CHAPTER 6, PART 2
IBM & IBM COMPATIBLE MAINFRAME SECURITY
The increased level of scrutiny at the regulatory and media levels has mandated that USDA protect the integrity, confidentiality and availability of its assets.† IBM/IBM Compatible Mainframes process data for mission critical, departmental priority and sensitive systems in USDA and for IT service clients.†† Audits conducted in 2000 by the General Accounting Office (GAO), the USDA Office of Inspector General and independent contractors revealed that the implementation and administration of security on IBM mainframes does not meet the Federal Governmentís minimum security benchmarks for Automated Information Systems (AIS).† The audits also revealed a large amount of USDA assigned high level system privileges and that these environments lacked standardized administrative and technical controls.† Further, USDAís IBM and IBM Compatible Mainframe areas do not sufficiently assure that we can prevent or detect unauthorized use of our systems.
Currently, USDA employs three different security access control software systems in our IBM/IBM Compatible environments: Resource Access Control Facility (RACF) supplied by IBM, Top Secret Security (TSS) and Access Control Facility 2 (ACF2) supplied by Computer Associates.† These security access control packages provide the following standard features in the IMB/IBM Compatible environments:
a†††††††† The ability to restrict access to the computing environment to only preauthorized users or tasks;
b†††††††† The ability to control access to data, applications, and system software to only authorized users and at specific levels (i.e., read, write, delete, modify);
c††††††††† The ability to set general system-wide security parameters;
d†††††††† The ability to set user, data, and application specific security parameters;
e††††††††† The ability to audit any and all activities performed by the users and system;
f†††††††††† The ability to establish a centralized or decentralized security administration environment; and
†g††††††† The ability to control input to and output from the system.
The purpose of the policy below is to establish and implement standardized security policy and procedures that apply without regard to the type of security access software utilized within the IBM and IBM Compatible Mainframe computing environments.
a†††††††† It is USDA policy that technical and administrative controls will be established and maintained on all Automated Information Systems (AIS) which process, store or transmit Sensitive but Unclassified (SBU) information to:
(1) ††††† Ensure individual accountability by uniquely identifying and authenticating each individual system user;
(2)†††††† Validate the usersí access authorizations before allowing access to information or processes;
(3)†††††† Maintain an valid audit trail of user security related events; and
(4)†††††† Prevent unauthorized access to a userís residual data by ensuring all storage areas (disk, tape, etc.) are overwritten or data rendered inaccessible by a new program gaining that space.† Storage areas being disposed of must be degaussed or physically destroyed before disposal.
Policy Exception Requirements Ė Agencies will submit all policy exception requests directly to the ACIO for Cyber Security.† Exceptions to policy will be considered only in terms of implementation timeframes; exceptions will not be granted to the requirement to conform to this policy.† Exceptions that are approved will be interim in nature and will require that each agency report this Granted Policy Exception (GPE) as a Plan of Action & Milestone (POA&M) in their FISMA reporting, with a GPE notation, until full compliance is achieved.† Interim exceptions expire with each fiscal year.† Compliance exceptions that require longer durations will be renewed on an annual basis with an ††† updated timeline for completion. †CS will monitor all approved exceptions.
3††††††††† SECURITY STANDARDS
a†††††††† Mainframe and Server Security.† The security systems on all UDSA AIS shall be configured to ensure that: no access is obtained unless explicitly granted; the least level of access is granted and maintained at all times; and access is granted ††††††††††††††††††††††††††††††††††††††††††
†††††††††† to data, system and application programs only on a need-to-know basis.
The following standards provide the authorized minimum security standards for the USDA systems: IBM Resource Access Control Facility (RACF), Computer Associates (CA) Top Secret Security, CA-Access Control Facility (ACF2), MVS, VM, Customer Information
Control System (CICS), Time-Sharing Option (TSO), Database Management System (DBMS) and other technical manuals and appropriate project office developed applications documentation.
Each agency, that runs an IBM mainframe environment within the USDA domain, that processes, stores, and/or transmits USDA data, shall develop specific technical guidelines for appropriate implementation of their security system (RACF, CA-Top Secret, CA-ACF2).† These guidelines shall be submitted to ACIO, Cyber Security for review and approval.
