Mainframe audit

From Wikipedia, the free encyclopedia

The definition of a mainframe computer is not clear-cut and may vary depending on what reference is used. Most people associate a mainframe with a large computer; but mainframes are getting smaller all the time. The terms mainframe and enterprise server are converging.

The advent of the supercomputer has also eradicated the notion that a mainframe is defined simply by its size. Supercomputers are generally used for their speed and complexity, while mainframes are used for storing large volumes of sensitive data.

One definition states that:

Mainframes used to be defined by their size, and they can still fill a room, cost millions, and support thousands of users. But now a mainframe can also run on a laptop and support two users. So today's mainframes are best defined by their operating systems: Unix and Linux, and IBM's z/OS, OS/390, MVS, VM, and VSE. Mainframes combine four important features: 1) Reliable single-thread performance, which is essential for reasonable operations against a database. 2) Maximum I/O connectivity, which means mainframes excel at providing for huge disk farms. 3) Maximum I/O bandwidth, so connections between drives and processors have few choke-points. 4) Reliability--mainframes often allow for "graceful degradation" and service while the system is running. (Software Diversified Services).

Other properties particular to mainframes include:

  • The ability to handle a large number of users simultaneously.
  • Being able to distribute large workloads that can be handled by the machine over different processes and input and output devices.
  • Output is sent to a terminal through a program running on the mainframe, and nothing else goes over the line. This helps make mainframe data more secure (The History of Computing Project, April 27, 2005).

The history of mainframe systems

The mainframe computing age got its start in 1939 with the creation of the Atanasoff Berry Computer (ABC Computer) in Iowa. Though not a computer in the modern sense, as it lacked general controls or purpose, it was the first proposal to use electronics for calculation and/or logic.

The first computer in the modern sense was the ENIAC, created in 1942 and used to compute World War II ballistic firing tables. This machine was very large: it consisted of 30 separate units weighing a combined 30 tons, and during operation it consumed almost 200 kilowatts of electrical power. As technology improved, mainframes became more prevalent, faster and more efficient, and were able to hold more memory and do more complex calculations. As a result, mainframe usage grew during the 1950s, 1960s and 1970s. Mainframes developed during that time include the UNIVAC and the IBM 360 (The History of Computing Project, April 27, 2005).

Beginning in the early 1980s, demand for mainframes began to decline as companies felt that smaller computers (such as IBM PCs) could accomplish similar goals at a lower cost while giving users greater access to their systems. During this time IBM was left as the only major player, as other companies were squeezed out or abandoned their mainframe operations. In the late 1990s demand re-emerged as companies found new uses for mainframes because of their reliability for critical operations and their flexibility in running several operations at once. IBM currently has over 80% of the market; current mainframes include the S/390, the zSeries 890 and the zSeries 990, which are about the size of a dishwasher and can host up to 32 gigabytes of memory. These mainframes can also process hundreds of millions of instructions per second (MIPS) (The History of Computing Project, April 27, 2005).

How are mainframes currently used?

Generally, mainframes are used by large corporations and government agencies to handle the processing and protection of large volumes of data; examples include sales transactions and customer inquiries. They are also used for computation-intensive applications such as analyzing seismic data and flight simulation, and as "super-servers" for large client/server networks and high-volume websites. Other uses include data mining and warehousing, and electronic commerce applications (O'Brien, 2002).

What are the components of a mainframe?

The components of a mainframe can vary widely, depending on the type of machine and its role in the organization. Generally, there are four main components that are important for the purposes of this discussion. These are:

  1. The Operating System: This is "the main guts" and "ensures that other applications are able to use memory, input and output devices and have access to the file system." Types of operating systems vary greatly, but common examples include Unix, MVS (Multiple Virtual Storage) and OS/390. Generally this is managed by an organization's systems technicians (The Henderson Group, October, 2001) (Interview, 2005).
  2. The Security Server: This helps prevent unauthorized access and manipulation. Security software such as ACF2, RACF and Top Secret is needed to help secure an MVS operating system. This software identifies who the user is, and whether that user can perform a given function (The Henderson Group, January, 2002).
  3. System Products: These are performance tools of the operating system. They include VTAM (Virtual Telecommunication Access Method), which manages data flow between terminals and applications (or between applications) and supports multiple teleprocessing applications, and NetView, a distributed network management system. This category also includes database management and administration tools (also called DB2 Utilities) and the database manager. Another item of note that fits this category is TCP (Transmission Control Protocol), which is the protocol for managing applications over IP (Internet Protocol); IP provides message routing, but not applications (Software Diversified Services, No Date).
  4. Application System: A decision support system. It provides graphics, statistical functions, business modeling and forecasting. These are usually customized by the users depending on the goals of the organization (Software Diversified Services).

A company's mainframe is usually located in the data center, a facility used to house large amounts of computer equipment and data. Because of the large amounts of sensitive data held there, access is usually restricted.

How are mainframes audited?

The purpose of a mainframe audit is to provide assurance that processes are being implemented as required, that the mainframe is operating as it should, that security is strong, and that the procedures in place are working and are updated as needed. This often also entails the auditor making recommendations for improvement.

Understanding the mainframe, the entity and its environment

Generally this includes but is not limited to an understanding of the following:

  • The type of mainframe, its features, usage, and its purpose in the organization.
  • Nature of the entity.
  • Organization’s external factors such as regulatory requirements and the nature of its industry.
  • Organization’s management, governance, and objectives and strategies.
  • Entity’s business processes.
  • Organization’s performance compared to the industry and its benchmarking procedures (Messier, 2003).

This information can be obtained by conducting outside research, interviewing employees, touring the data center and observing activities, consultations with technical experts, and looking at company manuals and business plans.

Identify risks and evaluate them

General:

Passwords: Who has access to what, and are employees protecting their passwords properly? Are there written policies and procedures in place stating how this is accomplished, and are they enforced? Are passwords timed out? Evidence of implementation can be obtained by requesting employee manuals, evaluating the software and user histories, and by physical observation of the environment (Gallegos, F., 2004).

Are cables adequately protected from damage and sniffing between the network and the data center? This can be achieved by proper routing of the cables, encryption of the links, and a good network topology (Software Diversified Services). Physical observation of where the cables are routed and confirmation of the security procedures should be obtained. Tests of controls should be conducted to determine any additional weaknesses.

Does the mainframe have access to an uninterruptible power supply? If so, confirmation should be obtained that it exists, is available, and is adequate to meet the organization's needs.

Environmental controls: Are physical controls such as badges for access, fire suppression devices and locks in place to protect the data center (and the mainframe inside it) from theft, manipulation or damage? A physical observation should be conducted and employee reference manuals should be examined to confirm this. For all items, the level of risk should be assessed, and that assessment should be used to determine the general or specific audit procedures used.

The Operating System

Because the operating system is needed to run all the other applications, it is the most important and critical area to be examined.

What controls are in place to make sure the system is continually updated? Is the software configured to do it, is it done by the systems technicians, or both? Company procedures should be examined and computer-assisted audit techniques employed to make a determination.

Many of the individuals responsible for maintaining the system have elevated privilege. Controls should be in place to deter unauthorized manipulation or theft of data; processes and procedures are needed, and the organization should conduct a risk/benefit analysis to determine who should have access to a specific application. Proper segregation of duties also needs to be verified. The company's internal controls need to be tested to determine whether they are effective, and recommendations should be made to remedy any deficiencies. Samples of entries into the system should be examined to verify that the controls are effective, and unauthorized and/or suspicious voided transactions need to be investigated (Gallegos, 2004).

The operating system should leave a full audit trail so that assurances by management can be verified. Depending on the circumstances, deficiencies in this area will either require further audit investigation and work, or mean that the audit team cannot rely on management's assurances.

Are there any processes on the system that could needlessly compromise other components? Tests and procedures need to be conducted to determine if this is the case.

Procedures and measures need to be in place to minimize the risk of unauthorized access through backdoors in the system, such as the Program Properties Table (PPT). An audit of an MVS system needs to confirm that all entries through this door are appropriate and were made with proper authorization. In addition, there should be an accurate audit trail that can be followed. This can often be accomplished by examining the Bypass Password and the Privilege Protect Key settings in the system, and by examining entries for reasonableness. Mainframe vendors such as IBM provide information that can help determine whether PPT entries are reasonable. A software tool such as CA-Examine can also be helpful in this endeavor (The Henderson Group, October, 2001).
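As an added illustration of the PPT review described above (example code written for this article, not from any cited source, IBM or a vendor tool), the following Python script parses PPT statements in the keyword form used by the SCHEDxx parmlib member and flags entries whose program is not on an approved list, whose protect key is a system key (0-7), or which carry PASS (bypass of data set password protection) or other sensitive properties. The parmlib fragment, the program names and the approval list are constructed placeholders; in a real review the approval list would come from the site's change records and IBM's documented default entries.

```python
"""Audit helper: review Program Properties Table (PPT) entries from a SCHEDxx
parmlib member and flag entries that need an authorization record or that
grant sensitive properties.

Added example for the article; the parmlib text and names are constructed.
"""
import re
from typing import Dict, List

# Constructed SCHEDxx fragment (not from any real system). Keywords follow the
# documented PPT statement syntax: PGMNAME(...), KEY(n), PASS/NOPASS, etc.
SAMPLE_SCHEDXX = """\
/* Constructed sample for the example */
PPT PGMNAME(SITEPGM1)  KEY(8)  NOSWAP  NOPASS  NOPRIV      /* monitor, routine */
PPT PGMNAME(SITEPGM2)  KEY(0)  NOSWAP  PASS  PRIV  SYST    /* vendor product   */
PPT PGMNAME(OLDTOOL9)  KEY(1)  PASS                        /* no change record */
"""

# Constructed approval list: program name -> authorization reference. A real
# list is built from site change records and IBM's documented default entries.
APPROVED_PPT: Dict[str, str] = {
    "SITEPGM1": "change record CR-0001 (placeholder)",
    "SITEPGM2": "change record CR-0042 (placeholder)",
}

# PPT keywords that widen what a program may do, with the meaning to report.
SENSITIVE_FLAGS = {
    "PASS": "bypasses data set password protection",
    "PRIV": "runs as a privileged program",
    "SYST": "treated as a system task",
    "NOCANCEL": "cannot be cancelled",
}


def parse_ppt(text: str) -> List[dict]:
    """Return one dict per PPT statement: program name, protect key, flags."""
    body = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # drop parmlib comments
    entries = []
    for stmt in re.split(r"\bPPT\b", body)[1:]:  # text before first PPT is skipped
        entry = {"pgm": None, "key": None, "flags": set()}
        for tok in stmt.split():
            m = re.fullmatch(r"(\w+)\((\w+)\)", tok)
            if m and m.group(1) == "PGMNAME":
                entry["pgm"] = m.group(2)
            elif m and m.group(1) == "KEY":
                entry["key"] = int(m.group(2))
            elif m:
                entry["flags"].add(f"{m.group(1)}({m.group(2)})")  # e.g. AFF(...)
            else:
                entry["flags"].add(tok)
        entries.append(entry)
    return entries


def audit_ppt(entries: List[dict], approved: Dict[str, str] = APPROVED_PPT) -> Dict[str, List[str]]:
    """Map program name -> list of findings; programs with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        notes = []
        if e["pgm"] not in approved:
            notes.append("no authorization record for this PPT entry")
        if e["key"] is not None and e["key"] <= 7:
            notes.append(f"KEY({e['key']}) is a system protect key")
        for flag, meaning in SENSITIVE_FLAGS.items():
            if flag in e["flags"]:
                notes.append(f"{flag}: {meaning}")
        if notes:
            findings[e["pgm"]] = notes
    return findings


if __name__ == "__main__":
    for pgm, notes in audit_ppt(parse_ppt(SAMPLE_SCHEDXX)).items():
        print(pgm)
        for n in notes:
            print("   -", n)
```

Entries that are both approved and carry sensitive properties (SITEPGM2 in the sample) still appear in the output: the auditor's question is not only whether the entry was authorized but whether the properties granted are still justified, so the script reports the properties and leaves the reasonableness judgement to the reviewer.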

Security server

Because the security administrators who manage this component not only have elevated privilege but also model and create the user passwords, this area always takes high priority during an audit. Is proper segregation of duties implemented and enforced, and are technology and procedures in place to make sure there is a continuous and accurate audit trail? Controls need to be in place to minimize the risk of unnecessary and unauthorized entry into the system and to protect passwords. Computer-assisted audit techniques should be used to explore the system, and on-site observations should be conducted to verify that procedures such as segregation of duties are being followed. Security systems such as RACF, ACF2 and Top Secret need to be constantly evaluated to verify that they are providing the necessary security and to decide whether additional protection, such as new firewalls, is needed. Before beginning an audit of these systems, printouts should be obtained that provide detailed information on specific fields, the UID string, rules, and/or additional explanations. With this information the security configuration can be more easily understood, which makes evaluating it much easier (The Henderson Group, August, 2002).
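The password time-out question under "Identify risks and evaluate them" and this section's concerns about elevated privilege and segregation of duties can both be checked from the same RACF LISTUSER report. The script below is an added example for this article, not code from any cited source or from IBM. The LISTUSER text is a constructed sample whose layout approximates the real report, the 90-day maximum password interval is an assumed site policy, and the script treats PASS-INTERVAL=N/A as "password never expires" while exempting PROTECTED user IDs, which cannot be used to log on with a password.

```python
"""Audit helper: flag RACF user IDs whose password controls or privileges need
follow-up, working from the text of a LISTUSER report.

Added example for the article; the report text below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed LISTUSER output for three user IDs (layout approximates RACF's;
# adjust the regular expressions if your release prints fields differently).
SAMPLE_LISTUSER = """\
USER=JSMITH    NAME=JOHN SMITH          OWNER=SYS1      CREATED=05.120
 DEFAULT-GROUP=DEPTD20  PASSDATE=23.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=23.075/09:12:45
USER=SECADM1   NAME=SEC ADMIN           OWNER=SYS1      CREATED=99.001
 DEFAULT-GROUP=SYS1     PASSDATE=21.010 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=23.074/17:02:10
USER=BATCHID1  NAME=NIGHTLY BATCH       OWNER=SYS1      CREATED=10.200
 DEFAULT-GROUP=BATCH    PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
 LAST-ACCESS=23.075/02:00:03
"""

# RACF user attributes that confer elevated privilege over the security database
# or over data set access; holders belong on the segregation-of-duties review.
ELEVATED = {"SPECIAL", "OPERATIONS", "AUDITOR"}


@dataclass
class RacfUser:
    userid: str
    attributes: Set[str]
    pass_interval: Optional[int]  # None when the report shows N/A (no expiry)
    last_access: str


def parse_listuser(text: str) -> List[RacfUser]:
    """Split the report into one block per USER= line and pull the fields used here."""
    users = []
    for block in re.split(r"(?m)^(?=USER=)", text):
        if not block.strip():
            continue
        userid = re.search(r"^USER=(\S+)", block).group(1)
        attrs: Set[str] = set()
        m = re.search(r"ATTRIBUTES=(.*)", block)
        if m:
            attrs = set(m.group(1).split()) - {"NONE"}
        m = re.search(r"PASS-INTERVAL=\s*(\S+)", block)
        interval = int(m.group(1)) if m and m.group(1).isdigit() else None
        m = re.search(r"LAST-ACCESS=(\S+)", block)
        users.append(RacfUser(userid, attrs, interval, m.group(1) if m else "UNKNOWN"))
    return users


def audit_users(users: List[RacfUser], max_interval: int = 90) -> Dict[str, List[str]]:
    """Map user ID -> findings. max_interval is an assumed site policy (days)."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        notes = []
        held = sorted(u.attributes & ELEVATED)
        if held:
            notes.append("elevated privilege: " + ",".join(held))
        if {"SPECIAL", "OPERATIONS"} <= u.attributes:
            notes.append("SPECIAL and OPERATIONS on one ID (segregation of duties)")
        if "PROTECTED" not in u.attributes:  # protected IDs have no password to expire
            if u.pass_interval is None:
                notes.append("password never expires")
            elif u.pass_interval > max_interval:
                notes.append(f"password interval {u.pass_interval} exceeds {max_interval} days")
        if notes:
            findings[u.userid] = notes
    return findings


if __name__ == "__main__":
    for userid, notes in audit_users(parse_listuser(SAMPLE_LISTUSER)).items():
        print(userid)
        for n in notes:
            print("   -", n)
```

The output is a worklist, not a verdict: an ID holding SPECIAL may be entirely proper for a security administrator, but the auditor then expects to see it paired with a password that expires, a matching entry in the list of authorized administrators, and an audit trail of what the ID did.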

System products

When auditing DB2, the auditor should be most concerned with whether the security measures in the software are properly controlling who can use it and which data a user can read or write. Management controls should be in place to prevent unauthorized access or manipulation, and the auditor should establish how many copies of the software are in use and for what purpose. For VTAM, the auditor's concerns include whether the applicable security software is consulted when an employee logs in. This is to prevent terminated employees from entering the system, because the security software is updated immediately while other software generally is not. Because all connections to the system come through VTAM, the dataset describing the connections should be constantly monitored and examined. Internal controls over backdoors into the system should be sufficient to minimize unauthorized entry, and the auditor should determine what these controls are so they can be tested appropriately. Software tools such as CA-Examine and Consul can be used for this purpose and to find additional backdoors. It should also be verified that sensitive network connections are encrypted, and that the rules controlling the use of applids (programs that terminals can be connected to) and terminals are adequate (The Henderson Group, January, 2002).

Application system

This area of the audit should be concerned with the performance and the controls of the system: its ability to limit unauthorized access and manipulation, that input and output of data are processed correctly, that any changes to the system are authorized, and that users have access to the system. To achieve these objectives, internal controls should be evaluated and the software tested with computer-assisted audit techniques, including vulnerability assessment tools (Gallegos, 2004).

These computer-assisted audit techniques for the mainframe and its supporting systems can in most cases be conducted from a simple 3270 terminal that has a connection to the network.

Evaluate whether sufficient evidence was obtained

After performing the necessary tests and procedures, determine whether the evidence obtained is sufficient to reach a conclusion and recommendation. If it is, a final report and/or recommendation can be completed. If the evidence is insufficient and the gap is material, further testing will be required, unless the information is unobtainable, in which case a full report cannot be completed.

How is the security of the mainframe maintained?

Mainframes, despite their reliability, hold so much data that precautions must be taken to protect the information and the integrity of the system. To do this, internal controls must be put in place. These include:

  • Physical controls over the mainframe and its components.
  • Encryption techniques.
  • Putting procedures in place that prevent unnecessary and unauthorized entries into a system, and that ensure input, output and processing are recorded and accessible to the auditor. This is particularly important for people with elevated privilege.
  • Security Software such as RACF, ACF2, and Top Secret.
  • Constant testing of the security system to determine any potential weaknesses.
  • Properly protecting backdoor access paths.
  • Continual examination of the techniques to determine effectiveness.

To gauge the effectiveness of these internal controls, an auditor should do outside research, physically observe controls as needed, test the controls, perform substantive tests, and employ computer-assisted audit techniques when prudent.

References

  • Gallegos, F., Senft, S., Manson, D., & Gonzales, C. (2004). Information Technology Control and Audit (2nd ed.). Boca Raton, Florida: Auerbach Publications.
  • Messier, W. F., Jr. (2003). Auditing & Assurance Services: A Systematic Approach (3rd ed.). New York: McGraw-Hill/Irwin.
  • Licker, M. D. (2003). Dictionary of Computing & Communications. New York: McGraw-Hill.
  • Philip, G. (2000). The University of Chicago Press: Science and Technology Encyclopedia. Chicago, IL: The University of Chicago Press.
  • O'Brien, J. A. (2002). Management Information Systems: Managing Information Technology in the E-Business Enterprise (5th ed.). New York: McGraw-Hill/Irwin.