z/OS Security Audit/Assurance Program 


z/OS Security Audit/Assurance Program   Download (Member Only, 2.2M)

  Provide feedback on this document
Knowledge Center  Visit the Audit Tools and Techniques Knowledge Center community
Knowledge Center  Visit the z/OS-OS/390 Knowledge Center community

The audit/assurance programs reflect the IT Assurance Framework (ITAF) sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes and 3800—IT Audit and Assurance Management and were developed in alignment with the Control Objectives for Information and related Technology (COBIT)—specifically COBIT 4.1.

Objective—The objective of the z/OS audit/assurance review is to provide management with an independent assessment relating to the controls addressing the configuration and security of the z/OS operations systems with the enterprise’s computing environment.

Scope—The review will focus on configuration of the relevant z/OS images within the organization, and the controls over critical operating system (z/OS) libraries, exits to the operating system and supervisor calls (SVCs). The selection of the applications/functions and specific images will be based upon the risks introduced to the organization by these systems.

z/OS systems are subject to identity management, the process of identifying and authenticating users and technical support administrators. Since this process is also addressed in the Identity Management Audit/Assurance Program, this review is limited to technical services access (access to the operating system’s configuration and security mechanisms) and general user controls (excluding users from access to operating system resources) and the Time Sharing Option (TSO) configuration. Refer to the Identity Management Audit/Assurance Program for controls relating to user identity.

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.