Hi, Some topics that we had to address when performing mainframe security assessments:
What do you need the assessment for? If you need it for some certification / legal purpose, then there are cheap, not too technically advanced solutions out there. If you are actually looking into detecting and addressing security issues, then it gets complicated :)

The possible range of services on this topic is huge. You should decide what you want to have, what kind of security assessment you are looking for. For example, you have the "classic" mainframe security audits, more like security reviews, where some programs are used to list and catalog the authorizations, profiles, etc., personnel are interviewed, access needs are determined, etc. You can alternatively look for a combination of the above and a penetration test, actively searching for and exploiting security issues found in your environment. Or you can have a PT targeting the mainframe environment, where you can choose the "white box" (i.e. fully disclosed, insider view) or the "black box" (i.e. simulation of a real opportunistic attack) perspective, each with its own pluses and minuses.

Once you have decided what type of assessment you are looking for, you should define the scope of the project: are you looking into an o/s-only assessment (i.e. basic z/OS or z/VM components, maybe RACF, USS, and some "standard" subsystems), or maybe an application-oriented audit, where you select one or more applications that might be mainframe-only or might include other components to audit, going from the o/s to the application layer (say you use the mf for banking, ATMs, credit card operations; you would select the subsystems and applications for the business-critical operations in this respect). You could limit the assessment to one or more instances/LPARs, subsystems, ... and include or not other components such as SE/HMC in the scope.
Most often, even a narrowed-down scope gets to be too large for a complete security assessment, and a "limited" version is performed, either by limiting the total man/days to a fixed amount calculated based on a budget, or by sampling, reviewing the results, then shifting the focus to the areas found to be suffering from security issues.

There will be plenty of companies claiming to do mainframe security assessments, coming from the penetration testing field, with little if any mainframe experience, who would fire some tools, maybe crash some things, and give you an absurd, pointless report. Maybe it will be cheap, but useless. Before selecting a provider, make sure you talk to them, interview the auditors and make sure they are familiar with mainframes, maybe examine their research environment to see if they have a proper, recent mf environment to do testing, and check for specific references in the mainframe field, not just generic penetration testing.

As for the costs, expect to pay in the range of 1500 - 2000 Euro for a man/day in the EU. We've never had a project to perform a complete security assessment of a mainframe environment; maybe others had this and can share approximate sizing. Usually we've seen application-oriented ones, o/s layer and basic subsystems, or by sampling. The size of such projects grossly goes from 40 to 100 man/days, depending on the actual scoping. This is very imprecise, but I guess you wanted to see some numbers as well.

Regards,
Costin

--------------------------------------------
On Mon, 15/8/16, x ksi <[email protected]> wrote:

Subject: Mainframe's security assessments costs
To: [email protected]
Date: Monday, 15 August, 2016, 1:51

Hey group. I was wondering if some of you could share some information about the costs various companies charged you for performing security assessments of your mainframes? At this point literally any information will be valuable (e.g. hourly rate, particular engagement cost, order of magnitude for this type of engagement, etc.). From what I can tell there are companies providing such services, but their prices seem to be one big mystery. Having even a rough estimate would allow us to better choose between various providers. Thank you in advance.

Kind regards,
Filip

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
----------------------------------------------------------------------
