This is a short extract from the first draft of an article I'm writing for z/Journal about maturing the mainframe security function. This section deals with a necessary cultural shift in the control of mainframe data.
"Organisations carry lots of sensitive data. Typically the mainframe will host thousands of customer account records, and in some cases these will include financial data such as credit card details and even PINs. All of this is valuable information for which criminal gangs will pay, as much as $15 for a single set of “identity data” including address, DOB and social security number. The infamous “lost disks” containing the records of the UK government’s 25 million child benefit claimants were estimated to be worth £1.5bn on the black market (http://bbc.in/cqAgvP, 2007).
"This means we must lock down our sensitive production data, even from browsing. A READ is a copy: anyone who can browse a production data set can also dump it, FTP it or ship it off-site, and the copy is the loss. Access must only be allowed through the applications that use the data, via legitimate transactions. However, many RACF administrators have been brought up to prevent data modification, and may view READ access as fairly benign. Some shops allow READ access to production data fairly widely to facilitate production support. It takes a major cultural change to wean your IT staff off wide-ranging READ access, and further effort still to achieve the desired state of least-privilege access."
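As an added illustration of what that lockdown looks like in RACF terms (this is my own example, not part of the z/Journal draft), here is a batch job that runs the RACF commands through IKJEFT01. It assumes an existing generic data set profile PROD.CUST.** that production support (group PRODSUPP) can currently read, and replaces that with access granted only to the batch application group APPBATCH and only when the access comes through a program-controlled module CUSTUPD in PROD.LOADLIB. Every profile, group, library and program name here is assumed for illustration.

```jcl
//LOCKPROD JOB (ACCT),'PROD DATA LOCKDOWN',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example (not from the article). Names are assumed:
//*   PROD.CUST.**  - existing generic profile over the customer data
//*   PRODSUPP      - production support group with wide READ today
//*   APPBATCH      - group the batch application runs under
//*   PROD.LOADLIB  - controlled load library holding program CUSTUPD
//*
//* Command sequence in SYSTSIN:
//*   1. LISTDSD ... AUTHUSER   show who can read the data today (pre-check)
//*   2. ALTDSD                 UACC(NONE); log successes and failures at
//*                             READ while the change beds in
//*   3. PERMIT ... DELETE      remove production support's standing READ
//*   4. SETROPTS WHEN(PROGRAM) make sure program control is active
//*   5. RDEFINE PROGRAM        define CUSTUPD as a controlled program
//*   6. PERMIT CLASS(PROGRAM)  let the application group execute it
//*   7. PERMIT ... WHEN(PROGRAM(CUSTUPD))
//*                             grant UPDATE only via that program
//*   8. SETROPTS ... REFRESH   pick up the changed in-storage profiles
//*   9. LISTDSD ... AUTHUSER   confirm the standard access list is empty
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTDSD DATASET('PROD.CUST.**') AUTHUSER
  ALTDSD 'PROD.CUST.**' UACC(NONE) AUDIT(ALL(READ))
  PERMIT 'PROD.CUST.**' ID(PRODSUPP) DELETE
  SETROPTS WHEN(PROGRAM)
  RDEFINE PROGRAM CUSTUPD ADDMEM('PROD.LOADLIB'//NOPADCHK) UACC(NONE)
  PERMIT CUSTUPD CLASS(PROGRAM) ID(APPBATCH) ACCESS(READ)
  PERMIT 'PROD.CUST.**' ID(APPBATCH) ACCESS(UPDATE) WHEN(PROGRAM(CUSTUPD))
  SETROPTS WHEN(PROGRAM) REFRESH
  SETROPTS GENERIC(DATASET) REFRESH
  LISTDSD DATASET('PROD.CUST.**') AUTHUSER
/*
```

Two caveats a practitioner will want. First, a WHEN(PROGRAM) entry only works while the address space is "clean": CUSTUPD must be loaded from the controlled library and no uncontrolled program may have been loaded alongside it, otherwise RACF fails the conditional access rather than granting it. Second, this covers the batch path; for online transactions the CICS or IMS region userid holds the data set access and users are authorised to transactions instead, which is the "legitimate transactions" route the article describes. The AUDIT(ALL(READ)) setting is deliberately noisy so that the SMF type 80 records show who is still reaching the data, and who is now being refused, while the cultural change works through; drop back to failures-only logging once the access list is stable.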
The full article should be in the December issue, but why not subscribe now and read some excellent stuff in the current issue by Ray Overby, Alan Radding and others, including a closer look at the zEnterprise.
READ is not benign