Mission-critical applications and data for most large organizations still reside on IBM
mainframes. Yet cybersecurity of the mainframe has largely
been ignored in recent years because of a common misperception that
the mainframe environment is stable and static. In reality, many
organizations never fully completed their cybersecurity implementations, while others have not properly
maintained or updated controls to take advantage of recent enhancements. RSH Consulting's
professional services can be invaluable in addressing these vital concerns.
We excel in
implementing and enhancing RACF. This has always been our core
service and is the area of greatest strength and depth in the
background and experience of our consulting staff. Follow the links below to
learn more about how RSH can help you:
Security Reviews & Audits | Beat the auditors and regulators to the punch -- find and fix the problem before they show up!
Mentor & Advisor | Unsure where to begin or how to tackle certain tasks -- let us guide you.
Policies & Management | Give RACF a solid foundation and framework -- we can help you develop the necessary policies, standards, and naming conventions.
Architecture & Automation | Is your RACF cumbersome to administer -- let us help you streamline your architecture and automate administrative chores.
Synchronize & Merge | Trying to consolidate and harmonize RACF databases -- we have the tools and talent to help you get the job done.
Post-Conversion Assistance | New to RACF and finding it daunting -- we can help with the transition.
Enhancement & Assistance | Don't have the time or expertise -- we can provide both.
Security Reviews & Audits
An essential starting point in any effort to enhance
RACF is a thorough examination of your current implementation. Our
reviews encompass every aspect of RACF controls -- user
identification and authentication, dataset protection, monitoring,
general resource protection, and security administration.
Evaluating RACF options and profiles
is only a part of what RSH delivers. We
look beyond RACF to examine security policies, administrative practices
and procedures, and the security-related interfaces and
configuration parameters in other system software because they
substantially influence the effectiveness of RACF and your overall
mainframe security. We
are often able to identify and help resolve organizational and procedural roadblocks to the
implementation of sound controls.
For organizations subject to the
provisions of the Sarbanes-Oxley Act,
we focus on controls specific to your financial application along
with the overall RACF controls. Of particular
interest to us are the protections afforded databases, transactions,
and resources related to these systems.
Our review efforts are aided by an extensive set of
in-house developed software tools. However, we firmly
believe software alone cannot substitute for thoughtful analysis. A
hallmark of our reviews is the intense effort we devote to
thoroughly understanding the unique nature and complexities of each client's system environment
and implementation of RACF. This enables us to uncover subtle vulnerabilities that have left them
unknowingly exposed.
Our reports are unmatched for their
breadth and depth of information. We use them as a tool for
knowledge transfer. Every report offers both practical
recommendations and implementation advice. We also make it a point
to praise good control practices as well as identify concerns.
Mentor & Advisor
Are you faced with the task of trying to:
- Lock down Started Tasks
- Implement PROTECTALL
- Curtail OPERATIONS authority
- Merge RACF databases
- Protect z/OS Unix (a.k.a. Unix System Services)
- Guard CICS commands
- Improve RACF performance
- Refine storage administration authorities
- Develop RACF exits
- Control JES and SDSF
- Activate the latest RACF features
- Meet the requirements of HIPAA, SOX, and PCI
- ... etc.
We can provide
just the right amount of timely, helpful advice, suggestions, and
guidance needed to kick-start your efforts, maintain your momentum,
and keep you on track. A few minutes with our knowledgeable staff
can save you hours of research and frustration. Plus, we can alert
you to potential problems and any pitfalls to avoid before you
stumble on them.
Policies & Management
Ensuring everyone
understands the ground rules can make a huge difference in whether
RACF is properly implemented and maintained. It is not uncommon for
us to trace the source of technical control problems back to policy
deficiencies. We will work with your security, technical support,
and audit staffs to craft policies and standards that will encompass
your entire mainframe software environment and address everyone's
needs and views. Our extensive document templates and prior
experience can make short work of this effort.
We can also help
you establish or improve your overall security management program.
Our services include developing general security policies,
establishing data ownership, designing naming conventions, and
helping to justify additional security staff and resources.
