities
{The remainder of this paragraph needs to be customized by the audit/assurance professional to describe
which images and applications within the enterprise will be reviewed.}
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
1.6.1 Identify the drivers for a successful review. (This should exist in the assurance
function’s standards and procedures.)
1.6.2 Communicate success attributes to the process owner or stakeholder and obtain
agreement.
1.7 Define required assurance resources.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine audit/assurance skills necessary for review.
1.7.2 Determine estimated total resources (hours) and timeframe (start and end dates)
required for review.
1.8 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams
and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses and the final report.
1.9 Communications
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive
responsible for operating systems and infrastructure.
PREPARATORY STEPS
2.1 Obtain and review the current organization chart for the operating system’s
configuration and security functions.
2.1.1 Identify the key staff and stakeholders.
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
3
This is a sensitive utility and may not be available to the audit/assurance professional. If it is available, it should be used with great caution.
© 2009 ISACA. All rights reserved. Page 16
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
4
This may take some time to generate, but it is prudent to ask for it at the start of the audit and compare with actual exits installed on the z/OS environment. Caution: This
may result in large print jobs. Soft copies may be more prudent.
© 2009 ISACA. All rights reserved. Page 17
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
5
System datasets are those used during the IPL process; datasets used for supporting subsystems of z/OS, such as distribution libraries; SMF datasets; and Local Product Agent
(LPA) imagery library and Authorized Program Facility (APF) libraries.
© 2009 ISACA. All rights reserved. Page 19
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
4.1.2 Identify the high-level qualifier (i.e., SYS1, SYS2, SYSn) for each z/OS image under
review.
4.1.2.1 Identify those datasets with these high-level qualifiers and review the level of
ESM (RACF) protection for each.
4.1.2.2 Determine that the SYSn high-level qualifier is only used for system datasets.
4.1.2.3 If there are other dataset high-level qualifiers for system datasets, then run
RACF list profile commands for each.
4.1.2.4 Determine that all system datasets are not accessible by users outside the
scope of technical support, operations, STC and other subsystem IDs
(required for their job function or processing). Authorized users typically
have update or write access, but it should be based upon need.
4.1.2.4.1 Determine if requests for and review of users having access to the
system datasets is documented and approved by a technical
support manager, and if the access permissions are routinely
reviewed and reapproved.
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
4.1.2.5 Review the RACF global access control (GAC) table for the dataset class.
Verify that there is no entry for system datasets (e.g., APF, SYSn, Linklist,
distribution libraries) that might allow access of greater than READ. 6
4.1.2.6 Verify that datasets considered system level, such as APF, SYSn, Linklist,
are not user datasets. High-level qualifiers of these libraries should not be for
individual TSO user IDs.
4.1.2.7 In a shared DASD environment, verify that APF and system data sets are
protected on all LPARs or CPUs that have access to them.
4.1.2.7.1 Verify that test LPARs that typically have a lower level of
protection do not have access to production APF or system
datasets on shared volumes that exceed what would have
otherwise been controlled in production.
4.1.2.8 Determine TSO and batch privileges with READ-only access to all z/OS
system libraries, APF libraries, link list, JES2 procedure libraries and system
programmer user libraries.
4.1.2.9 Determine the systemwide RACF auditor attribute or equivalent in other
ESM (external security manager, i.e., CA-ACF2 or CA-TSS).
PARAMETER LIBRARY (PARMLIB)
Audit/assurance objective: PARMLIB configuration controls should be in effect to limit access to
the PARMLIB; only authorized entries should be in the PARMLIB; and instructions for PARMLIB
overrides or use of alternate PARMLIBs should be explicitly documented.
DS9.1 X
5.1 PARMLIB datasets and parameters
DS9.2
Control: Only authorized modules are included in the PARMLIB IPL instructions.
