Vanguard Security 2010 Track Information
Enhancing Security Using Federal Standards
This track offers an in-depth education on the NIST security control standards and their relevance to mainframe environments, as well as a comprehensive review of the mainframe configuration controls published by the Defense Information Systems Agency (DISA). In addition, this track correlates the requirements of FISMA and HIPAA to the NIST standards and DISA configuration controls.
- FISMA Compliance and NIST Standards: What it means for mainframe environments
- DISA-STIGs: What They Are and Why You Should Care About Them
- DISA STIG configuration controls for Mainframes
- Addressing security vulnerabilities [z/OS Operating System]
- Addressing security vulnerabilities [JES2]
- Addressing security vulnerabilities [RACF]
- Addressing security vulnerabilities [ZUSS]
- Addressing security vulnerabilities [ACP]
- Addressing security vulnerabilities [SDSF]
- HIPAA, HITECH and z/OS: Are you ready?
- Next Generation Risk Management and Information Security
- Risk and Vulnerability Management (formerly known as Accreditation & Certification): NIST 800-37 and z/OS
- Using Vanguard Configuration Manager to pass DISA STIG Assessments
FISMA Compliance and NIST Standards: What it means for mainframe environments
Steven Ringelberg
Although NIST publishes general security control guidance (via SP 800-53), it is not always apparent that mainframe systems are being managed to the required set of security controls, nor is it clear that FISMA reporting adequately covers the mainframe environment. This session is designed to connect the dots between FISMA and the mainframe. How do OMB directives apply? Which NIST standards come into play? Which configuration controls come into play? How do you report on FISMA compliance?
DISA-STIGs: What They Are and Why You Should Care About Them
Steven Ringelberg
Do you know what a DISA STIG is?
Do you know why they are important, why you should use them, and how they can impact you as a security professional?
This session will introduce you to the DoD DISA (Defense Information Systems Agency) Security Technical Implementation Guides (STIGs).
We will cover the history of STIGs, discuss why the government is using them, and explain why they are also important for non-government entities.
The speakers will talk about the impact of the DISA STIGs on the security of your z/OS system.
This session is intended to serve as an introduction to the rest of the DISA Track sessions.
DISA STIG configuration controls for Mainframes
Brian Marshall
In today's high-threat climate, the DoD DISA STIG controls for the mainframe are important to your security.
We will explain the different STIG categories, delve into the meaning of the test results, and show you the impact they have on your mainframe system.
Addressing security vulnerabilities for a z/OS Operating System
Dick Morales
There is a real need for more secure controls to address vulnerabilities for z/OS.
We will teach you to quickly identify thousands of potential security exposures that exist on your z/OS system (based on the DISA STIG guidelines).
We will cover the security vulnerabilities as they relate to your APF-authorized libraries, the Program Properties Table, Link Pack Area libraries, the Linklist, SMF settings, and RACF database placement. See how improper setup, use or authority to these libraries and datasets creates a significant security exposure.
You will learn to evaluate Category 1 and 2 security vulnerabilities, learn why the DISA z/OS controls exist, and review the recommended remediation controls you need to implement in order to comply with the DoD standards.
Addressing security vulnerabilities for JES2
Jeff Pyka
This session will highlight the 15 potential Category 1 and Category 2 DoD DISA STIG security exposures related to JES2 that may exist on your system.
JES2 is a subsystem that could be used to gain access to your system via Remote Workstations and Nodes.
We will discuss the DoD DISA STIGs that protect the NJE and RJE nodes, the internal readers, the JES input sources, the JES writer resources, the JES output devices, the JES spool, system commands and surrogate users.
Improper protection of these resources is a security vulnerability. You will review the controls that exist to identify the vulnerabilities and the remediation controls that help you comply with the DoD standard.
Addressing security vulnerabilities for RACF
Pierre Olivier
This session focuses on DISA STIG security vulnerabilities related to RACF that exist on your system.
You will learn how the DISA STIGs evaluate these RACF security vulnerabilities and exposures.
