I can understand IBM's desire to not ruin their own business line. It would
be nice if my clients hired IBM as their outside auditors, but...

I did do a quick search on www.ibm.com for education and audit and found
this class:
http://www-304.ibm.com/jct03001c/services/learning/ites.wss/gb/en?pageType=course_description&includeNotScheduled=y&courseCode=R2MTEAGB

"This course has been designed and built for Auditors who come into contact
(at any level) with IBM mainframe systems in their daily work. The course
encompasses an overview of the z/OS mainframe computing environment, before
focusing on the security implications of the environment, as relevant to
auditors. Each stage of the course builds upon the previous one, enabling
attendees to consolidate what has been learned and see how it will apply to
their daily work. RSM will customise the course to reflect the particular
business and technical needs of clients and the current skill levels of the
intended attendees."

This is the level of introduction to auditing mainframes that I was thinking
of. Now IBM should do a companion class of the same overview level for z/VM,
with VSE, Linux and z/OS guests.

IBM should also offer this class in North America.

/Tom Kern


On Fri, 25 Sep 2009 13:32:32 -0400, Alan Altmark <[email protected]> wrote:
>If those organizations wish to teach its members how to audit z/VM
>systems, I would think the course/agenda managers would come to IBM or the
>consultant community and specifically ask for educators/presenters.  Or
>the auditors would take it upon themselves to ask "Where can I get
>educated on z/VM?"
>
>As to IBM classes on auditing, it's safe to say that there are none that
>teach z/VM auditing.  It is highly unlikely that any are given for other
>platforms because IBM does have "best practices" security standards for
>z/VM and other operating systems (aka GSD 331) that may be able to be
>provided as part of an IBM services contract.  The z/VM part of GSD 331
>has been built based on decades of IBM's own experiences, whether running
>systems for itself or its clients.  Acquisition of these standards
>requires a confidentiality agreement.
>
>Over time, I expect the z/VM parts of GSD 331 to focus more heavily on
>business processes and implementation issues, rather than the policy-level
>requirements.  Example:  z/VM documentation says "Do not define users with
>a password of NOPASS."  GSD 331 would tell you how to configure CP and/or
>your fave directory manager/ESM to prevent it or detect it.
>
>The challenge is to provide enough information so that people can
>understand the security risks in the system without undermining or
>destroying the "z/VM security consultant" business in the process.  The
>Secure Configuration Guide was the first z/VM publication to go through
>the "GSD 331 barrier."
>
>Alan Altmark
>z/VM Development
>IBM Endicott