6
The risk associated with GAC entries lies in the fact that they allow access overrides to RACF profiles. This means that a RACF profile (discrete or generic) may say that no
access is allowed, whereas the GAC may override it. An additional risk is the lack of audit trail records, since no SMF records are generated for accesses granted due to GAC
entries.
© 2009 ISACA. All rights reserved. Page 22
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
DS9.3
5.1.1 Compile a list of the PARMLIBS that constitute the PARMLIB concatenation for this
z/OS image.
5.1.1.1 Analyze the options available at IPL time by ascertaining:
Will the IEA101A prompt be issued?
If not issued, what are the procedures and practices for responding to this
prompt?
5.1.1.2 Run the appropriate tools to obtain an analysis of PARMLIB. Create a map,
starting with LOADxx, to each IEASYSxx member and all other PARMLIB
members pointed to by director parameters.
5.1.1.2.1 Determine that all members are properly authorized and required
for the system.
5.1.1.2.2 Determine if nonexistent PARMLIB members referenced by
director parameters are needed (for default members, the system
default values may be acceptable).
5.1.1.2.3 Determine if the OPI parameter (OPI=YES) allows the operator to
override parameters during IPL.7
5.1.1.2.4 Determine the purpose for IPL-related PARMLIB members not
specifically referenced by a director parameter. Note: Some
members normally found in PARMLIB, e.g., IKJTSO and
TSOKEY members, are not processed at IPL time.8
7
The risk of having the OPI parameter set to YES is that of delegation control authority of the IPL process to a larger number of people, and also gives rise to the need for
additional controls of the individual IPLs that are performed.
8
Having more members in PARMLIB than are actually required may give rise to confusion and possible mistakes at IPL time.
© 2009 ISACA. All rights reserved. Page 23
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
DS9.1 X
6. Alternate system parameter lists
DS9.2
Control: Alternate PARMLIB lists are documented with explicit instructions on their
DS9.3
use.
6.1.1.1 Verify that computer operations instructions state when it is necessary to use
alternate system parameter lists, LOADxx members or overrides during IPL.
6.2 Authorized program facility (APF)
Audit/assurance objective: Only operating system-related programs and installation preapproved
nonoperating systems programs requiring access to restricted operating system components should
be included in the APF.9
7. APF authorized datasets DS9.2
Control: Only datasets that are vendor supplied or locally developed and approved are X X
DS9.3
APF authorized.
7.1.1.1 Review link listed (LNKLST) data sets that are also APF authorized. 10
7.1.1.2 Load modules with the AC(1) indicator should be reviewed to determine that
they are vendor supplied and required for respective system applications.
7.1.1.3 Determine if nonvendor APF authorized datasets are reviewed and explicitly authorized by
management. Determine if the authorization is reviewed regularly.
7.1.1.4 Review APF libraries and identify APF indicated programs. If the module
appears to be in-house or installation written, request program
documentation, including the source code and possibly an assembly listing
(with PRINT NOGEN).11
9
The APF is used to identify programs that can execute sensitive supervisor service calls (SVCs), restricted macro instructions (e.g., MODESET), and privileged machine
instructions (e.g., LPSW).
10
The risk of compromising z/OS integrity is generally increased, with a higher number of APF authorized load modules.
11
In case the program is inadequately documented, and no reasonable justification for the existence and functions of the module can be found, a code review may be required.
The enterprise should have written documentation as to the purpose and a documented management approval. Review the source code to verify that the programs perform only
© 2009 ISACA. All rights reserved. Page 24
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
7.1.1.5 Verify that the APF libraries are protected via the access control software.
8. Monitoring access to APF library DS9.1
Control: The SMF utility is configured to report unauthorized AFP access or related DS9.2 X X
activities. DS9.3
8.1.1.1 Determine a reasonable period of time for which SMF data should be studied
in order to identify attempts by unauthorized programs to issue restricted
SVCs and all attempts by authorized programs to use programs not residing
in an APF library.
