Just time before Montpellier to tell you there is some new System z related content at http://www.pirean.com/Systemz.htm including now four PDFs for download. These are
This is a short extract from the first draft of an article I'm writing for z/Journal about maturing the mainframe security function. This section deals with a necessary cultural shift in the control of mainframe data.
"Organisations carry lots of sensitive data. Typically the mainframe will host thousands of customer account records, and in some cases this will include financial data such as credit card details and even PINs. All of this is valuable information for which criminal gangs will pay, even as much as $15 for a single set of “identity data” including address, DOB and social security number. The infamous “lost disks” containing the UK government’s 25 million child benefit claimants were estimated to be worth £1.5bn on the black market (http://bbc.in/cqAgvP, 2007).
"This means we must lock down our sensitive production data, even from browsing. Access must only be allowed via the applications that use the data, via legitimate transactions. However, many RACF administrators have been brought up to prevent data modification, and might view READ access as fairly benign. Some shops allow READ access to production data fairly widely to facilitate production support. It takes a major cultural change to wean your IT staff off wide-ranging READ access, and further effort still to achieve the desired state of least-privilege access."
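As an added illustration (not part of the article extract) of what "access only via the application" looks like in RACF terms, here is the wide-READ state set beside a least-privilege replacement that uses program access to data sets (PADS). The data set name PROD.CUST.**, the support group PRODSUPP, the inquiry program CUSTINQ, its load library PROD.APP.LOADLIB and volser PRD001 are all assumed names; the commands are shown CLIST-style with /* */ comments.

```tso
/* Before: the state the article warns about. The generic profile hands  */
/* READ to the whole support group, so anyone in PRODSUPP can browse the  */
/* customer records from TSO, ISPF or a batch job.                        */
ADDSD  'PROD.CUST.**' UACC(NONE) AUDIT(FAILURES(READ))
PERMIT 'PROD.CUST.**' CLASS(DATASET) ID(PRODSUPP) ACCESS(READ)

/* After: least privilege. Drop the blanket READ, log successful reads as */
/* well as failures, and allow PRODSUPP to read only while executing the  */
/* controlled inquiry program CUSTINQ (a conditional access list entry).  */
PERMIT 'PROD.CUST.**' CLASS(DATASET) ID(PRODSUPP) DELETE
ALTDSD 'PROD.CUST.**' UACC(NONE) AUDIT(ALL(READ))
PERMIT 'PROD.CUST.**' CLASS(DATASET) ID(PRODSUPP) ACCESS(READ) +
       WHEN(PROGRAM(CUSTINQ))

/* CUSTINQ must be defined as a controlled program loaded from a library  */
/* that only change management can update. PADCHK makes the conditional   */
/* access fail if an uncontrolled program is also loaded in the address   */
/* space, which stops the inquiry program being used as a data pump.      */
RDEFINE PROGRAM CUSTINQ ADDMEM('PROD.APP.LOADLIB'/'PRD001'/PADCHK) UACC(READ)

/* Program control must be active and in-storage profiles refreshed.     */
SETROPTS WHEN(PROGRAM) REFRESH
SETROPTS GENERIC(DATASET) REFRESH

/* Check: the access list should now show only the conditional entry.    */
LISTDSD DATASET('PROD.CUST.**') AUTHUSER
```

Where the legitimate path is an online transaction, the files are opened under the CICS or IMS region userid and the end users need no data set permission at all; PADS covers the batch and TSO support tools that genuinely have to read production data.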
The full article should be in the December issue, but why not subscribe now and read some excellent stuff in the current issue by Ray Overby, Alan Radding and others, including a closer look at the zEnterprise.
I'm attending this next month:-
System z Security Event for Today and Tomorrow...
Note the dates have changed but the website still shows the old dates (in a GIF which is messy to edit, there's a lesson there for all webmasters!)
New dates are Tue 28th Sep to Fri 1st Oct 2010.
If you use LinkedIn then I've added the event here - please update if you're attending and maybe we can meet up.
Topics for the 4-day conference are
I continue to be amazed at the worrying stories of PCIDSS non-compliance in UK organisations, many of which are certain to have System z at the heart of their payment operations.
To that end, I am writing a paper on how zSecure can help you achieve compliance with the PCIDSS (Payment Card Industry Data Security Standard) - which becomes mandatory for Level 1 merchants in the Visa and Mastercard schemes from next month. That will be available on Pirean.com soon, but here are some highlights. The numbered list is the "Digital Dozen" - the twelve basic requirements of the PCIDSS - and the bullets describe briefly how zSecure can help you deliver against each requirement cost effectively.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.
I'll let you know when the full doc is available, meantime check out my thoughts on compliance for System z in my earlier white paper here.