Architecture & Automation
Ill-conceived or haphazardly
maintained group architectures and naming conventions can be a
nightmare to administer. We can unscramble the current structure and
devise a new one that eases your burden. We are especially adept at
redesigning and refining large-scale implementations of RACF using
role-based access control concepts.
This effort ordinarily involves
determining resource ownership, defining a group hierarchy
compatible with your organizational structure, establishing or
revising profile naming conventions, migrating existing users into
the new architecture, and adjusting group administrator authority.
To support new or existing
architectures, we can create automated tools to assist you with RACF
administration and help to maintain quality assurance. This often
includes building software interfaces with your Human Resources
system to automatically manage user creation, termination, transfer,
and authority. This service is particularly valuable if you are
planning to implement user provisioning software as it prepares your
RACF for an easier installation.
We can also develop RACF reports
unique to your organization to assist with common administrative
tasks and control monitoring. Our favorite software tool is REXX,
which facilitates rapid development and is simple to maintain.
Synchronize & Merge
Regardless of
whether you are planning to consolidate RACF databases or implement
RACF Remote Sharing Facility (RRSF), the effort to synchronize and
harmonize independent RACF databases and implementations can be
a complex process. It requires identifying and resolving differences
and mismatches in RACF tables, SETROPTS options, group structures,
profiles, segments, and permissions. It may necessitate changes to
such items as Started Task USERID assignments, Unix System Services
permissions, and configuration parameters within JES and other
system software.
RSH has both the experience and
software to
help you complete this effort successfully and with a minimum of
difficulties. We can assist you every step of the way -- from
initial planning and analysis to implementation of changes and final
activation. We have software tools designed to pinpoint critical
profile differences, and we can offer you effective recommendations
for addressing them.
The experience
we have gained in past projects allows us to recognize potential
roadblocks in advance and determine which situations may turn out
to be more complex than anticipated. This enables us to help you set
realistic milestones and to reach those milestones on time and
within budget.
Post-Conversion Assistance
If you are about
to convert to RACF from another security product, you will soon be
entering a period of frustration as you struggle to meet normal work
demands while trying to learn and adjust to RACF. Rather than
spending hours and hours researching and troubleshooting issues, let
us help you. With just a quick phone call or email, our RACF experts
can give you an instant answer to a question, time-saving advice,
and one-on-one training on anything from command syntax to safely
making major changes that could impact system operations. It usually
only requires a few hours a week, and many issues can be resolved in
minutes. We will help you make best use of your time while you get
up to speed on RACF.
Once you are past the initial adjustment period, you are likely to
notice your new implementation of RACF is far from ideal. The
typical conversion builds a RACF that simply mimics the behavior of
the prior product and rarely takes full advantage of RACF's security
capabilities and performance enhancing features. Let RSH assist you
with refining your new implementation to bring it into proper
alignment with RACF best practices. We can even expand the
implementation to cover resources that may not have been fully
protected under your prior product.
Enhancement & Assistance
We can help you with almost any RACF
implementation task imaginable and our role and services can be very
flexible to meet your specific needs. Moving beyond mentoring and
advising, our staff can assume responsibility for specific projects
to implement new controls or refine existing ones. We can perform
the work entirely on our own or as members of a team combined with individuals from your
staff. Whatever the role, one of our primary objectives is knowledge
transfer. We want you to have a clear understanding of what we did
and why so that you can maintain the controls thereafter.
Protecting z/OS Unix involves a
complex blend of FACILITY BPX-prefixed profiles, UNIXPRIV profiles,
PROGRAM profiles, SURROGAT profiles, OMVS UIDs and GIDs, SETROPTS
logging options, PARMLIB BPXPRMnn parameters, /etc configuration
file parameters, as well as permission bits, extended Access Control Lists
(ACLs), and audit bits for Unix files and directories. Few
organizations fully comprehend how these controls function or how
best to implement them. As the leading specialists in
protecting z/OS Unix, we can help you properly configure Unix and
RACF to provide the level of protection your organization requires.