What type of security testing do you have done?
I am interested in finding out what type of security testing is most prevalent among enterprises today. Whether it's a vulnerability scan, security audit, penetration testing, or a combination of the above, I would love to hear about what your company is doing. If you don't have any security testing done, could you share with us why you don't have any done or maybe what plans you have for the future in this area? All feedback is welcome.
Best Answer
- Recommended by:
- Trevor Usken
- Gregory Pickett, CISSP, GCIA, GPEN
I'd say periodic network vulnerability scans (Qualys, freeware Nessus, etc) are probably the most common. Next go web application vuln scans and possibly many other types, but network VA is by far the most popular (despite known limitations, etc, etc)
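A network vulnerability scan of the kind this answer calls most common boils down to connecting to exposed services, reading what they advertise, and matching that against an advisory table. The following is an added example written for this page, not the answerer's tooling and not code from Qualys or Nessus; the product names, the advisory table and the four listening services are constructed so it runs offline, and the fourth service illustrates the "known limitations" remark: a vendor backport that fixes the bug but leaves the version banner unchanged is still flagged.

```python
"""Toy network vulnerability-assessment pass: banner-grab TCP services and
match the advertised version against a small advisory table.  Added example,
not the answerer's tooling or any Qualys/Nessus code; the advisory entries,
product names and listening services are constructed so it runs offline."""
import re
import socket
import threading

# Constructed advisory table: (product, vulnerable-version regex, finding).
ADVISORIES = [
    ("ExampleSSH", re.compile(r"^ExampleSSH_[0-6]\.\d+$"),
     "ExampleSSH before 7.0 (constructed finding)"),
    ("ExampleFTP", re.compile(r"^ExampleFTP 1\.\d+$"),
     "ExampleFTP 1.x (constructed finding)"),
]


def parse_banner(banner):
    """Split a banner into (product, version string).
    'SSH-2.0-ExampleSSH_6.2'   -> ('ExampleSSH', 'ExampleSSH_6.2')
    '220 ExampleFTP 1.4 ready' -> ('ExampleFTP', 'ExampleFTP 1.4')"""
    m = re.match(r"SSH-\d\.\d-(\S+)", banner)
    if m:
        return m.group(1).split("_")[0], m.group(1)
    m = re.match(r"220 (\S+ \S+)", banner)
    if m:
        return m.group(1).split()[0], m.group(1)
    return None, banner


def assess(host, port, banner):
    """Return a result dict; 'finding' is None when no advisory matches."""
    product, version = parse_banner(banner)
    finding = None
    for name, pattern, text in ADVISORIES:
        if product == name and pattern.match(version):
            finding = text
            break
    return {"host": host, "port": port, "banner": banner, "finding": finding}


def grab_banner(host, port, timeout=2.0):
    """Connect and read whatever the service volunteers first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def scan(host, ports):
    results = []
    for port in ports:
        try:
            banner = grab_banner(host, port)
        except OSError:
            continue  # closed or filtered; a real scanner would record that too
        results.append(assess(host, port, banner))
    return results


def serve_banner(banner):
    """Constructed target: one-shot listener on an ephemeral localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Scan four constructed services.  The fourth is the classic banner-scan
    false positive: a backported fix that the version string does not reveal."""
    ports = [
        serve_banner(b"SSH-2.0-ExampleSSH_6.2\r\n"),                        # flagged
        serve_banner(b"SSH-2.0-ExampleSSH_8.4\r\n"),                        # clean
        serve_banner(b"220 ExampleFTP 1.4 ready\r\n"),                      # flagged
        serve_banner(b"SSH-2.0-ExampleSSH_6.2 vendor-backport-fixed\r\n"),  # flagged anyway
    ]
    return scan("127.0.0.1", ports)


if __name__ == "__main__":
    for r in demo():
        print(r["port"], r["banner"], "->", r["finding"] or "no finding")
```

Unauthenticated banner matching is cheap and scales across a network, which is why it is the most common form of testing, but it reports only what the service chooses to say. Authenticated (agent or credentialed) scanning reads installed package versions instead of banners, which removes this particular class of false positive and also finds vulnerable software that exposes no listening port.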
- Recommended by:
- Trevor Usken
Key Resources, Inc. is now delivering a mainframe z/OS product that does vulnerability scans. Up until now, it was the assumption that the mainframe z/OS Operating System was absolutely secure in this area because of the IBM Integrity Statement. Well, there are integrity issues with the z/OS Operating System and especially Independent Software Vendor supplied code and even installation developed and added code. Although the most secure platform around, the z/OS system still has vulnerabilities which must be discovered and addressed. See www.vatsecurity.com for more information.
- Recommended by:
- Trevor Usken
While there are many software solutions to this question, before you go and assess all of your "external" threats make sure you have a rock solid "internal" (your employees, vendors, contractors, visitors) security plan for your network. We test client security programs on a regular basis and it is very common to find poor work practices that expose the network to security threats from inside the client site.
Very basic exposures such as computers logged on and left in the open access mode when no one is around, one user allowing an unauthorized user to access the net from their work station but not monitoring exactly what the unauthorized user is doing in the system, remote access by employees from high risk networks or locations, a total lack of physical security on drives, flash drives, external hard drives and downloads that are taken off site and then brought back on site.
No matter what protection you put into your system, if a trained intruder has unlimited time to work on penetrating your system, it will eventually happen. When people can take an entire drive or a copy of a drive off site and study it for days, weeks, or months without your IT security being able to monitor live activity, they will find a way through your security software. If they are allowed to bring on site drives that are preloaded with data and then insert that drive into the network at any port, you are going to have trouble.
Implement hard core physical security practices and enforce them. Compartmentalize both your data and your security software solutions so that it is very hard to visualize your entire security solution program. Use a high quality software solution but be prepared to change aspects of the solution or to a new solution if you detect ongoing penetration attempts that begin to show success in penetrating layers or areas of your network.
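The "drive inserted at any port" exposure this answer describes leaves a trace in the host's kernel log, which is one place to put detection if policy alone is not being followed. The following is an added example for this page, not the answerer's process: it groups Linux dmesg-style lines by USB bus path, picks out the devices the kernel bound to usb-storage, and compares each serial number to an allowlist of company-issued drives. The log lines, vendor/product IDs and the allowlist are constructed.

```python
"""Detect removable mass-storage attachments in Linux kernel log lines and
compare the device serial to an allowlist.  Added example, not the answerer's
process; the log lines, device IDs and allowlist below are constructed."""
import re

# Constructed dmesg-style lines: a personal flash drive on bus path 1-1,
# a keyboard on 1-2, and a company-issued (allowlisted) drive on 1-3.
KERNEL_LOG = """\
[  101.000001] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.120000] usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  101.120100] usb 1-1: Product: Ultra Fit
[  101.120200] usb 1-1: Manufacturer: SanDisk
[  101.120300] usb 1-1: SerialNumber: 4C530001234567891234
[  101.300000] usb-storage 1-1:1.0: USB Mass Storage device detected
[  102.500000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[  230.000001] usb 1-2: new low-speed USB device number 5 using xhci_hcd
[  230.100000] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  230.100100] usb 1-2: Product: USB Keyboard
[  410.000001] usb 1-3: new high-speed USB device number 6 using xhci_hcd
[  410.100000] usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
[  410.100100] usb 1-3: SerialNumber: 60A44C3FA0E0B3D1B9C2F8A1
[  410.300000] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Serials of company-issued drives (constructed).
ALLOWED_SERIALS = {"60A44C3FA0E0B3D1B9C2F8A1"}

TS = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<msg>.*)$")
FOUND = re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, "
                   r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR = re.compile(r"^usb (?P<path>[\d.-]+): "
                  r"(?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
STORAGE = re.compile(r"^usb-storage (?P<path>[\d.-]+):\d+\.\d+: "
                     r"USB Mass Storage device detected$")


def parse_usb_devices(log):
    """Group kernel lines by USB bus path into per-device records."""
    devices = {}
    for line in log.splitlines():
        m = TS.match(line)
        if not m:
            continue
        ts, msg = float(m.group("ts")), m.group("msg")
        if f := FOUND.match(msg):
            devices[f["path"]] = {"path": f["path"], "ts": ts, "vid": f["vid"],
                                  "pid": f["pid"], "storage": False}
        elif (a := ATTR.match(msg)) and a["path"] in devices:
            devices[a["path"]][a["key"]] = a["val"]
        elif (s := STORAGE.match(msg)) and s["path"] in devices:
            devices[s["path"]]["storage"] = True
    return devices


def unauthorized_storage(log, allowed=ALLOWED_SERIALS):
    """Mass-storage devices whose serial is missing or not on the allowlist."""
    return [d for d in parse_usb_devices(log).values()
            if d["storage"] and d.get("SerialNumber") not in allowed]


if __name__ == "__main__":
    for d in unauthorized_storage(KERNEL_LOG):
        print(f"t={d['ts']:.1f} {d['path']} {d['vid']}:{d['pid']} "
              f"{d.get('Manufacturer', '?')} {d.get('Product', '?')} "
              f"serial={d.get('SerialNumber', 'none')}")
```

Detection only tells you a drive was plugged in; it says nothing about a drive that was copied and taken off site, which is the harder case the answer raises. Where policy says unapproved removable storage is never acceptable, the stronger control is to prevent the kernel from binding the driver at all (on Linux, an `install usb-storage /bin/false` line in a file under /etc/modprobe.d stops the module from loading) and keep the log parsing as a check that the control is actually in place.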
- Recommended by:
- Gregory Pickett, CISSP, GCIA, GPEN
My company focuses on compliance testing. We have been heavily invested with testing General Computer Controls as they relate to the Sarbanes Oxley federal mandate for public companies. These reviews concentrate on three main areas of concern, Security, Change Management, and Operations.
Our methodology is based on The Control Objectives for Information and related Technology (CobiT®) developed by the IT Governance Institute.
We implement reviews of all new systems and any changes to existing systems to ensure that separation of roles and responsibilities are maintained and that least access is applied with common sense. This is done at both the network and host levels. We regularly scan for vulnerabilities and have an external auditor perform regular audits.
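The separation-of-roles and least-access review this answer describes, and the change-management and security controls the Sarbanes-Oxley compliance answer above concentrates on, can both be expressed as a check over an access matrix: which entitlement pairs one person must never hold together, and which direct grants no assigned role justifies. The following is an added example for this page, not either answerer's review tooling; the roles, entitlements, toxic combinations, users and the proposed change are constructed. It runs the review once on the current state and once as a change review, reporting only the findings a change would introduce.

```python
"""Segregation-of-duties and least-access review over an access matrix,
run on the current state and again on a proposed change.  Added example,
not the answerers' review tooling; roles, entitlements, toxic pairs, users
and the proposed change are constructed."""

# Role -> entitlements the role legitimately carries (constructed).
ROLE_ENTITLEMENTS = {
    "developer":   {"code.commit", "change.request"},
    "release_mgr": {"change.approve", "change.deploy_prod"},
    "dba":         {"db.read_prod", "db.alter_prod"},
    "auditor":     {"log.read"},
    "log_admin":   {"log.read", "log.purge"},
}

# Entitlement pairs one person must not hold together (constructed).
TOXIC_PAIRS = {
    frozenset({"change.request", "change.approve"}),   # approve your own change
    frozenset({"code.commit", "change.deploy_prod"}),  # write code and ship it unreviewed
    frozenset({"db.alter_prod", "log.purge"}),         # alter production data and erase the trail
}

# Observed state: user -> (assigned roles, entitlements granted directly) (constructed).
ACCESS_MATRIX = {
    "alice": ({"developer"}, set()),
    "bob":   ({"developer", "release_mgr"}, set()),
    "carol": ({"dba"}, {"log.purge"}),
    "dave":  ({"auditor"}, {"db.read_prod"}),
}

# A proposed change: grant alice approval rights directly (constructed).
PROPOSED = dict(ACCESS_MATRIX, alice=({"developer"}, {"change.approve"}))


def effective_entitlements(roles, direct=frozenset()):
    """Union of role-derived entitlements and direct grants."""
    ents = set(direct)
    for r in roles:
        ents |= ROLE_ENTITLEMENTS.get(r, set())
    return ents


def sod_violations(ents):
    """Toxic pairs fully contained in one person's effective entitlements."""
    return sorted(tuple(sorted(p)) for p in TOXIC_PAIRS if p <= ents)


def direct_grants_outside_role(roles, direct):
    """Least access: direct grants that none of the assigned roles justifies."""
    return sorted(set(direct) - effective_entitlements(roles))


def review(matrix):
    """Per-user findings; users with nothing to report are omitted."""
    findings = {}
    for user, (roles, direct) in matrix.items():
        sod = sod_violations(effective_entitlements(roles, direct))
        extra = direct_grants_outside_role(roles, direct)
        if sod or extra:
            findings[user] = {"sod": sod, "direct_grants_outside_role": extra}
    return findings


def review_change(before, after):
    """Findings present after a change that were not already present before it."""
    old, new = review(before), review(after)
    return {u: f for u, f in new.items() if old.get(u) != f}


if __name__ == "__main__":
    print("current state:")
    for user, f in review(ACCESS_MATRIX).items():
        print(" ", user, f)
    print("introduced by proposed change:")
    for user, f in review_change(ACCESS_MATRIX, PROPOSED).items():
        print(" ", user, f)
```

Two design points carry over to a real review. Evaluate toxic pairs on effective entitlements (roles plus direct grants), because a direct grant is exactly how a person ends up with a combination no role design allowed; and diff the findings rather than re-reading the whole matrix, because a change review that repeats every pre-existing exception each time is ignored.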