The Importance of Mainframe Security Education

World®’16

TheImportanceofMainframeSecurityEducationMr.SteveHosie - President,CISSP,CISM- CyberSecurity.Services

MFX173S

MAINFRAMEANDWORKLOADAUTOMATION

Thecontentprovidedinthis CAWorld2016presentationisintendedforinformationalpurposesonlyanddoesnotformanytypeofwarranty. The informationprovidedbyaCApartnerand/orCAcustomerhasnotbeenreviewedforaccuracybyCA.

ForInformationalPurposesOnlyTermsofthisPresentation

Abstract

Educationisthefoundationofeffectivemainframesecurity,andtosecurethemostmission-essentialassetsinthebusiness,mainframeteamsmustbeproperlyeducatedonthegreaterindustrystandardsandthesecurityproductstheymanage.Ifteamslacktheappropriatetraining,howdoesanyoneknowiftheirsensitivemainframedataisactuallysecure?Thissessionwilldiveintotheimportanceofmainframesecurityeducationatalllevelstoenableteamstobettersecuremainframeapplications,providewaystosimplifymainframesecuritydocumentationandsharebestpracticesforincreasingcollaborationandmainframesecurityeducation.

SteveHosieCyberSecurity.ServicesPresident,CISSP,CISM

Agenda

VALUEFORSTAKEHOLDERS

IDENTIFYTHEWHOANDWHY

WHATLEVELOFEDUCATION- MAINFRAMELPARORAPPLICATION

THE“MISSINGLINK”

EDUCATIONLINKS

ValuetoStakeholders

§ Inadequateandineffectivesecuritycontrolshaveleftindividualsandcorporationsmorevulnerabletoillegalactivitiessuchascomputerfraud,abuse,theftandtheunauthorizeddisclosure,modification,ordestructionofinformation

§ Lackoftrainingguaranteesinadequatesecuritycontrolswillbeimplementedduetosuchbasicsas“notknowinghowtoeffectivelyutilizetheMainframeSecuritytools”toprotectyourdata

ValuetoStakeholders

§ IfyourCyberSecurityteamarenoteducatedinhowtofullyandproperlyutilizetheMainframeSecuritytools– howcanyoubeassuredyourdataisproperlyprotected?

§ AsyourCyberSecurityteam– whatarethetop10mostcriticalresources,whataccesslevelsareheldbywhomandwhenwasthelastreportreviewedforthoseresources

§ JustbecauseanAuditorfailedtoknowwheretolook,whatquestionstoask– doesthatmeanyourdataisprotected?

ValuetoStakeholders

§ InvestingintheeducationofyourMainframeCyberSecuritystaffforproperutilizationoftheMainframeSecuritytoolsisadirectinvestmentinprotectingyourdata

WhoAretheMainframeSecurityAdministrators

§ WhoperformsMainframeSecurity-– z/OSSystemCyberSecurityTeamMembers

§ IndividualswhoareresponsibleforCyberSecuritycontrolsoverthez/OSSystemleveland3rd partysoftwareproducts– EnsuringSecurityControlshaveproperlyandfullysecuredtheSecureMainframe

Platformbaseduponwelldocumentedz/OSSecurityStandards

– WithoutEducation,howwouldresponsibleteammembersknowhowtofullyandproperlyutilizingallsecurityproductfeaturesensuringthez/OSPlatformhasbeenproperlysecured?

z/OSSystemorApplication

WhoAretheMainframeSecurityAdministrators

§ WhoperformsMainframeSecurity?– z/OSMainframe“Customer”ApplicationCyberSecurity

TeamMembers§ IndividualswhoareresponsibleforCyberSecuritycontrolsovertheApplicationsandactualapplicationdata(Sensitive,PII,HIPAA,PCI,etc)– WithoutpropereducationonhowtoutilizetheMainframeSecurityproductsto

protecttheactualdataandapplicationsprocessingontheMainframePlatform–isyourdataprotected?Howwouldyouknow?