Agency guidelines must, at a minimum, state how the following information system protections are to be employed within all IBM/IBM Compatible environments:
b†††††††† System Resources.† The system owner will coordinate with the operating system programmer(s), operator(s), engineer(s), Information System Security Program Managers (ISSPM) and System Security Administrators to identify all system resources, components, datasets, and connections that are to be protected by the security system or other internal mechanism and their level of protections.
No users will be profiled with access privileges at the operating system level using the default system user logon identification.† The operating system level default logon shall be REVOKED or SUSPENDED and have all system-level accesses removed from it.†
The purpose of the FIRECALL Logon(s) is to allow on-duty systems support personnel required access to the system and associated resources in the event of failure, either after-hours or when systems support personnel with the required access cannot be contacted in a timely manner.† System access privileges assigned to the FIRECALL Logon(s) shall be at the minimum level required to allow trouble-shooting, disaster recovery, and return the system to operational status.
Access to the emergency use Logon(s) shall be kept strictly on a need to know basis.† Each site shall establish policy and procedures for controlling access to this logon and auditing its use. Each use of the emergency use Logon(s) shall be audited by the system.† The computer operations manager who accessed it shall notify the system security administrator in writing immediately the next workday of the use of the emergency use Logon(s).† The memo shall include the
reasons for use and who used it.† The system security administrator shall immediately change the password (which may be set to never expire) on the emergency use Logon(s) and reseal it in an envelope and return it to the locked
storage cabinet.† On a daily basis, the security administrator
will run an audit report on the Emergency Use Logon(s
†††††††††† to verify their status and use history.
administrator shall make it impossible for these user Logon IDs to† access the system, data, or resources without overt action by the† security administrator to reinstate Logon privileges.† The maximum interval for non-use of a user Logon ID prior to deactivation shall be 30 days for general users and 15 days for privileged users.† Users who require a longer interval of non-use prior to revocation should be handled individually or placed in separate groups for administrative purposes; written justification should be kept on file by the security administrator for the longer interval.
Maximum lifetime for a password is 60 days for general users; and 30 days for privileged users (e.g., Security Administrators, programmers, auditors, engineers).† Password history for each user shall be maintained systemically.† The setting shall not be less than 5.† Usersí logon shall be automatically revoked by the system after three (3) consecutive unsuccessful password attempts.† As a routine courtesy, the users may be notified by
the system in advance that their password will expire.† System passwords, such as for started tasks and batch jobs can be
set to never expire, however, access to these resources must be protected and audited by the security system.
Logons and passwords shall not be automated through use of functions keys, scripts, or other methods where logons and passwords may be stored on systems.† Exceptions are pass-through communications and system calls.† All vendor supplied (default) passwords, including those for software
packages and maintenance accounts, are to be changed as soon as a system or product has been installed.
h††††††††† Discretionary Access Controls (DAC).† The system shall define and control access between named users and system components (e.g., files, datasets, and programs).† The system or network users may be provided the capability to specify who (by individual user or users, group, etc.) may have access to their data.† The system or network shall be configured to ensure that users without specific authorization are not allowed access to data or resources.
Discretionary Access Controls are used to implement security policy that ensures that no one can access our computers without being authorized.† No one will be permitted access to computer data without being explicitly authorized.†† No one will access resources (i.e., data, programs, libraries, remote connections, etc.) without being duly authorized.† No one can change the access rules or profiles without being explicitly authorized.†† There will be adequate separation of authority and duty for computer system and security administration.†† No process or function can be initiated on the system without verification of authorization.† Security software controls will be implemented and maintained on USDA systems to provide access only if explicitly granted and
at the least level of access that is necessary for the function.†† Software controls will assure that access is granted to data and resources only on a need-to-know basis.† No System Started Procedures, Tasks, Batch Jobs, or Programs will be allowed to bypass the security checks or change the ĎProblem Program Stateí of an application or program to the Supervisor State unless specifically authorized in writing by the Accrediting Authority.