8.1.1.2 Use audit software or the SMF reporting tool to identify SMF type 4 records
for jobs or system events that have abended with codes “047” or “036.”
8.1.1.3 Determine if information security, computer operations and technical services
have procedures for follow-up of such SMF activity.
8.1.1.4 Review follow-up activity to determine the types of incidents and the actions
taken following an incident.
8.2 Program properties table (PPT)
Audit/assurance objective: Only approved APF programs should be listed in the PPT and those
programs have legitimate business reasons for being on the list.12
DS9.1 X X
9. PPT entry properties
DS9.2
Control: PPT entries are authorized and monitored to ensure that only approved
the documented functions requiring APFauthorization and that the functions do not violate systems integrity or bypass system security.
12
The PPT only specifies the name of the program to be granted special privileges, i.e., there is no linking of the program name to any specific program library; therefore, the
properties defined in PPT entries are assigned to APF-authorized programs based on their names only. Unapproved APF programs carrying the same name as a program on the
PPT list will automatically obtain the special privileges defined in the properties, from the beginning of its execution, without having to request these privileges at all. It may
thus be possible for bogus programs to acquire special privileges by simply having the same name as programs legitimately included in the PPT, provided that they are placed in
APF libraries.
© 2009 ISACA. All rights reserved. Page 25
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
13
Entries supplied by IBM are in a member in SYS1.LINKLIB (IEFSDPPT). These entries should never be modified. Use AMASPZAP to obtain a full overview of these
properties.
© 2009 ISACA. All rights reserved. Page 26
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
9.1.1.8 Review the z/OS SYSLOG or SMF to determine if an override involving the
SET SCH command has occurred. The SET SCH command can be used to
dynamically modify the contents of the PPT by allowing the operator to
replace the current PPT definitions with another SCHEDxx member
specified on the command. The new PPT definitions take effect
immediately, without the need for an IPL.
10.1.1.1 Verify that only IBM-supplied SVCs are identified as IBM SVCs.
10.1.1.1.1 Use available utilities or tools to identify all IBM-supplied SVCs.
A hex-dump of the in-storage SVCTABLE can be used by using
the TSO TEST command. IBM SVCs typically range from 0 to
199. Entries that are not used by IBM will specify a load module
entry point with IGCERROR. These are empty entries not used
by the IBM z/OS base operating system. Type 1, 2 and 6 SVC
entries reside in the nucleus and are named IGCnnn. Types 3 and
4 reside in the link pack area and are named IGC00nnn.
10.1.1.2 Ensure that all SVCs reside in the appropriate storage areas as described by
the SVC type. For example: 81E18B08 C1008000—The first four bytes are
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
the entry point for this SVC (81E18B08). This is a type 3 or 4 SVC (C1 =
1100 0001). It also has a local lock (80 = 1000 0000).
10.1.1.3 Ensure that SVCs 107, 32, 39, 76, 83 and 85 are restricted SVCs. Restricted
SVCs require that the calling program be APF authorized. Byte 4 bit 4
should be set to “on.”
11. Installation SVCs
Control: Installation SVCs (nonIBM SVCs required for the operating environment DS9.1
internal operating system customizations or third-party software-required SVCs) are DS9.2 X X
approved and monitored. DS9.3
11.1.1.1 Identify the active SVC used by this operating system. (Installation SVCs
typically range from 200-255. These are defined in the IEASVCxx member
in PARMLIB.)
11.1.1.1.1 Verify each vendor product or installation application in use.
(Consider, but do not rely on, the comments for each SVCPARM
entry in the IEASVCxx member.)
11.1.1.2 Identify those SVCPARM entries for vendor products and ensure that the
REPLACE, TYPE and APF indicators are appropriate based on vendor
documentation.
11.1.1.3 Identify those SVCPARM entries for installation, written routines or
applications. There should be supporting documentation for each entry.
