S 2.288 Drawing up a security policy for z/OS systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator, Head of IT
Before using z/OS systems, security policies for the z/OS system and particularly for the security system RACF (Resource Access Control Facility) must be planned and defined. The following recommendations must be taken into account:
- The z/OS systems must be integrated into the security management of the company or government agency as a whole; they must not be run as an isolated security domain.
- As described in safeguard S 2.30 Provisions governing the configuration of users and of user groups, a procedure for administering the users of the z/OS system and their IDs must be drawn up.
- A policy for using the emergency user must be drawn up (see safeguard S 6.93 Contingency planning for z/OS systems).
- A policy for the recovery of the RACF database under z/OS must be drawn up (see safeguard S 6.93 Contingency planning for z/OS systems).
- An authorisation process for access to security-critical system resources such as APF libraries (Authorized Program Facility), SVCs (Supervisor Calls), etc. must be described and implemented.
- An audit procedure, as described in safeguard S 2.291 Security reporting and security audits under z/OS, and/or a monitoring procedure, as described in safeguard S 2.292 Monitoring of z/OS systems, must be established.
- An escalation and reporting procedure must be established. This procedure must define who detects and reports security violations and which countermeasures must be taken.
- Documentation about the design and the function of a business continuity system, as described in safeguard S 6.93 Contingency planning for z/OS systems, must be drawn up (only applicable to standalone systems).
- A checklist containing control questions should be drawn up that captures all important security-relevant settings of the z/OS system and defines their target values. This checklist serves two purposes: it is the basis for the work instructions of the system and RACF administrators, and the auditor uses it as the basis for auditing the system's security. The checklist must be reviewed at regular intervals so that it keeps pace with changes to the system. Safeguards S 4.211 Use of the z/OS security system RACF and S 4.209 Secure basic configuration of z/OS systems can be used as a basis for such a checklist.
Review questions:
- Are security policies for the z/OS system and particularly for the security system RACF planned and defined before using z/OS systems?
- Is there an escalation and reporting procedure for security incidents in connection with z/OS systems?
- Is there a checklist containing control questions capturing all important security-relevant settings of the z/OS system and defining their target values?