All information system security environments will be carefully established and periodically verified to ensure need-to-know access is maintained.† Each agency will conduct an annual review of user access privileges to verify continuing access requirements.† A systematic analysis of access configuration should be performed whether setting up the security system
for the first time or conducting a top-to-bottom review and
verification of access controls.† A review team should be designated that includes systems personnel as well as individuals from the business function.† This group could include but is not limited to the application manager or owner, system programmers, system administrators, security administrators and database administrators, business function manager.† All access points and resources that are connected to the system should be identified (e.g. CPUs, applications, remote ports, remote job entry sites, TSO, CICS, DASDVOL, databases, batch jobs, started tasks, etc.).†† Each of the access points and resources requires a call to the security software so that only specifically defined users and resources can use the system.† All users with TSO logon are required to be defined to the security system.† All started tasks shall have a User ID or Access Identification (ACID) associated with them and must be identified to the security system.† Business owners should determine who must have access to resources to perform their jobs (e.g., programmers, system administrators, security administrators, database administrators, end-users).†
Access profiles for users and resources should be developed based on similar access requirements (e.g., test system, production code maintenance, application access only, etc.)†† Access privileges should be specified based on: no access unless explicitly granted, need-to-know, and least level of privilege.† The Delegation of Authority for the administration (centralized vs. decentralized) should be determined for the system including the security function.† The power a user needs while connected to a specific functional group, whether it be group level controls for administration or only read access to specific datasets should be determined.†† Business owners should determine dataset and resource access rules and profiles (universal access and permission lists).† The agency administering the operating system should ensure that System Started Tasks, Procedures, and Programs are prevented from bypassing security checks and auditing, unless specifically authorized by the DAA.
i†††††††††† Minimum Systemic Controls.† All logon/logoff activity, program calls, uses of system privileges, security command violations will be logged by the system.† All security related actions/commands will also be logged.†
†All resources classes activated on a given IBM system will be identified to the security system and all failed access attempts and changes to the resource shall be logged.† Controls will be established and maintained to ensure that all batch jobs executed on the system are associated with a valid User ID or ACID.† All datasets must be defined to the security system to ensure that only authorized users can gain access.† Internal policy and procedures must be established by each agency to ensure that unauthorized access to a userís residual data cannot be obtained.† Within production parameters the security systemís OBJECT REUSE function should be activated.† If this function cannot be implemented without undue impact on system processing overhead, then the agency must document and implement mechanisms it has in place to ensure that residual data and applications cannot be compromised.†† If the security systemís OBJECT REUSE function is not activated then a exception must be obtained from the OCIO.† Datasets stored on current RAID DASD technology do not require the OBJECT REUSE function as deleted datasets are not recoverable.† Datasets stored on tape must be protected from unauthorized access by using a security management system or tape management system or both.†† All data storage devices shall be rendered unreadable by degaussing, overwriting (5-7 times with random 1ís and 0ís) or complete physical destruction prior to disposal.
Access by inactive users should be suspended by the system after 30 days (maximum).† Password syntax must indicate 6-8 characters, alpha-numeric (shall be enforced by the security† system).† All system default passwords must be redefined by the installation.† All remote accesses to the system must be defined to the security system. †All accesses to APF libraries shall be specifically defined (no universal access).† All installation defined program exits must be reviewed by the
Office of Cyber Security and approved in writing by the agency DAA.
j†††††††††† Minimum System Resources to be Protected.† The following list of system resources must be secured:
(1) Started Tasks (must be audited)
(2) APF Libraries (must be defined to the security system and access strictly limited to need-to-know)
(7) SMF data
(8) Security system exits††††††††
(9) JES2 Spool display software
(10) All TSO authorized accesses (must be strictly controlled and audited for unauthorized access)
(11) All BATCH Jobs (must be subjected to security checks for submission by authorized users)
(12) No programs shall be allowed to bypass security checks without the written authorization of the DAA
(13) All SVCs (whether user defined or site-modified vendorĖsupplied shall be documented)
(14) All operating system, application, resource, and security exits must be documented and approved by the DAA
(15) LINKLIST libraries
(16) System Catalogs
(18) System-level product installation libraries
(19) JES SPOOL dataset
(21) System backup files
(23) System commands
(24) System console devices (e.g. password controlled screen lock, physical controls)
k††††††††† Review of Audit Reports.† The SSA will review Security (Command Violations) Reports daily.† Suspicious activity shall be referred to the agency IT manager and ISSPM for review and disposition.†
Each USDA site operating an IBM mainframe system shall assign a† Security System Administrator (SSA), and backup security system† administrators as necessary for that system.† The SSA has overall† responsibility for administration and maintenance of the† implementation of the user and group access profiles for systems under his or her jurisdiction.
Maintenance and modifications to these environments (system or† application), other than user profiles, are to be directed and controlled by a formal configuration management/change transmittal system.
