Windows and Unix computers don’t have a single security mechanism that every software package can invoke and that one person can administer. So on these platforms it’s harder to hold a single data security officer accountable for all security settings.
When evaluating the security of any computer platform, don’t just consider controls over who can use the system and who can access data. Ask for a list of what types of resources can be protected, which ones are protected, and how many different tools are used to provide the protection.
Identify what resource types, beyond data sets, you need to protect on the computer, and then evaluate how well each platform matches your requirements.
3. How auditable is it?
The z/OS system software has three major sources of audit records: System Management Facility (SMF) data, the system log (SYSLOG), and the MVS logger. A typical mainframe will record literally millions of audit records daily to these automated data sources. Security staff and auditors can specify exactly which events are to be logged to these sources, and how the resulting audit trail is reported and evaluated. Typical events to be logged include: access to data sets, access to the system, violations (access attempts rejected by the security software), changes to security rules, and any changes to system options. This data is used to report security incidents, to hold people accountable for what they do on the system, to demonstrate that controls are working, for problem management, for chargeback, and for other purposes.
Audit information can be used for cost reduction and security improvement. What do you think it costs your company when you forget your password and have someone reset it? Various sources have estimated the cost to reset a single password at between $50 and $85. Many organizations use audit data to track the number of times this happens. Tracking trends in such events as password resets can help security administration identify where to direct improvement efforts, both to improve security and to cut costs.
Using audit information for chargeback to individual departments helps prevent unauthorized usage. (You will find a fascinating, true description of a major computer crime that was first detected because of a 75 cent discrepancy in the computer chargeback system in The New York Times bestselling book, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll.)
Windows computers support several types of audit log (security, system, application, and so on). Unix computers also support a variety of audit logs. Mainframe computers have significantly greater speed and capacity in terms of processing power, input/output, and storage than Unix and Windows computers. Because of this, mainframes generate and store more log records than the other platforms. This may not be a useful comparison, since a mainframe also supports more users and more work. We know of no practical study comparing the exact logging capabilities of these platforms. However, when deciding which platform to use, you should determine what purposes you want to address with log data (such as security monitoring, cost reduction, problem management, capacity planning, and so on as previously described). Then ask for a comparison of the platforms in terms of how well they will help you meet those purposes. Ask for specific examples of specific logging reports that illustrate the comparison.
Ask your staff what they’re doing to identify trends, outliers, spikes, and patterns in audit data. This is much more likely to pay off than just “reviewing the items in the violations report.” Peter Drucker, the management guru, said you can’t manage something if you can’t measure it. This applies to both the efficiency and quality of your information security.
Ask your staff whether the number of password resets is increasing or decreasing, and how much it costs you. Or ask them what groups of users have the most violations each month. When evaluating different types of computer, ask for a comparison based on the audit data available, the reports produced from it, and specific actions that can be taken based on analysis of the audit data.
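The questions above (is the reset count rising, what does it cost, which groups and users generate the most violations) are the kind of trend and outlier analysis the text recommends over simply reading a violations report. The following is an added example, not code from the text or from any vendor's audit tooling: it runs that analysis over a small, constructed audit trail in a simplified comma-separated layout (not real SMF, SYSLOG or Windows Security log records), and the $65 per reset is an assumed figure taken as the midpoint of the $50 to $85 range cited above. The event names, user and group names, and resource names are all invented for the sample.

```python
"""Trend and outlier analysis over security audit records (added example, not
code from the text). The audit lines are constructed sample data in a simplified
CSV layout, not real SMF, SYSLOG or Windows Security log output:
    <date>,<event_type>,<user>,<group>,<resource>
"""
from collections import Counter
from datetime import date
from statistics import mean

# Constructed three-month audit trail (not taken from any real system).
SAMPLE_AUDIT = """\
2024-01-03,LOGON,alice,FINANCE,-
2024-01-05,PASSWORD_RESET,alice,FINANCE,-
2024-01-12,PASSWORD_RESET,carol,HR,-
2024-02-02,PASSWORD_RESET,alice,FINANCE,-
2024-02-04,PASSWORD_RESET,erin,OPS,-
2024-02-06,VIOLATION,bob,FINANCE,PAYROLL.MASTER
2024-02-11,PASSWORD_RESET,frank,OPS,-
2024-02-20,RULE_CHANGE,secadm,SECURITY,PAYROLL.MASTER
2024-03-01,PASSWORD_RESET,alice,FINANCE,-
2024-03-02,PASSWORD_RESET,dave,OPS,-
2024-03-03,PASSWORD_RESET,erin,OPS,-
2024-03-04,PASSWORD_RESET,frank,OPS,-
2024-03-09,VIOLATION,bob,FINANCE,PAYROLL.MASTER
2024-03-10,VIOLATION,bob,FINANCE,PAYROLL.MASTER
2024-03-11,VIOLATION,bob,FINANCE,PAYROLL.MASTER
2024-03-12,VIOLATION,bob,FINANCE,PAYROLL.MASTER
2024-03-15,VIOLATION,carol,HR,HR.BENEFITS
"""

# Assumed cost of one help-desk password reset: midpoint of the $50-$85 range cited in the text.
COST_PER_RESET_USD = 65

def parse_records(text):
    """Parse the simplified audit layout into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, event, user, group, resource = line.split(",")
        records.append({"date": date.fromisoformat(day), "event": event,
                        "user": user, "group": group, "resource": resource})
    return records

def month_of(record):
    return record["date"].strftime("%Y-%m")

def resets_per_month(records):
    """Password resets per calendar month, oldest first."""
    counts = Counter(month_of(r) for r in records if r["event"] == "PASSWORD_RESET")
    return dict(sorted(counts.items()))

def reset_trend(per_month):
    """Compare the latest month with the earliest: 'increasing', 'decreasing' or 'flat'."""
    months = sorted(per_month)
    if len(months) < 2:
        return "insufficient data"
    first, last = per_month[months[0]], per_month[months[-1]]
    return "increasing" if last > first else "decreasing" if last < first else "flat"

def reset_cost(per_month, cost_per_reset=COST_PER_RESET_USD):
    """Estimated help-desk cost of every reset in the period."""
    return sum(per_month.values()) * cost_per_reset

def repeat_resetters(records, min_count=3):
    """Users reset at least min_count times: where training or policy effort may pay off."""
    counts = Counter(r["user"] for r in records if r["event"] == "PASSWORD_RESET")
    return {u: n for u, n in counts.items() if n >= min_count}

def violations_by_group(records, month):
    """Access violations in one month per department, most violations first."""
    counts = Counter(r["group"] for r in records
                     if r["event"] == "VIOLATION" and month_of(r) == month)
    return counts.most_common()

def violation_outliers(records, month, factor=1.5):
    """Users whose violation count in the month exceeds factor x the per-user mean."""
    counts = Counter(r["user"] for r in records
                     if r["event"] == "VIOLATION" and month_of(r) == month)
    if not counts:
        return {}
    threshold = factor * mean(counts.values())
    return {u: n for u, n in counts.items() if n > threshold}

def monthly_report(records, month):
    """The answers the text says management should ask for, gathered in one dict."""
    per_month = resets_per_month(records)
    return {"month": month,
            "resets_this_month": per_month.get(month, 0),
            "reset_trend": reset_trend(per_month),
            "reset_cost_to_date_usd": reset_cost(per_month),
            "repeat_resetters": repeat_resetters(records),
            "violations_by_group": violations_by_group(records, month),
            "violation_outliers": violation_outliers(records, month)}

if __name__ == "__main__":
    for key, value in monthly_report(parse_records(SAMPLE_AUDIT), "2024-03").items():
        print(f"{key}: {value}")
```

On the sample data the March report shows resets rising from 2 to 4 per month, one user reset every month, and one user in FINANCE accounting for four of the five March violations. Those three facts are exactly the kind of measurable result the text wants from audit data: each points at a specific improvement action (a training or password-policy review, or a look at why one user keeps hitting PAYROLL.MASTER) rather than a list of violations to scan by eye. Real SMF, SYSLOG or Windows event records would need a platform-specific parser in place of parse_records, but the per-month and per-group counting is the same.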