RACF is the preeminent and predominant security server for z/OS. It can be vulnerable if it is not set up properly with the correct global settings. This session will cover the SETROPTS settings and how they help protect the overall integrity of your system.
There are 45 Category 1 and 2 vulnerabilities. Come to this session to find clarity on what they are and learn how you can make your mainframe more secure.
Addressing security vulnerabilities for ZUSS
Brian Marshall
Join us for this session as we help you identify the numerous potential security risks that may exist on your system related to the z/OS UNIX System Services (ZUSS).
We will explain the DISA STIG standards covering ZUSS, concentrating on the 26 Category 1 and Category 2 vulnerabilities.
Learn why UNIX System Services provides an avenue for users to gain entry into your system and access datasets and resources that may otherwise not be available.
We will discuss the proper specification of UNIX parameter keywords and values and BPX resources in order to better secure your system.
Learn why the DISA ZUSS STIGs were established, how they help you protect your system's security, and the recommended remediation controls that help you comply with the DoD standard.
Addressing security vulnerabilities for ACP
Brian Marshall
This session will concentrate on the 31 Category 1 and Category 2 DISA STIG security exposures that exist on your mainframe related to the ACP (Access Control Panel).
We will discuss how to evaluate the security vulnerabilities and exposure risks. You will learn why the ACP STIGs concentrate on the access to sensitive datasets such as PPT modules, LINKLST, security server databases and backups, system related catalogs and other critical libraries.
We will show you how to change the controls to comply with the DISA STIGs.
Addressing security vulnerabilities for SDSF
Pierre Olivier
We will demonstrate how the approximately 30 Category 1 and Category 2 DISA STIG guidelines covering SDSF (System Display and Search Facility) evaluate the weaknesses and exposures on the mainframe system.
Securing SDSF is vital, since it protects system and user related data, such as the SYSLOG and the datasets on SPOOL which may contain sensitive data.
Certain ISFPARM definitions define global options and security for SDSF. Failure to properly specify these (AUTH, CMDAUTH, CMDLEV and DSPAUTH) could potentially compromise the integrity and availability of the z/OS operating system and data.
HIPAA, HITECH and z/OS: Are you ready?
Steven Ringelberg
The HITECH amendments to HIPAA expanded the scope of HIPAA. Who must comply with its requirements? What do the increased penalties mean for you? What will be the impact of increased enforcement powers granted to HHS on you? What is the most effective way to ensure that Personal Health Information subject to HIPAA is secured in accordance with the regulations published by HHS?
Next Generation Risk Management and Information Security
Dr. Ron Ross (NIST)
Based upon the content of NIST Special Publication 800-53, Revision 3, "Recommended Security Controls for Federal Information Systems and Organizations," this session explains the background of the Federal Government Risk Management and Information Security Transformation. In addition, you will learn about the major changes to NIST Special Publication 800-53 in the latest version, Revision 3. Finally, the session closes with a discussion of the Strategic Vision for Enterprise-wide Risk Management and its relationship to NIST SP 800-53, Rev. 3.
Risk and Vulnerability Management (formerly known as Accreditation & Certification): NIST 800-37 and z/OS
Dr. Ron Ross (NIST)
The National Institute of Standards and Technology characterizes its new guidance, released in February 2010, as transformational. Based upon the content of NIST Special Publication 800-37, Revision 1, "Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach," this session addresses the move toward real-time monitoring of information systems. The session also explores the three-year collaboration with information security experts from the military, intelligence agencies and the private sector to create the guidance found in SP 800-37, Rev. 1. Finally, it reviews how the six-step risk management framework, aimed at building security into new technology, can be employed to minimize risk in legacy systems.
Using Vanguard Configuration Manager to pass DISA STIG Assessments
Brian Marshall
If time and money are of the essence to you, you will want to attend this session.
We will introduce and demonstrate how you can become more productive, reduce your auditing costs, enhance your mainframe security, and deliver accurate and consistent DISA STIG compliance reports.