(Historically, there have been examples of enterprises having an
“authorizing SVC,” i.e., one that that grants the caller the ability to switch
from problem state to supervisor state and back, without requiring APF
authorization. Such an SVC requires very little code primarily because it
performs very little integrity checking. Use AMBLIST or other utilities or
© 2009 ISACA. All rights reserved. Page 28
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
tools to find SVCs most commonly within the 200-255 range. Primarily look
for any SVC with a length of x‘40’, x‘64’ or less. Code analysis may be
assisted using the TSO TEST command.)
APPENDAGES
Audit/assurance objective: Appendages14 (application routines designed to handle the occurrence of
specific events during job processing and file access) should be documented, approved and monitored.
5.1 Use of appendages DS9.1
Control: The use of approved appendages is documented, subject to a review process and DS9.2 X X
its use is monitored. DS9.3
12.1.1 Determine if there are any appendages15 defined in IEAAPP00 in PARMLIB. Verify
if there are other appendages in other IEAAPPxx members of PARMLIB.
Appendages are named IGG019 plus two characters in the range WA-Z9. User
written appendages include:
ABEAPP—Abnormal-end procedures
CHEAPP—Channel-end procedures
EOEAPP—End-of-extent procedures
PCIAPP—Program-controlled interrupt procedures
SIOAPP—Start I/O procedures
12.1.2 Obtain written documentation on the purpose, origin (vendor), or installation
specification regarding the need for enterprise-added appendage code.
12.1.3 All appendages, given the nature of the system privileges required to execute, should
14
Appendages will be invoked irrespective of the executing program and/or identity of the user. All appendages execute as authorized programs in supervisor state and system
key "0" and therefore have access to sensitive SVCs and restricted macro instructions.
15
These appendages, when listed, can be used by any unauthorized (APF) user program. Otherwise, only programs authorized under APF or running under system protection key
(0-7) may use the EXCP appendages. If the installation does not use EXCP appendages, you need not create IEAAPP00. If the EXCP caller is not in running under a storage key
different from 8 or the job step is not APF authorized, the system verifies that the caller’s appendage names are listed. If the names cannot be found, the system issues a 913
abend. If, however, the caller is authorized, the system loads the appendages without inspecting the list.
© 2009 ISACA. All rights reserved. Page 29
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
13.1.1.1 Verify that all vendor-supplied programs located in the LPA are for
management-authorized products and that LPA residency is recommended.
13.1.1.2 For installation written programs residing in any of the LPAs, request
documentation and management approval. In case documentation/approval
documents cannot be obtained, review the source code by requesting the
assembly listings to verify that the programs perform only the desired
functions and do not bypass system integrity/security.
13.1.1.3 Perform a duplicate program search of the LPAs and link list in the order of
concatenation. Look for differences in the duplicate program names in
module length, link edit date and whether the AC(n) is different. Only the
first occurrence of the program name will ever be executed. 17
13.2 System management facility (SMF)
Objective: The SMF should be enabled and system activity recorded by SMD should be monitored
regularly.18
16
The LPA controls the job pack area, fixed link pack area, modified link pack area, pageable link pack area and link list libraries (in order of concatenation), which are used to
locate the program on the “EXEC PGM=” JCL card. This search sequence can be modified by the use of JOBLIB and STEPLIB DD statements.
17
Investigating the existence of duplicate programs does not lead to information that assists the auditor in determining who has update access to the libraries in question. The
existence of duplicate entries in a production environment only reveals poor housekeeping practices. The suggested use of a production system LPA for testing, hopefully, never
comes to pass. It will always be the recommendation to use a separate LPAR/z/OS image for testing.
© 2009 ISACA. All rights reserved. Page 30
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
DS9.1
14. SMF Configuration
DS9.2 X X
Control: The SMF configuration is set to record significant system activities.
DS9.3
14.1.1.1 Use the appropriate tools and to review current SMF settings. One can also
review the current SMF PARMLIB member pointed to by the SMFxx
director parameter in IEASYSxx; i.e., SMFPRMxx.
