Every day, after you get your first cup of coffee, do you scan the mainframe security system violation and logging reports looking for abnormal behavior, strange activity, and so on? Given the size of these reports, do you do a thorough job of it? And how much time has elapsed between the moment the activity occurred and the moment you finally got to it?
When I first developed these reports for ACF2 (dataset and resource), we had systems that ran at a rate of a few MIPS – maybe 10-20. The current IBM z13™ will process 110,000 MIPS. The volume of processing has grown exponentially, and so has the volume of security incidents, whether loggings or violations, produced each day. Remember that violations and loggings exist to highlight activity that may affect sensitive data: either the organization's own sensitive data or the z/OS system itself. An illicit modification of the z/OS system can be the vehicle for actually accessing or modifying sensitive data, because it bypasses the z/OS security system controls altogether.

In case you didn't realize this: if someone can modify the z/OS system and its libraries by doing something as simple as link-editing a program with the Authorized Program attribute and storing it in an Authorized (APF) Library, they can then execute that program and, with relatively simple code, use that authorization to bypass whatever controls you have in place in ACF2, RACF or Top Secret.
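Because no analyst can read every record by hand at today's volumes, the practical answer is to triage the daily report so that the case above (a write or allocate against an APF-authorized library) surfaces first. The script below is an added example, not code from the original article or from any ACF2 product; the record layout and the APF library names are constructed for illustration, and a real ACF2 dataset report would need its own parser.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch

# Assumed APF-authorized library names for this example (in practice, take
# them from your own APF list); fnmatch wildcards are allowed.
APF_LIBRARIES = ["SYS1.LINKLIB", "SYS1.LPALIB", "PROD.APF.*"]
WRITE_ACCESS = {"WRITE", "ALLOC"}  # access levels that can change a library

# Constructed sample lines in a simplified layout (not a real ACF2 report):
# date time logonid dataset access result (LOG=allowed but logged, VIO=denied)
SAMPLE_REPORT = """\
2024-03-01 06:01:12 PAYRL01  PROD.PAYROLL.MASTER READ  VIO
2024-03-01 06:02:40 SYSPROG1 SYS1.LINKLIB        WRITE LOG
2024-03-01 06:03:05 TSOUSR7  SYS1.LINKLIB        READ  LOG
2024-03-01 06:05:59 TSOUSR7  PROD.APF.LOADLIB    ALLOC VIO
2024-03-01 06:07:13 BATCH22  TEST.DATA.FILE      WRITE LOG
"""

@dataclass
class Record:
    when: datetime
    logonid: str
    dataset: str
    access: str
    result: str

def parse_report(text: str) -> list[Record]:
    records = []
    for line in text.splitlines():
        if line.strip():
            date, time, lid, dsn, access, result = line.split()
            records.append(Record(datetime.fromisoformat(f"{date} {time}"),
                                  lid, dsn, access, result))
    return records

def is_apf_library(dsn: str) -> bool:
    return any(fnmatch(dsn, pat) for pat in APF_LIBRARIES)

def priority(rec: Record) -> str:
    # A write to an APF library is the case the article warns about. An
    # allowed-but-logged write (LOG) matters at least as much as a denied
    # one (VIO), because it actually succeeded.
    if is_apf_library(rec.dataset) and rec.access in WRITE_ACCESS:
        return "CRITICAL"
    return "HIGH" if rec.result == "VIO" else "LOW"

def triage(text: str) -> list[tuple[str, Record]]:
    rank = {"CRITICAL": 0, "HIGH": 1, "LOW": 2}
    pairs = [(priority(r), r) for r in parse_report(text)]
    return sorted(pairs, key=lambda p: (rank[p[0]], p[1].when))
```

Run `triage(SAMPLE_REPORT)` and the two APF-library changes come out on top, ahead of the ordinary violation and the routine loggings.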