Privileges and Entitlements
(OS/390 specific but can be used across all platforms)


Control Point Ref #: priveaab
A formal process in place for requesting the establishment of an
ID and additional access capabilities

Audit Steps
1) Ensure that a process is in place that requires the
following items be included within an access request form
prior to establishing an ID or changing the access levels
assigned to an existing ID:

o signed by the requestor and the requestor's manager

o identify the specific resources, access levels,
facilities, and attributes required if a template of
user access requirements by job function is not

o identify the templates by job function that should be

o requests that are made to resources not within the
requestor's defined area of responsibility are approved
by the owners of the resource

2) Ensure that this process is being adhered to by selecting a
sample of user IDs and ensuring that a request form is
present and the above information is included in the
request form.

F1 - Info Screen Ref #: priveaab
A formalized process needs to be in place for requesting an ID
and the resources that it requires. A request form should be in
place which is authorized by the requestor's manager.

To reduce the amount of paperwork, most installations establish
profiles by job function of the resources and privileges that are
required, so that the request form is only used to specify the ID
profile that should be established.

Requesting access to resources involves many decisions, including
whether the person is authorized to access the resources for
their job function. As we discussed in another control point,
owners should be identified for each resource type who are
responsible for the integrity of the resources. The owner is the
appropriate person to decide whether an individual's access to a
resource that they own is appropriate, but in some installations
the requestor's manager is considered the appropriate person to
make that decision. Regardless of whether the owner of the
resource or the requestor's manager makes the decision, the
security administrator should never be the one to make it, since
they would not be familiar enough with the operating environment
to make the decision.

Audit Step Info
The request form should be detailed enough to identify all of the
resources and Security System privileges that a person should be
granted. This can be done by specifying all resource types on
the form (datasets, volume, commands, facilities, transactions,
attributes) or leaving a blank area for the authorizer to fill
in. However, it is better to use a form which details the
resources since the authorizer might not be familiar with the
syntax of the resources that the user requires access to.

Control Point Ref #: priveaac
Users' access is reassessed when their job function changes and
deleted immediately upon their employment termination

Audit Steps
1) Determine if terminated employees still have accounts on the

1.1) Determine the process that is used to prevent terminated
employees from gaining access to the system (e.g., delete
account, disable account).

1.2) Ensure that terminated employees' IDs were deleted or
suspended in a timely manner.

2) Determine the employees that have changed job functions and
review an access listing to ensure that it is commensurate
with their job function.

F1 - Info Screen Ref #: priveaac
A process should be in place for departments or Human Resources
to notify the security administrator when an individual changes
job functions or terminates their employment in order for their
access levels to be changed according to the requirements of the
new job function or removed from the system when an employee
terminates their employment.

Audit Step Info
Unless an employee was recently terminated or changed job
functions, it would be difficult to systematically identify
whether their access was terminated in a timely manner.

The overall exposure of a terminated employee whose ID was not
suspended in a timely manner is dependent on their ability to
physically access the center where terminals are located or the
availability of dial-up access.
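The leaver and mover checks in the audit steps above (and the sampling of IDs against job-function templates from control point priveaab) can be run mechanically by reconciling an HR feed against a security-system ID listing. The following is an added example, not part of the Audit Serve program; the HR records, ID listing, resource names and the two-day revocation allowance are all constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the audit program): an HR feed and a
# security-system ID listing, both keyed by employee number.
HR_FEED = [
    {"emp": "E100", "status": "ACTIVE", "job": "APPL_PROG", "term_date": None},
    {"emp": "E101", "status": "TERMINATED", "job": "OPERATOR", "term_date": date(2024, 3, 1)},
    {"emp": "E102", "status": "TERMINATED", "job": "APPL_PROG", "term_date": date(2024, 3, 1)},
    {"emp": "E103", "status": "ACTIVE", "job": "OPERATOR", "term_date": None},
]
ID_LISTING = [
    {"userid": "U100", "emp": "E100", "revoked": None, "resources": {"DEV.PGM.READ", "DEV.PGM.UPDATE"}},
    {"userid": "U101", "emp": "E101", "revoked": None, "resources": {"CONSOLE.CMD"}},
    {"userid": "U102", "emp": "E102", "revoked": date(2024, 3, 20), "resources": {"DEV.PGM.READ"}},
    {"userid": "U103", "emp": "E103", "revoked": None, "resources": {"CONSOLE.CMD", "PROD.DATA.UPDATE"}},
    {"userid": "U999", "emp": "E999", "revoked": None, "resources": {"CONSOLE.CMD"}},
]
# Access profiles by job function (the "templates" the control points refer to).
TEMPLATES = {
    "APPL_PROG": {"DEV.PGM.READ", "DEV.PGM.UPDATE"},
    "OPERATOR": {"CONSOLE.CMD"},
}


def review_access(hr_feed, id_listing, templates, max_days=2):
    """Return audit exceptions as (userid, reason): leavers whose IDs are still
    active or were revoked late, IDs with no HR owner, and active users holding
    resources outside their job-function template (movers or over-provisioning)."""
    hr = {rec["emp"]: rec for rec in hr_feed}
    exceptions = []
    for uid in id_listing:
        emp = hr.get(uid["emp"])
        if emp is None:
            exceptions.append((uid["userid"], "no HR record for ID owner"))
            continue
        if emp["status"] == "TERMINATED":
            if uid["revoked"] is None:
                exceptions.append((uid["userid"], "terminated, ID still active"))
            elif (uid["revoked"] - emp["term_date"]).days > max_days:
                late = (uid["revoked"] - emp["term_date"]).days
                exceptions.append((uid["userid"], f"revoked {late} days after termination"))
            continue
        extra = uid["resources"] - templates.get(emp["job"], set())
        if extra:
            exceptions.append((uid["userid"], "access outside job template: " + ", ".join(sorted(extra))))
    return exceptions
```

The exception list is the auditor's sample selection: each entry points to a request form or termination notice that should exist and be examined.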

Control Point Ref #: priveaaf
Management performs an annual evaluation of access assignments to
ensure they are still appropriate

Audit Steps
Ensure that management performs an evaluation of the following
assignments to ensure that they are still appropriate:

o owners of resources

o resources that they have access to (e.g., datasets,
volumes, CICS transactions, and programs)

o sensitive privileges

F1 - Info Screen Ref #: priveaaf
Although a user's access to specific resources goes through an
approval process when it is initially established, changes within
an environment might require changes in the user's access levels.
Therefore, a periodic evaluation of the overall access assignments
must be performed in order to ensure that they are still
applicable.

It is important to understand that the security administrators
are not the ones who authenticate the legitimacy of a user's
access. A process may be in place for the security administrator
to match the individual's job function to a matrix of typical
access requirements that the job function requires. However, if
the individual's job function changes, and the security
administrator is not made aware of this, their ability to
detect inappropriate assignment of entitlements would be
Audit Step Info
The frequency of the management review is recommended as an
annual process but is clearly a decision that should be made
within each company. The decision should be made based on the
following factors:

o number of users
o frequency of turnover
o frequency of changes in job functions
o number of products (system software & application software)
that are implemented over a given period of time
o risk of the system

Control Point Ref #: priveaag
An owner is assigned for all resource types to ensure that all
actions that occur to a resource are reviewed by the appropriate

Audit Steps
1) Ensure that a list is in place which identifies the owners
of the following types of resources:

o Development programs

o Production programs

o Production data sets

o System datasets

o CICS transactions for each application

2) Determine if the owners that have been assigned should be
the ones responsible for the resource.

F1 - Info Screen Ref #: priveaag
Resources that are controlled by the security system are utilized
by various departments within your installation. These
departments have primary responsibility for the integrity of
these resources; therefore they should be the ones to identify
the individuals that should have access to them, and the ones
notified in the event that access is granted to individuals that
normally are not allowed access to the resource.

It is important to ensure that the owner of the resource is the
proper owner. For example, application programmers should not be
the owners of production data sets.
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved. All Audit
Programs are copyrighted and may not be posted electronically or
redistributed unless written permission is granted by Audit Serve, Inc.
The Audit Programs may be used for internal use within organizations.
Audit Programs may not be resold.
