Now that we’ve verified that your system has no known integrity vulnerabilities, validated users in a manner that will minimize the chance of someone stealing their identity, and located all the sensitive data on your systems (remediating the copies that should not have been there in the first place), it is time to focus on who has access to your organization’s sensitive data.
It is important to realize that datasets and database tables can contain more than one type of sensitive information and, sometimes, the additional information was added after the dataset was originally created.
Now, I’ve been focusing on individuals’ sensitive data, but the sensitive data on your systems could include your organization’s financial information, future plans, intellectual property, etc. Although there are a lot of data repositories to categorize, this must be done. The only product for the mainframe in this area is DataSniff from Xbridge Systems, although, without it, a good start could be categorizing datasets by their names – e.g. the financial datasets begin with the high level index FINANCE, etc.
Way back in the late 1990s, my former co-developer of ACF2, Eberhard Klemens, asked me to join his company, EKC, Inc., and aid with the direction and development of its products. One of the products I worked on with Tom Carneal was the EKC Security Reporting Facility. Tom did the reporting portion and I developed a categorization process so that someone in charge of PAYROLL could easily obtain security violation and logging reports of all ACF2 and RACF SMF journal records that applied to his or her area. I also developed the E-SRF Access Analysis program that produced a list of all those with access to a specific dataset under ACF2 and RACF. This functionality was later added to ACF2 and Top Secret by CA and to the Vanguard and zSecure suites for RACF, so it will be available on your systems.
The next step should be, for each category, to develop a list of users who should have access to this type of data. This could be done by taking some sample datasets, listing the users with access and meeting with the appropriate management to determine if everyone on the list should have access, etc. Basically, you are then developing a list of users, blessed by management, to have access to a certain category of data. Then, the access lists for all datasets in that category of data can be created and compared to the “blessed” list.
As you can see, this is a long and arduous process and that is why, at Xbridge Systems, we had Steve Beaver create a pair of add-on utilities, for ACF2 and RACF, to do this, producing a report of the users who have access without being on the “blessed” list. Then, it would be relatively easy for the compliance staff to either get permission to add the user to the “blessed” list or have them removed from the access list.
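The comparison described above can be sketched in a few lines. This is an added example, not the Xbridge utilities or any vendor's code; it assumes the access lists have already been resolved to individual user IDs (for example from an access-analysis report), that categories follow the high level index of the dataset name, and all dataset names and user IDs are constructed.

```python
from collections import defaultdict

# Constructed sample data: dataset -> user IDs that currently have access.
ACCESS = {
    "FINANCE.GL.MASTER": {"ALICE", "BOB", "CAROL"},
    "FINANCE.AP.HISTORY": {"ALICE", "DAVE"},
    "PAYROLL.EMP.SALARY": {"ERIN", "BOB"},
    "SYS1.PARMLIB": {"FRANK"},
}
# Constructed "blessed" lists: category -> users approved by management.
BLESSED = {
    "FINANCE": {"ALICE", "BOB"},
    "PAYROLL": {"ERIN"},
}

def category_of(dataset):
    """Categorize a dataset by its high level index (first qualifier)."""
    return dataset.split(".", 1)[0].upper()

def find_exceptions(access, blessed):
    """Compare every dataset's access list with its category's blessed list.

    Returns (exceptions, uncategorized):
      exceptions    {category: {user: [datasets]}} for users who have access
                    but are not on the blessed list for that category
      uncategorized datasets whose category has no blessed list yet
    """
    exceptions = defaultdict(lambda: defaultdict(list))
    uncategorized = []
    for dataset in sorted(access):
        cat = category_of(dataset)
        if cat not in blessed:
            # No approved list exists, so nothing can be judged either way.
            uncategorized.append(dataset)
            continue
        users = {u.upper() for u in access[dataset]}
        for user in sorted(users - blessed[cat]):
            exceptions[cat][user].append(dataset)
    return {c: dict(u) for c, u in exceptions.items()}, uncategorized

if __name__ == "__main__":
    found, pending = find_exceptions(ACCESS, BLESSED)
    for cat in sorted(found):
        for user, datasets in sorted(found[cat].items()):
            print(f"{cat}: {user} not on blessed list -> {', '.join(datasets)}")
    for dataset in pending:
        print(f"no blessed list for category of {dataset}")
```

Note that BOB is approved for FINANCE but still appears as an exception for PAYROLL, because approval is per category of data, not per user.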
Next, Part 5 – Monitoring Access to Sensitive Data