Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

TSO Online System Services Audit Program

MASTER INDEX

I.   Audit Administration
II.  System Generation
III. Critical Files / Processing Interfaces
IV.  System Logs and Problem Reporting
V.   Security
VI.  Documentation
VII. Backup / Recovery

INTRODUCTION

This program is a technical review of the Time Sharing Option (TSO) software. It is designed for the TSO Extensions (TSO/E) version operating in an MVS/ESA environment with ACF2.

OBJECTIVE

To ensure that the TSO software is properly controlled within the operating environment and that FNSC staff procedures provide adequate assurance for its continuous operation.

I. AUDIT ADMINISTRATION

Objective: To obtain accurate information regarding the current product and plan the audit accordingly.

A. If a pre-audit phase was not completed:
   - perform the Standard Pre-Audit Survey tasks to update the understanding of the audit area;
   - obtain the prior reports and determine the current status of the audit issues;
   - update the Perm Binder as appropriate;
   - prepare (or review/update) the Audit Program; and
   - prepare the Audit Plan and the Functional Budget.

B. Research all Carry Forward items from the current audit binder.

II. SYSTEM GENERATION

Objective: To ensure that the parameters and methods used to initiate the TSO started task for each mainframe are documented, reasonable, and subject to supervisory review.

A. Obtain the initialization parameters which establish TSO controls and evaluate them for reasonableness:
   - MVS,
   - ACF2, and
   - logon profiles.

B. Evaluate the TSO initialization process to ensure the correct parameters are used and that any overrides of normal parameters are reviewed.
   - Confirm that parameters are normally provided automatically, with a minimum of operator intervention.
   - Confirm that messages and 'news' items in the TSO welcome are complete and reviewed prior to their implementation.

C. Determine that logon processing is properly controlled.
   - Review the process for creating and assigning TSO logon procedures to users, and confirm that requests for changes and for new procedures are reviewed and approved prior to implementation.
   - Select a sample of logon profiles and evaluate the online facilities provided and the control parameters used.

III. CRITICAL FILES / PROCESSING INTERFACES

Objective: To ensure that system integrity is maintained through established controls over software interfaces.

A. Obtain or develop a list of the files required for TSO and evaluate the controls used to assure the proper files are input and are processed completely:
   - TSO software,
   - TSO control parameters,
   - logon profiles,
   - CLISTs,
   - other input files or parameters.

B. Evaluate the procedures for authorizing and approving changes to TSO programs, control parameters, and other system-related files.

C. Evaluate the procedures for authorizing and approving changes to TSO logon procs and CLISTs.

D. Obtain or develop a list of automated interfaces with TSO (ACF2, MVS, JES, SDSF, and any others) and evaluate controls over the interfaces:
   - ACF2
   - SDSF
   - MVS
   - MULTSESS
   - JES
   - other software

E. Determine that the use of multiple sessions does not compromise TSO or ACF2 controls.
   - Discuss the effects of MULTSESS on ACF2 and TSO controls with the systems programming staff. Confirm this by performing typical online activities to test access controls in TSO under the MULTSESS environment.
   - Discuss the effects of MULTSESS on resource limits imposed by TSO with the systems programming staff. Where possible, confirm their statements.

IV. SYSTEM LOGS / PROBLEM REPORTING

Objective: To determine if adequate recording of system activity is maintained and to ensure that problems are promptly identified and resolved.

A. Identify reports produced routinely by TSO and determine who receives them and what purpose each report serves.

B. Identify "management" and "exception" reports from TSO and determine who receives them and what action is taken. Obtain a sample of problems (from PIX or SMF records of abends) and confirm them against the TSO problems reported.

C. Identify logs of TSO activity and exceptions. Determine if an adequate history is maintained and if the logged data is put to good use.

V. SECURITY

Objective: To determine that access to TSO files and facilities is restricted to authorized individuals.

A. Obtain the ACF2 rules for access to TSO software and parameters and evaluate the restrictions in force. Test the ACF2 restrictions by attempting both online and batch additions to TSO datasets.

B. Determine if ACF2 controls are applied to TSO and properly restrict access to online facilities.

C. Review ACF2 rules for a sample of production datasets to confirm the access granted to TSO is appropriate.

D. Determine if TSO's own access controls are in use and have been correctly implemented:
   - Confirm that access to online SDSF processing is restricted and includes adequate controls.
   - Obtain the SDSF access table and review the access allowed for reasonableness.
   - Conduct online tests of SDSF to confirm the parameters in the initialization are still in effect and do provide adequate controls.
   - Evaluate the way SDSF access controls are used to segregate the duties of: 1) operators, 2) QA techs, and 3) programmers / users.
   - Confirm that data for banks is protected from 'cross-bank' access.
   - Evaluate the procedures used to request new SDSF access and to determine the appropriate level of access to SDSF functions.

E. Obtain a list of APF libraries and review the ACF2 rules over them. (NOTE: Consult the MVS Audit Binder for the results/findings of the most recent review.)

VI. DOCUMENTATION

Objective: To determine that documentation of TSO and FNSC procedures for TSO facilities is adequate.

A. Policy and Procedure
   1. Review the Technical Services Procedures Manual and evaluate the adequacy of controls in the procedures for TSO-related products.
   2. Test compliance with procedures. Select a sample of recent changes and trace them through the procedures to confirm compliance with standards and procedures.

B. Confirm there is an adequate audit trail of the documents used in TSO.

C. Ensure that appropriate documentation is available to the Tech Services staff and evaluate it for completeness and clarity. Minimally, this should include:
   - Technical Services Procedures Manual; and
   - TSO documentation.

D. Evaluate the procedures for authorizing and approving changes to TSO programs, CLISTs, and control parameters.
   1. Determine how changes to TSO software and parameters are authorized, documented, and tested.
   2. Select a sample of TSO changes and review the changes and supporting documentation:
      - are changes properly authorized?
      - is documentation complete?
      - is the change adequately tested?
      - is the audit trail of changes adequate?

VII. BACKUP / RECOVERY

Objective: To ensure that backups of TSO programs and datasets are made on tape and are rotated off site in compliance with standards.

A. Confirm that critical TSO datasets are copied to tape and rotated off site.

B. Confirm that recovery documentation has been prepared and a current copy is maintained off site.
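The ACF2 rule reviews in steps V.A, V.C and V.E (evaluating the restrictions over TSO datasets, confirming the access granted on production datasets, and reviewing the rules over APF libraries) go faster and more consistently when the exported rule listing is screened mechanically before the auditor reads it. The Python script below is an added example written for this page; it is not part of the audit program, of ACF2, or of any site's tooling. It assumes a simplified ACF2 dataset-rule syntax ($KEY and $MODE control cards, then entries of the form dsn-mask UID(mask) READ/WRITE/ALLOC/EXEC with A, L or P values), simplified mask matching, a constructed sample listing and a constructed APF library list. It flags rule sets that are not in ABORT mode, entries that grant update access to broad UID masks, APF libraries with no covering rule, and every entry that could update an APF library, leaving the reasonableness judgement to the auditor.

```python
"""
Offline screen of an exported ACF2 dataset-rule listing (added example).

Assumed, simplified ACF2 syntax (the real product has more control cards):
  $KEY(hlq)                      rule set for one high-level qualifier
  $MODE(ABORT|LOG|WARN|QUIET)    how violations of this rule set are handled
  <dsn-mask> UID(<uid-mask>) READ(x) WRITE(x) ALLOC(x) EXEC(x)   x = A|L|P
A = allow, L = allow and log, P = prevent.  A permission that is not coded is
treated as P (the ACF2 default).  Masking is simplified here: '-' matches any
characters, '*' matches any characters within one qualifier.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

ACCESS_KINDS = ("READ", "WRITE", "ALLOC", "EXEC")


@dataclass
class RuleEntry:
    key: str        # high-level qualifier from $KEY
    dsn_mask: str   # dataset-name mask below the $KEY qualifier
    uid_mask: str   # user-identification mask; empty means every user
    access: dict    # permission letter per access kind


@dataclass
class RuleSet:
    key: str
    mode: str = "ABORT"
    entries: list = field(default_factory=list)


def parse_rule_sets(text):
    """Parse the listing into {hlq: RuleSet}; lines starting with '*' are comments."""
    sets, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line or line.startswith("*"):
            continue
        if line.startswith("$KEY("):
            key = line[5:line.index(")")]
            current = sets.setdefault(key, RuleSet(key))
            continue
        if current is None:
            raise ValueError("rule card before any $KEY card: " + line)
        if line.startswith("$MODE("):
            current.mode = line[6:line.index(")")]
        elif line.startswith("$"):
            continue  # $OWNER, $PREFIX and similar cards are not needed for this screen
        else:
            tokens = line.split()
            entry = RuleEntry(current.key, tokens[0], "", {k: "P" for k in ACCESS_KINDS})
            for tok in tokens[1:]:
                m = re.fullmatch(r"(\w+)\(([^)]*)\)", tok)
                if m and m.group(1) == "UID":
                    entry.uid_mask = m.group(2)
                elif m and m.group(1) in ACCESS_KINDS:
                    entry.access[m.group(1)] = m.group(2)
            current.entries.append(entry)
    return sets


def mask_to_regex(mask):
    """Simplified ACF2 masking: '-' spans qualifiers, '*' stays within one."""
    pattern = "".join(".*" if c == "-" else "[^.]*" if c == "*" else re.escape(c) for c in mask)
    return re.compile("^" + pattern + "$")


def uid_is_broad(uid_mask):
    """A UID mask made only of wildcards (or left empty) matches every user."""
    return uid_mask.strip("-*") == ""


def review(sets, apf_libraries):
    """Return (category, subject, detail) findings for the auditor to assess.
    Every matching entry is listed; real ACF2 applies only the most specific one."""
    findings = []
    for rs in sets.values():
        if rs.mode != "ABORT":
            findings.append(("MODE", rs.key, f"$MODE({rs.mode}): violations are not prevented"))
        for e in rs.entries:
            for kind in ("WRITE", "ALLOC"):
                if e.access[kind] != "P" and uid_is_broad(e.uid_mask):
                    findings.append(("BROAD-UPDATE", f"{e.key}.{e.dsn_mask}",
                                     f"UID({e.uid_mask}) has {kind}({e.access[kind]})"))
    for lib in apf_libraries:
        hlq, _, rest = lib.upper().partition(".")
        rs = sets.get(hlq)
        matching = [e for e in rs.entries if mask_to_regex(e.dsn_mask).match(rest)] if rs else []
        if not matching:
            findings.append(("APF-NO-RULE", lib, "no rule entry covers this APF library"))
        for e in matching:
            if e.access["WRITE"] != "P" or e.access["ALLOC"] != "P":
                findings.append(("APF-UPDATERS", lib, f"UID({e.uid_mask}) may update it via {e.key}.{e.dsn_mask}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    return dict(Counter(cat for cat, _, _ in findings))


def review_text(rule_text, apf_libraries):
    return review(parse_rule_sets(rule_text), apf_libraries)


# Constructed sample listing and APF list for illustration; not a real site's rules.
SAMPLE_RULES = """\
* constructed sample
$KEY(SYS1)
$MODE(ABORT)
 PARMLIB   UID(SYSPROG-) READ(A) WRITE(L) ALLOC(L) EXEC(A)
 LINKLIB   UID(SYSPROG-) READ(A) WRITE(A) ALLOC(A) EXEC(A)
 -         UID(-)        READ(A) EXEC(A)
$KEY(FNSC)
$MODE(LOG)
 AUTH.LOAD UID(-)        READ(A) WRITE(A) EXEC(A)
 TSO.CLIST UID(-)        READ(A) EXEC(A)
 TSO.CLIST UID(TSOADM-)  READ(A) WRITE(A) ALLOC(A) EXEC(A)
"""
SAMPLE_APF = ["SYS1.LINKLIB", "FNSC.AUTH.LOAD", "FNSC.MULTSESS.LOAD"]

if __name__ == "__main__":
    for cat, subject, detail in review_text(SAMPLE_RULES, SAMPLE_APF):
        print(f"{cat:13} {subject:20} {detail}")
```

On the constructed sample the screen reports the FNSC rule set running in LOG mode, the broad WRITE(A) on FNSC.AUTH.LOAD, the two entries that can update APF libraries, and the APF library with no rule at all; each of those is a line item to trace back to the ACF2 listing and the approval records in step VI.D.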