14.1.1.2 Ensure that SMF recording is ACTIVE.
14.1.1.3 Identify all SMF datasets being used for logging. These are traditionally
named SYS1.MANx, but may carry any name. Please refer to the
SMFPRMxx member of PARMLIB for names defined in the z/OS image
being audited.
14.1.1.4 Determine that SMF record types required by the enterprise are not being
excluded from logging. The list of critical SMF records should be DS9.2 X
determined based on the requirements of management, the current z/OS
environment and its related subsystems.
14.1.1.5 Use the IFASMFDP utility program to produce a summary report of all
records included within selected SMF datasets. Review to obtain an
overview of the number of SMF records collected for each type. Specifically
verify the absence of SMF record type 7. The existence of this record type
states that SMF records have been lost.
15. SMF exits DS9.1
Control: SMF exits are documented, approved and tested in accordance with DS9.2 X X
installation change management policy. DS9.3
18
SMF is used for the collection of system activity as well as ESM security events in SMF record types 80, 81 or 230. Incorrect settings of SMF parameters can cause records to
not be logged. SMF exits can also selectively or completely suppress SMF logging. Failure to log record types required by the enterprise may result in lack of information for
performance measurement, accounting, (security) event tracking and an incomplete audit trail. When an external security manager (RACF, CA-ACF2 or CA-Top Secret) is
used, the corresponding SMF records must be enabled.
© 2009 ISACA. All rights reserved. Page 31
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
15.1.1.1 Identify all SMF exits active for jobs, started tasks, TSO logons or other
actions. Request a copy of assembly listings without PRINT NOGENs for
code review.
15.1.1.2 Verify that the exits perform only the documented functions and do not
bypass system integrity/security.
15.1.1.3 Verify that the SMF change management adheres to installation change
management policy.
16. SMF Reporting DS9.1
Control: SMF data are retained, include the necessary data for and are controlled in a DS9.2 X X
manner to support security forensics activities. DS9.3
16.1.1.1 Review the procedure for dumping the active SMF datasets.
16.1.1.1.1 Ensure that none of the records collected in the primary SMF
datasets is eliminated in the dumping process.
16.1.1.1.2 Review possible exits that may be activated in the dumping process
since these may selectively eliminate SMF records based on criteria
found within the records themselves (e.g., user ID, jobname).
16.1.1.2 Verify the procedures for storing SMF records. Ensure that the necessary
SMF records are stored in a secure and tamper-proof manner. Further ensure
that the storage cycle is in compliance with the business requirements of the
enterprise and with applicable legislation.
16.1.1.3 Verify that applicable tools exist for creating the reports required by the
enterprise. Such tools should be able to cater to the need for reports raised by
the daily business activities and the ad hoc reports required by, e.g., the
security staff and the auditors.
16.1.1.4 Verify that reports necessary to the business operations of the enterprise are
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
17.1.1.1 Verify that all z/OS subsystems defined in IEASSNxx are authorized and
documented products.
17.1.1.2 Identify any subsystem names that are installation defined. Ensure that
complete documentation and management approval exists.
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
18.1.1.2 Match the JES2 member in PARMLIB to the S JES2 system messages in
the z/OS SYSLOG. If there is a difference or if overrides are present, obtain
operator procedures and management approval to explain the deviations.
18.1.1.3 Review the MSTJCL00 member in PARMLIB and ensure that the JES2
start-up procedure resides in the first library in the IEFPDSI DD statement.
18.1.1.4 Verify ESM security controls over the PROCLIB dataset concatenation.
These datasets should not contain any user or test datasets.
18.1.1.5 Look for duplicate JCL procedure names in the PROCLIB concatenation
list. The first occurrence of a procedure within the PROCLIB concatenation,
referred to by an “EXEC PROC” JCL statement, will be the one executed.