– Howwouldthoseresponsibletoprotectyourdatabeabletoprovideassuranceiftheydonotknowhowtoutilizethesecurityproduct?

z/OSSystemandMainframeApplicationCyberSecurityTeams

WhoElseShouldReceiveTraining-

§ WhoelseperformsMainframeSecurity-

– z/OSSystemlevel“HelpDesk”

– z/OSAuditors

– z/OSApplicationAuditors

WhatLevelofTraining

§ Trainingonz/OSMainframeSecurityModelandoverviewofMainframeSecurityProducts

§ CA-ACF2,CA-AUDITOR,CACLEANUP,CATOPSECRETandothersuchz/OSMainframeSecurityproducts

– Alllevels:§ Managementofz/OSSystemTeams,§ Management/OwnersofCustomerApplications/data,§ ManagementoverthevariousMainframeCyberSecurityTeams,§ CyberSecurityteammembers- z/OSSystemlevelandApplication/datalevels

§ Auditors

z/OSSystemorApplication

WhatLevelofTraining

§ Trainingonz/OSMainframeSecurityProductBasics–§ BasicsonhowtouseCA-ACF2,CA-AUDITOR,CACLEANUP,CATOPSECRETandothersuchz/OSMainframeSecurityproducts

– z/OSSystemProgrammers– z/OSSystemLevelCyberSecurityteammembers– z/OSApplicationCyberSecurityteammembers– HelpDesk/CustomerService– Auditors

z/OSSystemandApplicationCyberSecurityTeams,MainframeAuditors,HelpDesk

WhatLevelofTraining

§ Trainingonz/OSMainframeSecurityProductSetupandAdvanced–

§ InDepthconfigurationsettings,advancedfundamentalsonhowtouseCA-ACF2,CA-AUDITOR,CACLEANUP,CATOPSECRETandothersuchz/OSMainframeSecurityproducts

– z/OSSystemProgrammers– z/OSSystemLevelCyberSecurityteammembers

z/OSSystemProgrammersandz/OSSystemCyberSecurityTeams

WhatLevelofTraining

§ Trainingonhowtoreview,documentandproperlysecureCustomerApplicationsandDataonz/OSMainframes–

– CyberSecurityteammembersresponsibleforthesecuritycontrolsatthez/OSSystemlevel

– CyberSecurityteammembersresponsibleforthesecurityofthecustomerapplicationsanddatalevels

– Management/ownersofCustomerApplicationsanddata– MainframeApplicationAuditors

z/OSSystemCyberSecurityTeams,ApplicationCyberSecurityteams,Auditors

The“MissingLink”inMainframeSecurityEducation

– MainframeApplicationLevelSecurityTrainingisoftenthe“Missinglink”.It’softenonlytrainedinthebasicsyntaxofthesecurityproduct,butnothowtoeffectivelyreviewandimplementcontrolsinrelationshiptotheApplicationordatatheyareresponsiblefor

– Applicationanddatalevelsecuritycontrols– whatcontrolsshouldbedocumented,implementedandvalidated?

– DoestheApplicationCyberSecurityteamknowhowtoeffectivelyusethesecurityproducts?

– WherecantheyobtainApplicationLevelCyberSecuritytrainingonhowtoutilizetheMainframeSecuritytoolsfortheirapplication?

TheApplicationLayer

The“MissingLink”inMainframeSecurityEducation

– HowtoblendSecurityproductssyntaxwithappropriateapplicationofCyberSecurityConceptswithinthez/OSMainframeEnvironment.

– Command“syntax”toknowingwhichaccesscontrolsareappropriate– Knowingwhichaccessisnotappropriatetogrant– KnowingwhatarethecriticalresourcesSystemandApplication(s)– Howtomonitoraccess– Somuchmore.– Ittakesyearsoflearning,educationanddedicationtobecomea

MainframeCyberSecurityProfessional.– ~InMemoryofMichaelEsberger,MainframeSecurityProfessionaland

Educator1950– 2016.

