RACF - Audit and Compliance Roadmap
Code: RACFAC
Description
This course is designed for auditors, compliance monitors, and RACF administrators seeking to identify vulnerabilities in RACF-protected z/OS mainframe systems and bring those systems into compliance with legally mandated security requirements. Much more than a simple "how to audit" class, this technically rich course will show you how to find and address serious security exposures of the kinds commonly found during RSH's RACF audits. By the end of class, you will have gained a solid understanding of RACF, an awareness of implementation "best practices", and a comprehensive knowledge of the tools and techniques for evaluating the status of RACF protection. Better still, you will be reviewing RACF reports from your own system during class and immediately identifying control concerns.
Audience
- IT Auditors seeking to perform more effective audits
- Compliance Monitors who want to ensure the security staff or outsource service provider has properly implemented RACF
- RACF Managers & Administrators who want to find and fix control concerns before the auditors arrive
Prerequisites
Familiarity with the mainframe, RACF, and using TSO
Objectives
On completing this course, students will have learned:
- RACF's components, primary functions, and access authorization logic
- RACF configuration SETROPTS options
- Use of RACF commands for gathering information
- How to limit powerful authorities like OPERATIONS
- Protection of high-value, security-sensitive resources
- Options governing event logging and reporting
- Security administration tasks and authorities
- How to generate and interpret RACF DSMON reports
Topics
RACF Concepts
- Introduction to RACF
- Profiles & relationships
Users
- Identification & authentication
- Password composition & options
- User profile contents & segments
- RACF commands and reports for users
Groups
- Concepts, hierarchy, & functions
- Group profile contents & segments
- RACF commands and reports for groups
Resource Protection
- Concepts
- Resource profiles - generic & discrete
- OPERATIONS & privileged access authorities
- Access permissions & authorization process
Datasets
- Dataset basics & protection
- Dataset profiles & contents
- PROTECTALL & TAPEDSN control options
- RACF commands and reports for datasets
General Resources
- Resource types, names & protection
- General Resource profiles & contents
- RACF commands and reports for resources
JES-related Controls
- Started Task identification
- Batch job controls (e.g., SURROGAT)
DASD Storage Administration
- STGADMIN FACILITY profiles
- DASDVOL profiles
System Product Controls
- z/OS Unix BPX & UNIXPRIV profiles
- TSO authorities and logon resource protection
- CICS transaction & command protection
Logging & Reporting
- System Management Facilities (SMF)
- SETROPTS & profile monitoring options
- Reporting tools
Administrative Authorities
- System & Group level SPECIAL & AUDITOR
- Group connect authorities
- Class authorization and FIELD profiles
- Policies, standards, and staffing
RACF Configuration
- Exits & customization
- Database backup and maintenance
RACF Audit Plan, Process, & Tools
Price (ex. VAT)
Duration
Delivery methods
- Classroom
- On-site (at your location)
- Virtual (instructor online)