Reconcile the need for the duplicate names since this may introduce integrity
and processing vulnerabilities.
18.1.1.6 If this is a RACF installation, ensure that the JES-BATCHALLRACF
option is active. Display this parameter using the RACF SETROPTS LIST
command. This prevents any job from executing in the z/OS environment
without a valid RACF user ID.
19. JES2 datasets DS9.2 X
Control: The JES2 datasets are configured for maximum security.
19.1.1.1 Identify the dataset(s) used to house the JES2 parameters. This is defined in
the HASPPARM DD statement in the JES2 start-up procedure. Usually the
sequence “JES2PARM” is part of the dataset name. Notice, however, that the
dataset(s) involved may be either sequential, or member(s) of partitioned
datasets. Most installations use a PDS member, and have the member name
as a variable of &MEMBER pointed to in the MEMBER= name in the PROC
statement. An alternate member (&ALTMEM) is also defined.
19.1.1.2 Verify ESM security controls over the dataset that houses the JES2
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
19.1.1.10 Identify any JOBCLASS that has the IEFUJP=NO statement. This
indicates that the SMF IEFUJP exit will not be taken when a job is purged
irrespective of the settings in SMFPRMxx member in PARMLIB. There
should be a documented reason for this parameter setting.
19.1.1.11 Determine if any JOBCLASS allows for BLP (bypass label processing).
BLP=YES allows magnetic tape labels to be bypassed during OPEN. This
could circumvent normal ESM dataset protection. Some installations do not
use this parameter and use the tape management system (e.g., CA-1) ESM
interface to control BLP.
19.1.1.12 Review the RJE definitions in the JES2 parameter member. All RJE
stations should have unique ESM user IDs assigned and possibly should
have restricted user IDs to limit their capabilities as their jobs are introduced
into the z/OS environment.
19.1.1.13 Determine if information security personnel review reports for SMF type
49 violations. The SMF record type 49 is written whenever a remote user
attempts to sign on with an invalid JES2 password.
DS9.1 X X
20. JES2 exits
DS9.2
Control: JES2 exits are documented and approved. DS9.3
20.1.1.1 Identify current JES2 exits. Use the following console command, or have a
computer operator to execute: $d exit(*), status=enabled,routines’?
20.1.1.2 Request an assembly listing without PRINT NOGENs for macro expansion.
Ensure that these exits do not compromise z/OS or ESM security controls.
20.1.1.3 Verify that JES2 exits have been approved and are fully documented and
tested.
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
21.1.1.1 Review TSO logon procedures. For a given user, the TSO logon procedure
name can be found in the TSO logon menu or the ISPF primary option menu.
Many installations have unique TSO logon procedures for groups of TSO
users.
21.1.1.2 TSO logon procedures are found in the JES2 defined PROCLIB
concatenation. Identify those TSO logon procedures used for this installation
and ensure that they undergo normal change control procedures.
21.1.1.3 Using ESM security software query or report facilities, determine that
system datasets used in the TSO logon procedures have adequate controls.
21.1.1.4 Review ESM security over key TSO system libraries:
Dataset Contents RACF UACC
SYS1.UADS TSO user profiles NONE
SYS1.CMDLIB TSO commands EXECUTE
SYS1.BROADCAST TSO messages UPDATE
SYS1.HELP TSO help READ
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
22.1.1.1 Identify TSO commands that require APF authorization. If any commands
are installationdefined, there should be documentation as to the purpose,
controls and management authorization.
22.1.1.2 Determine if ESM security software is used to control TSO command usage.
Sensitive TSO commands should be strictly controlled to authorized TSO
users based on a business need. They should also have proper management
authorization.
23. TSO user IDs DS5.3
X X
Control: TSO user IDs are administered in compliance with user security policies. DS5.4
23.1.1.1 TSO users should be defined to the ESM security software. In RACF, TSO
user profiles have a TSO segment that allows for TSO usage. If
SYS1.UADS is also used, there should be additional controls.