Security administration is an independent responsibility and shall not be assigned to a System/Application Programmer, Database Administrator, System Administrator, or System Operator.† Security personnel must, however, work closely with all system administration personnel to maximize system performance and security.†
a†††††††† The Associate CIO, Cyber Security will:
(1) Conduct periodic security assessments on IBM/IBM Compatible mainframe computing systems;
(2) Review mainframe computer system security guidelines and standards;
(3) Review mainframe computer system security plans;
(4) Review and coordinate requests for deviations and exceptions pertaining to mainframe computer systems with the Associate CIO for IRM; make recommendations regarding exceptions to CIO and
(5) Review mainframe computer system Certification and Accreditation documentation.
b††††††††† The Agency Chief Information Officer will:
(1) Ensure that sufficient resources are applied to the IT security function to ensure that mainframes and servers have mandated protection;
(2) Ensure all personnel acknowledge in writing the system security requirements and their responsibilities pertaining to security;
(3) Ensure that separation of duties among IT staff is maintained to avoid a conflict of interest;
(4) Ensure a list of SBU systems and applications (operational and under development) at the site is maintained, providing the name and a brief description;
(5) Ensure that certification and accreditation activities and documentation (i.e., risk assessment, security plan, disaster recovery plan, privacy impact assessment, trusted facilityís manual, etc.) are complete and maintained;
(6) Ensure that the most current copy of the signed certification and accreditation report for each system and application is on file;
(7) Ensure a file copy of all approved exceptions to an information systemís security requirements is maintained and available;
(8) Ensure that security tests and evaluations are performed for each agency information system being developed or maintained;
(9) Ensure software is in compliance with copyright agreement and software license;
(10) Review audit reports of accounting, adjustments, and other Critical financial functions and coordinate review of any suspicious activities with the CS program;
(11) Ensure that audit trails are appropriately reviewed; IT managers will notify the SSA within 3 working days of action taken on suspected security violations;
(12) Ensure that functional security reviews are conducted;
(13) Assure that any moves or changes to an information system are coordinated with the system security function;
(14) Maintain documentation that details the information systems hardware and software configurations at each facility;
(15) Ensure that appropriate technical, administrative, physical, and personnel security requirements in the specifications for acquisition or operations of information systems are documented, reviewed and approved by the management official responsible for security at the facility operating the information system;
(16) Ensure security requirements (which include personnel and physical security) are incorporated in the planning phase and continued during each phase of the life cycle;
(17) Ensure that the system development project plan††††††††††††††††††††††††††††††† includes: when and how the security requirements will be identified; security safeguard development efforts during the project design phase; security test criteria during the testing phase and accreditation and certification effort during the acceptance phase;
(18) Ensure that security requirements, features, and techniques are:
(a) Incorporated during the planning and conceptual phase for all new systems, applications and telecommunications systems that store, process, transfer, or communicate sensitive but unclassified (SBU) information;
(b) Defined and approved prior to acquiring or starting formal development of all information systems and applications and reviewed throughout the life cycle;
(c) Kept current throughout the entire life cycle of the system or application;
(d) Precise enough to allow tests to be designed that will determine if security requirements are satisfied;
(e) Reviewed by all organizations involved in the use and operation of the information system or application; and
(f) Included as part of the management control†† process for SSI information systems and applications.
(19) Ensure that system design reviews are:
(a) Conducted to ensure that the proposed design meets the security specifications and the review findings are approved prior to detailed design and programming;
(b) Initiated prior to placing an information system or application into operation to ensure that the proposed system complies with approved security specifications;
(c) Included as part of the management control process for SSI information systems and applications; and
(d) Documented and records of the results maintained.
(20) Ensure testing of security features is:
(a) Conducted by a third party who acts independently of the development organization, in addition to development testing;
(b) Performed periodically to assure that security features work as claimed in the systemís documentation;
(c) Conducted to ensure that there are no obvious ways for an unauthorized user to bypass or defeat security features of the information system or network;
(d) Conducted to ensure that the proposed information system or application meets the approved security specifications prior to placing the information system or application into operation;
(e) Performed after installation of an information system or product;
(f) Included as part of the management control process for SSI system and information; and
(g) Documented and the results maintained.†
(21) Ensure that all system software development, experimentation, testing and debugging is performed in an information system dedicated for these purposes and does not contain or use ďliveĒ data; and
(22) Ensure that tests are performed to evaluate the security related code;††† ††† †††††††††
(23) Grant users access to sensitive but unclassified data on a need-to-know basis and cancel access when no longer needed;
(24) Assign and periodically review user access permissions so that capabilities such as authorizing, recording, issuing, and receiving are assigned to different individuals to minimize the possibility of fraud, waste and abuse;
(25) Periodically review usersí access profiles for required changes;
(26) Annually certify that profiles and accesses for each employee have been reviewed and are appropriate; and††
(27) Ensure audit trails and reports are reviewed regularly for irregular activity.
