On Friday, 09/25/2009 at 07:13 EDT, Thomas Kern <[email protected]> wrote:
> Now can IBM present this type of materials to the organizations that
> train, manage and certify system auditors? Does IBM have any audit
> training classes, not just for z/VM but for any/all computer systems?

If those organizations wish to teach its members how to audit z/VM systems, I would think the course/agenda managers would come to IBM or the consultant community and specifically ask for educators/presenters. Or the auditors would take it upon themselves to ask "Where can I get educated on z/VM?"

As to IBM classes on auditing, it's safe to say that there are none that teach z/VM auditing. It is highly unlikely that any are given for other platforms because IBM does have "best practices" security standards for z/VM and other operating systems (aka GSD 331) that may be able to be provided as part of an IBM services contract. The z/VM part of GSD 331 has been built based on decades of IBM's own experiences, whether running systems for itself or its clients. Acquisition of these standards requires a confidentiality agreement.

Over time, I expect the z/VM parts of GSD 331 to focus more heavily on business processes and implementation issues, rather than the policy-level requirements. Example: z/VM documentation says "Do not define users with a password of NOPASS." GSD 331 would tell you how to configure CP and/or your fave directory manager/ESM to prevent it or detect it.

The challenge is to provide enough information so that people can understand the security risks in the system without undermining or destroying the "z/VM security consultant" business in the process.

The Secure Configuration Guide was the first z/VM publication to go through the "GSD 331 barrier."

Alan Altmark
z/VM Development
IBM Endicott