23.1.1.2 Using RACF, list all user IDs with TSO privileges. This can be done by
issuing the following RACF command at the command prompt: LISTUSER
* TSO.
23.1.1.3 Verify that proper documentation exists to ensure that authorization exists
for each user ID assigned (security administration group assistance may be
required).
23.1.1.4 If SYS1.UADS is used exclusively, use the ACCOUNT command at the
command prompt to list all TSO users:
ALLOC DA(SYS1.UADS) SHR
ACCOUNT
LISTIDS
Note: if SYS1.UADS is used exclusively, listing the UADS entry with the
ACCOUNT command will display the TSO password in the clear.
23.1.1.5 If both RACF and SYS1.UADS are used, take both outputs of the two
© 2009 ISACA. All rights reserved. Page 38
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
24.1.1.1 Review any TSO exits that may exist in this z/OS environment. If no
adequate documentation exists, perform code review for any possible
security and integrity control vulnerabilities.
24.1.1.2 Review the following exits if installed:
IKJEFF10—TSO Submit Exit
IKJEFF53—TSO Output/Status/Cancel Exit
IKJEFLD—TSO Logon Pre-Prompt Exit
24.1.1.3 Verify that TSO exits have been approved and are fully documented and
tested.
24.2 System log (SYSLOG)
Audit/assurance objective: The SYSLOG should be configured to record significant system activity
and provide a forensic trail of operator activities.
25. z/OS commands issued at IPL DS9.1
Control: The SYSLOG provides a history of commands issued during the IPL of the DS9.2 X X
system and these commands are monitored to ensure compliance with policies and DS9.3
procedures.
25.1.1.1 The COMMNDxx, IEAABD00, IEADMP00, IEADMR00, IEASYSxx, and
SMFPRMxx members of PARMLIB contain z/OS commands issued at IPL
time.
25.1.1.2 Verify that these commands are reviewed regularly against stated policies
and procedures.
DS9.1
26. Console events
DS9.2 X X
Control: Console events are reviewed regularly and the appropriate events are recorded.
DS9.3
26.1.1.1 Review selected system console events for operator-initiated overrides or
© 2009 ISACA. All rights reserved. Page 40
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
F Any MODIFY
MODIFY Any MODIFY
FORCE FORCE a job
V NET Vary VTAM
VARY NET Vary VTAM
HALT NET Halt VTAM
Z NET Halt VTAM
NIP IPL 'NIP' Messages
S ACF2 Start CA-ACF2
S TSS Start CA-TOPSECRET
P ACF2 Purge CA-ACF2
P TSS Purge CA-TOPSECRET
ICH409I RACF Database Index Error
RVARY RACF Activate\Inactivate
SET APF = SET APF Parameters Member
SET SMF = SET SMF Parameters Member
SET SVC = SET SVC Parameters Member
SET LNK = SET LNK Parameters Member
T APF = SET APF Parameters Member
T SMF = SET SMF Parameters Member
T LNK = SET LNK Parameters Member
T SVC = SET SVC Parameters Member
T CLOCK SET System Clock
T DATE SET System Date
SETSMF= SETSMF Parameters
SS = SETSMF Parameters (abbreviated)
© 2009 ISACA. All rights reserved. Page 41
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
26.1.1.3 Determine the frequency and process for reviewing SYSLOG and escalating
unusual activity.
26.2 z/OS exits
Audit/assurance objective: System exits should be documented, approved and well-tested using
installation change procedures. Access to systems exits should be monitored.
27. System exits DS9.1
Control: System exits are monitored and controlled according to installation change DS9.2 X X
management policies and procedures. DS9.3
27.1.1.1 System exits already identified in previous individual audit steps should be
reviewed to ensure that no exits circumvent or provide special privileges to
jobs or users that might introduce security and integrity vulnerabilities to the
operating system environment.
