CA World® ’16
The Importance of Mainframe Security Education
Mr. Steve Hosie - President, CISSP, CISM - CyberSecurity.Services
MFX173S
MAINFRAME AND WORKLOAD AUTOMATION
© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
For Informational Purposes Only
Terms of this Presentation
Abstract
Education is the foundation of effective mainframe security, and to secure the most mission-essential assets in the business, mainframe teams must be properly educated on the greater industry standards and the security products they manage. If teams lack the appropriate training, how does anyone know if their sensitive mainframe data is actually secure? This session will dive into the importance of mainframe security education at all levels to enable teams to better secure mainframe applications, provide ways to simplify mainframe security documentation and share best practices for increasing collaboration and mainframe security education.
Steve Hosie
CyberSecurity.Services
President, CISSP, CISM
Agenda
1. VALUE FOR STAKEHOLDERS
2. IDENTIFY THE WHO AND WHY
3. WHAT LEVEL OF EDUCATION - MAINFRAME LPAR OR APPLICATION
4. THE “MISSING LINK”
5. EDUCATION LINKS
Value to Stakeholders
§ Inadequate and ineffective security controls have left individuals and corporations more vulnerable to illegal activities such as computer fraud, abuse, theft and the unauthorized disclosure, modification, or destruction of information
§ Lack of training guarantees inadequate security controls will be implemented due to such basics as “not knowing how to effectively utilize the Mainframe Security tools” to protect your data
Value to Stakeholders
§ If your Cyber Security team are not educated in how to fully and properly utilize the Mainframe Security tools – how can you be assured your data is properly protected?
§ Ask your Cyber Security team – what are the top 10 most critical resources, what access levels are held by whom, and when was the last report reviewed for those resources?
§ Just because an Auditor failed to know where to look and what questions to ask – does that mean your data is protected?
Value to Stakeholders
§ Investing in the education of your Mainframe Cyber Security staff for proper utilization of the Mainframe Security tools is a direct investment in protecting your data
Who Are the Mainframe Security Administrators
§ Who performs Mainframe Security?
– z/OS System Cyber Security Team Members
§ Individuals who are responsible for Cyber Security controls over the z/OS System level and 3rd party software products
– Ensuring Security Controls have properly and fully secured the Secure Mainframe Platform based upon well documented z/OS Security Standards
– Without Education, how would responsible team members know how to fully and properly utilize all security product features, ensuring the z/OS Platform has been properly secured?
z/OS System or Application
Who Are the Mainframe Security Administrators
§ Who performs Mainframe Security?
– z/OS Mainframe “Customer” Application Cyber Security Team Members
§ Individuals who are responsible for Cyber Security controls over the Applications and actual application data (Sensitive, PII, HIPAA, PCI, etc.)
– Without proper education on how to utilize the Mainframe Security products to protect the actual data and applications processing on the Mainframe Platform – is your data protected? How would you know?
– How would those responsible to protect your data be able to provide assurance if they do not know how to utilize the security product?
z/OS System and Mainframe Application Cyber Security Teams
Who Else Should Receive Training?
§ Who else performs Mainframe Security?
– z/OS System level “Help Desk”
– z/OS Auditors
– z/OS Application Auditors
What Level of Training
§ Training on z/OS Mainframe Security Model and overview of Mainframe Security Products
§ CA-ACF2, CA-AUDITOR, CA CLEANUP, CA TOP SECRET and other such z/OS Mainframe Security products
– All levels:
§ Management of z/OS System Teams,
§ Management/Owners of Customer Applications/data,
§ Management over the various Mainframe Cyber Security Teams,
§ Cyber Security team members - z/OS System level and Application/data levels
§ Auditors
z/OS System or Application
What Level of Training
§ Training on z/OS Mainframe Security Product Basics –
§ Basics on how to use CA-ACF2, CA-AUDITOR, CA CLEANUP, CA TOP SECRET and other such z/OS Mainframe Security products
– z/OS System Programmers
– z/OS System Level Cyber Security team members
– z/OS Application Cyber Security team members
– Help Desk / Customer Service
– Auditors
z/OS System and Application Cyber Security Teams, Mainframe Auditors, Help Desk
What Level of Training
§ Training on z/OS Mainframe Security Product Setup and Advanced –
§ In-depth configuration settings, advanced fundamentals on how to use CA-ACF2, CA-AUDITOR, CA CLEANUP, CA TOP SECRET and other such z/OS Mainframe Security products
– z/OS System Programmers
– z/OS System Level Cyber Security team members
z/OS System Programmers and z/OS System Cyber Security Teams
What Level of Training
§ Training on how to review, document and properly secure Customer Applications and Data on z/OS Mainframes –
– Cyber Security team members responsible for the security controls at the z/OS System level
– Cyber Security team members responsible for the security of the customer applications and data levels
– Management/owners of Customer Applications and data
– Mainframe Application Auditors
z/OS System Cyber Security Teams, Application Cyber Security teams, Auditors
The “Missing Link” in Mainframe Security Education
– Mainframe Application Level Security Training is often the “Missing link”. Teams are often trained only in the basic syntax of the security product, but not in how to effectively review and implement controls in relation to the Application or data they are responsible for
– Application and data level security controls – what controls should be documented, implemented and validated?
– Does the Application Cyber Security team know how to effectively use the security products?
– Where can they obtain Application Level Cyber Security training on how to utilize the Mainframe Security tools for their application?
The Application Layer
The “Missing Link” in Mainframe Security Education
– How to blend Security product syntax with appropriate application of Cyber Security Concepts within the z/OS Mainframe Environment.
– From command “syntax” to knowing which access controls are appropriate
– Knowing which access is not appropriate to grant
– Knowing what the critical resources are, System and Application(s)
– How to monitor access
– So much more.
– It takes years of learning, education and dedication to become a Mainframe Cyber Security Professional.
– ~ In Memory of Michael Esberger, Mainframe Security Professional and Educator 1950 – 2016.
The Application Layer
Mainframe Security Education Links
– CA World provides unlimited self directed Mainframe Security products via the lab sessions
– Search http://www.ca.com/us/education-training.html
– Ask CA to provide their self directed Mainframe Security Product training online (www) so your Cyber Security teams can access it
Recommended Sessions
SESSION # | TITLE | DATE/TIME
SCT22S | CA Roadmap: Privileged Access Management | 11/16/2016 at 4:30 pm
MFX172S | The Key to Complying With New Regulations and Standards: Comprehensive Mainframe Security | 11/16/2016 at 4:30 pm
MFT175S | Gaps in Your Defense: Hacking the Mainframe | 11/17/2016 at 3:00 pm
Summary
A Few Words to Review
Mainframe Security Education
Investing in Mainframe Security Education will help guarantee adequate security controls are properly implemented by Cyber Security Team members who have obtained the knowledge and understanding to effectively use the Mainframe Security tools in order to ensure protection of your data.
Questions?
Thank you.
Stay connected at communities.ca.com
Mainframe and Workload Automation
For more information on Mainframe and Workload Automation, please visit: http://cainc.to/9GQ2JI