SECURITY REVIEWS

Many organizations have found that the overall security of their systems slowly deteriorates over longer periods. This is mainly due to changes being made to the system and to the security definitions: new applications and systems need to be implemented, existing systems need to be changed, and quite often people need some "temporary" access that is never removed again.

An external auditor or consultant can provide a measure of the current efficiency and quality of your security implementation. Quite often, many of the issues reported are already known to the security staff, but have been given low priority due to other, more urgent requirements. An independent security review can help you re-focus on the most pressing security issues.

A typical security review consists of several phases. During the first phase the reviewer will use a regular USERID that has authorizations similar to those of, for example, a data entry clerk or application programmer. Using this USERID, the reviewer will explore some simple ways of gaining higher authorization. This is a form of "ethical hacking". However, in our experience, it is much more time-efficient if the reviewer has access to some dedicated system analysis tools. During the second phase, the reviewer will use such tools to gain a quick insight into the overall system integrity. The tools help to quickly analyze about 50-60 different areas for potential exposures. As each area may involve checking up to 200 individual items, automated tools clearly make this entire process more efficient. During the third phase, the reviewer will concentrate on those areas that need additional research to evaluate the impact of the issues found.

Optionally, the security review can include a resource-access analysis. This provides insight into the efficiency of your access control via RACF profiles.

The final report to the customer includes a management summary, followed by a detailed description of each of the attention areas. The detailed descriptions explain the issue, indicate its severity, and include an estimate of the impact and of the effort needed to correct the situation. An optional appendix includes the output created by the automated analysis tools used during the review process.

The table on the page "z/OS and RACF Attention Areas" lists the areas that are reviewed during a typical security review.