The Importance of the z/OS Mainframe System Security Plan (SSP) and Standardized Security Controls
Project and Program: Enterprise Data Center, Security and Compliance, SHARE Fort Worth 2020
Security is one of the most important concerns in our IT world. Auditors audit to written policy. Too many organizations lack a z/OS Mainframe System Security Plan (NIST Control PL-2) in which the organization has formally documented: all standard controls (PCI, HiTrust, NIST, GDPR, PII, HIPAA), how those controls are implemented, standard definitions of least privilege, the authorized roles of users, the authorized access for each of those standardized roles, and how other policy-based controls are implemented within the Mainframe platform.

Ask yourself: Where are all of my Mainframe controls documented? If you have PCI, NIST, GDPR and other control requirements, how have you documented the implementation of each of those controls within the Mainframe? Where are your Mainframe platform roles defined, along with the access allowed for each role? Wouldn't it be nice to have a single living document that gives auditors clarity on which controls are implemented, how those control requirements are met on the z/OS Mainframe, and how to review and audit them (internally and externally)?

The z/OS Mainframe SSP should contain all standard controls implemented at the LPAR/Sysplex level, regardless of whether there are zero 'applications' or dozens of 'applications' running on the Mainframe platform.

Steve Hosie, Broadcom, Inc.