27.1.1.2 Dead code in assembler code is that which is never referenced, commented
out or branched around in normal processing. If indicated by other findings,
review exit code process flow to ensure that dead code is not assumed to be
effective.
27.1.1.3 Since system exits are deviations of normal processing, all exits should be
properly documented as to purpose, use, prolog of exit changes, author, date,
© 2009 ISACA. All rights reserved. Page 43
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
30.1.1.1 Determine the sign-off process prior to a change moving into production
includes the following:
30.1.1.1.1 Technical support indicating completion of testing, quality
assurance, documentation.
30.1.1.1.2 IT operations, indicating acceptance of documentation,
scheduling changes, backup changes, runtime changes, etc.
30.1.1.1.3 Information security, indicating acceptance of information
security changes.
DS9.2 X X
31. Management monitoring of configuration changes/upgrades
DS9.3
Control: Management reviews program changes to ensure that only authorized
AI6.1
operating system configuration changes are included in the modification process.
AI6.2
AI6.4
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
AI6.5
31.1.1.1 Determine how management reviews the changes to ensure that only
authorized changes have been implemented.
31.1.1.2 Determine if SMR/E is in use for configuration edits.
31.1.1.3 Verify compliance with change procedures.
31.2 Change management governance
Control Objective: Change management process is subject to management oversight to ensure
consistent and timely processing of changes.
32. Operating system change summaries DS9.2
Control: Management receives timely reports, summarizing change management DS9.3
X X X X
activities, key performance indicators and escalation of issues requiring management AI6.1
attention. AI6.4
32.1.1.1 Identify the reports management receives and the frequency and scope of
the reports.
32.1.1.2 Determine if service level agreements (SLA) are in use. If so, verify that the
reports summarize SLA attainment and/or deficiency.
32.1.1.3 Determine the escalation process for change management processes
operating outside of normal conditions.
SYSTEM BACKUPS
33.1 System backups
Audit/assurance objective: The systems should be backed up on a regular basis in a manner to
minimize data loss in the event of hardware or software failure, or a physical incident.
DS4.9 X
34. Backup procedures
Control: Appropriate backup procedures are in effect to ensure backups on schedule,
executed automatically and include the necessary files to ensure the capability of
© 2009 ISACA. All rights reserved. Page 46
z/OS Security Audit/Assurance Program
COSO
CommunicationInformation and
Risk Assessment
Referenc Issue
Control Environment
e Cross- Comments
Control Activities
COBIT Hyper- reference
Monitoring
Audit/Assurance Program Step Cross- link
reference
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance review, and the
reviewer’s observations, assign a maturity level to each of the following C OBIT control practices.
Referenc
Assessed Target e
COBIT Control Practice Comments
Maturity Maturity Hyper-
link
AI6.1 Change Standards and Procedures
1. Develop, document and promulgate a change management framework that specifies the
policies and processes, including:
• Roles and responsibilities
• Classification and prioritization of all changes based on business risk
• Assessment of impact
• Authorization and approval of all changes by the business process owners and IT
• Tracking and status of changes
• Impact on data integrity (e.g., all changes to data files being made under system and
application control rather than by direct user intervention)
2. Establish and maintain version control over all changes.
3. Implement roles and responsibilities that involve business process owners and appropriate
technical IT functions. Ensure appropriate segregation of duties.
4. Establish appropriate record management practices and audit trails to record key steps in the
change management process. Ensure timely closure of changes. Elevate and report to
management changes that are not closed in a timely fashion.
5. Consider the impact of contracted services providers (e.g., of infrastructure, application
development and shared services) on the change management process. Consider integration
of organizational change management processes with change management processes of
service providers. Consider the impact of the organizational change management process
on contractual terms and SLAs.
4
DS9.2 Identification and Maintenance of
AI6.4 Change Status Tracking and Reporting
Configuration Items
3
Target
DS5.4 User Account Management Assessment