c††††††††† The agency Information System Security Program Manager/Designate will:
(1) Ensure that security orientations are given to users prior to their use of an information system;
(2) Ensure users acknowledge, in writing, that they understand the information system security rules;
(3) Notify userís management, Cyber Security and the System Administrator of any unusual user activity or security violations;
(4) Annually conduct a complete review of usersí access privileges to verify continuing access requirements;
(5) Maintain a copy of the user access request form for each user accessing the information system;
(6) Ensure all information system users and USDA contractors have prior approval and the appropriate level of background investigation at least initiated before granting them access to information systems;
(7) Ensure that management verifies information system userís employment with Personnel/Human Resources prior to granting access to computer systems and data;
(8) Ensure all personnel who install, operate, maintain, or use an information system have authorized access and are familiar with documented security practices before granting them access;
(9) Coordinate and implement a security training and awareness program;
(10) Selectively audit actions of one or more users based on an individualís identity;
(11) Inspect and monitor user files only with the Designated Accrediting Authority (DAA) approval;
(12) Periodically monitor a systemís use by reviewing audit trails;
(13) Develop and coordinate audit procedures with other internal control procedures required under OMB Circular No. A-123, Management Accountability and Control;
(14) Review the use of audit trails and audit reports;
(15) Use audit trail capabilities to ensure system integrity and examine a systemís audit log regularly and report abnormalities to the Agency IT Manager;
(16) Perform technical reviews of security certification documentation (e.g., Security Plans, Risk Assessments,† Disaster Recovery Plans) to ensure they are sufficient and complete;
(17) Conduct annual security compliance reviews as well as random security checks for each information system under their authority to ensure security procedures and requirements are in compliance with agency directives;
(18) Review system and related software security vulnerabilities and ensure that appropriate countermeasures and patches are applied;
(19) Evaluate the effectiveness and impact of security measures and features and report any existing or potential problem areas to the appropriate DAA;
(20) Distribute necessary directives that implement Departmental information system security policies to be used at remote facilities and terminal areas, and monitor their implementation;
(21) Prepare and submit a written report to the appropriate DAA of all technical security exceptions, outline the risks and vulnerabilities that could result from granting exceptions and identify other alternatives;
(22) Coordinate or participate (as required by the Agency IT Manager) in the preparation of disaster recovery and† business resumption plans for each essential or critical information system; and
(23) Periodically reviews the approved Configuration Management (CM) documentation that details the information systems hardware and software in the Program Library for all agency information systems to ensure that systems and applications are accredited and documentation is complete.†††††††††
d†††††††† Agency System Security Administrators/Designates (responsible for† administration of security software) will:
(1) Assign the initial user identifications and passwords with organization security coordinator;
(2) Add, delete, or modify user access in coordination with user organization security coordinators and agency IT Management;
(3) Maintain a master list of system users;
(4) Verify and maintain a current hardware, application, and software inventory for systems under their authority;
(5) Ensure access to software systems is strictly controlled;
(6) Review system and related security vulnerabilities; the SSA will review the Security (command violations) Report for all AIS on a daily basis; all suspicious activity will be flagged, researched and referred to the IT Manager and agency ISSSPM for review;
(7) Evaluate the effectiveness and impact of system or application security measures and report any existing or potential problem areas to the appropriate DAA through the agency ISSPM;
(8) Ensure that the ISSPM is informed of any major changes to systems hardware or software;
(9) Initiate proactive or corrective countermeasures if a security problem develops in accordance with DM3500-1, USDA Computer Incident Response Procedures Manual;
(10) Promote security awareness with system and application users;
(11) Coordinate customer engineer access for design applications and system changes;
(12) Generate audit trails and distribute to the appropriate agency IT Managers and user organization security coordinator;
(13) Ensure that all personnel who install, operate, maintain, or†† use an information system have authorized access and are† familiar with documented security practices before granting† system access; and
(14) Ensure that systemís software packages are properly stored and protected.