TheApplicationLayer

MainframeSecurityEducationLinks

– CAWorldprovidesunlimitedselfdirectedMainframeSecurityproductsviathelabsessions

– Searchhttp://www.ca.com/us/education-training.html

– AskCAtoprovidetheirselfdirectedMainframeSecurityProducttrainingviaonline(www)soyourCyberSecurityteamscanaccess

RecommendedSessions

SESSION# TITLE DATE/TIME

SCT22S CARoadmap:PrivilegedAccessManagement 11/16/2016at4:30pm

MFX172S TheKeytoComplyingWithNewRegulationsandStandards:ComprehensiveMainframeSecurity 11/16/2016at4:30pm

MFT175S GapsinYourDefense:HackingtheMainframe 11/17/2016at3:00pm

MainframeSecurityEducationInvestingMainframeSecurityEducationwillhelpguaranteeadequatesecuritycontrolsareproperlyimplementedbyCyberSecurityTeammembersknowinghavingobtainedtheknowledgeandunderstandingtoeffectivelyusetheMainframeSecuritytoolsinordertoensureprotectionofyourdata.

SummaryAFewWordstoReview

Questions?

Thankyou.

Stayconnectedatcommunities.ca.com

MainframeandWorkloadAutomation

FormoreinformationonMainframeandWorkloadAutomation,pleasevisit:http://cainc.to/9GQ2JI

The Importance of Mainframe Security Education

Technology

Transcript of The Importance of Mainframe Security Education

how can mainframe security management solutions … BRIEF CA Mainframe Security Management Solutions | September 2010 how can mainframe security management solutions from CA Technologies

MAINFRAME SECURITY & COMPLIANCE - dgtechllc.com

Rehost Development - Micro Focus · PDF filevirtual mainframe Rehost Development The reliability and security of mainframe environments have made rehosting development the natural

Fill your Mainframe Security Monitoring Gap via SIEM

Top 12 Mainframe Security Exposures and Lessons From … · Top 12 Mainframe Security Exposures and ... CICS, MQ Series ... Top 12 Mainframe Security Exposures and Lessons From A

Managing performance and security with Splunk on your IBM mainframe webinar

Splunking*the* Mainframe* · PDF fileUnderstand*the*importance*of*mainframe*datain*the*operaonal* intelligence*picture*!

Cyber security & Importance of Cyber Security

The State of Mainframe Security-or Lack Thereof - SHARE€¦ · Insert Custom Session QR if Desired. The State of Mainframe Security-or Lack Thereof Brian Cummings Mark Wilson Tata

Mainframe Security - It's not just about your ESM v2.2

Ten Things You Should not Forget in Mainframe Security

Managing the Top 5 Mainframe Security

A Mainframe Security Rosetta Stone – Translating … · Stone – Translating Between Mainframe Security Products Reg Harbeck ... • RACF • ACF2 • TSS ... • CICS • RACF:

Cyber security and the mainframe (v1.3)

Arcati Mainframe Yearbook 2007Arcati Mainframe Yearbook ... · IBM has standard Cloud Paks for data, application integration, automation, and multi-cloud management and security.

Mainframe Networking 101 Share Session€¦ · Mainframe Networking 101 Share Session. ... •Security Implementations ... •PRS3950 Avoiding the Pitfalls of an OSA-E3 or OSA-E4S

System Z Mainframe Security For An Enterprise

The Myth of Mainframe Security Session: 14812 - … Myth of Mainframe Security Session: 14812 ... In its current form, the IBM Statement of ... A don’t forget the mainframe is 50

SNA Mainframe Security – Because SNA Isn't Hacked, Instead It Is ...

The Myth of Mainframe Security - SHARE Myth of Mainframe Security . Glinda Cummings IBM Sr. Security Product Manager glinda@us.ibm.com Session: 16144

Splunkingthe Mainframe* · PDF fileUnderstandtheimportanceofmainframedataintheoperaonal intelligencepicture!