Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

TANDEM AUDIT PROGRAM

I. GENERAL OPERATING SYSTEM INFORMATION

Objective: To obtain the appropriate general information regarding the operating system to aid in the review process.

A. Determine, and document in the work papers, all Tandem systems and the version, release, and maintenance level of the operating systems. Include in this list any other pertinent systems software (e.g., Safeguard, SafetyNet, Onguard, etc.). Determine if multiple operating systems exist and, if so, why.

B. Interview systems programming personnel, computer operations management, and other technical staff to determine whether non-Tandem code has been introduced into the operating system. Obtain available records about the content of known changes.

C. Obtain PIX problem logs for open and closed calls for the last six months and review them for processing problems of audit concern.

D. Review Technical Services' written procedures to gain an understanding of the area to be audited.

II. SYSTEM MODIFICATIONS

Objective: To ensure that all changes to the operating system are authorized and properly tested.

A. Determine whether FSC change control procedures exist for modifications to the operating system and are adequately adhered to.

B. Document the frequency of Guardian operating system changes from the vendor. How are these changes sent and installed at FSC?

C. Determine if a modification tracking log is maintained by technical support. Ensure that this log indicates:
   1. Who made the change?
   2. What was changed?
   3. How was the change installed (i.e., Debug, Inspect, etc.)?

D. Document the procedures for testing modifications to the operating system (e.g., scheduling, individuals participating, formal sign-offs, etc.).

E. Determine, and document in the work papers, which individuals are responsible for applying changes to the operating system. Determine if this responsibility is rotated, and if the work performed is reviewed by a supervisor on a periodic basis.

F. If applicable, examine documentation to determine the justification for and approval of each non-Tandem modification to the operating system. Do procedures include management approval prior to implementation, independent certification of modified code, and a review of supporting documentation?

G. Is the previous version of the system configuration ($SYSTEM.CONFIG.SYSnn) retained when a new one is created? Is it backed up and sent off-site?

III. CRITICAL DATASET REVIEW

Objective: To ensure that all critical/sensitive datasets are adequately protected against unauthorized access.

A. With tech support personnel, execute FUP INFO against the Tandem files to obtain the file characteristics for all system files.

B. With tech support personnel, obtain a listing of production users and the access authority allowed.

C. From the list obtained in Step A, identify all critical datasets and determine whether access is adequate and whether only authorized individuals can access these datasets. Are password datasets encrypted? Critical datasets include:
   - $SYSTEM.System.UserID and $SYSTEM.System.UserIDAIC (contain user ID information)
   - $SYSTEM.Safe AS00000n (System subject files)
   - $SYSTEM.Safe A000000n (System object files)
   - $SYSTEM.Safe ASUDDL, etc.
   - $SYSTEM.SYS(NN) (password)
   - $SYSTEM.System (OS system datasets)
   - $DATA1.SECURITY.PSWD (encrypted Supervisor password file for use by Corp. Data Sec. on the ATM machine)
   - $DATA1.PAN* (Onguard security system programs and files on the ATM machine)

D. Determine whether adequate backup of these system files is being created and stored on/off site.
   1. Have adequate rotation schedules been established?

E. Are mirrored disks used? If so, determine which disks are mirrored. Identify and review the controls over inactivating and activating this function.

IV. REVIEW OF SENSITIVE UTILITIES/PROGRAMS

Objective: To ensure that all critical/sensitive programs/utilities can only be executed by authorized individuals.

A. Review the security over sensitive utilities/programs to ensure that only authorized users can execute them.
   1. Tandem Application Control Language (TACL)
      a. Determine which terminals have been set up to allow Guardian signon directly, thereby allowing direct execution of a TACL session (in the prior version of the operating system the command interpreter, COMINT, performed the same basic functions as TACL). Onguard should control all user access to Guardian and TACL commands (review TACL access through Onguard in the security section of the audit program).
      b. How is TACL restricted, and who has access to the sensitive commands within TACL (ADDUSER, DELUSER, etc.)?
   2. File Utility Program (FUP) - used to create, modify, and manage structured or unstructured files.
      a. Review the security over this utility and the sensitive commands within FUP (license, revoke, etc.).
   3. Peripheral Utility Program (PUP) - used to maintain disc drives and other devices.
      a. Determine who has access to this utility and the sensitive commands within it (console, down, up, primary, etc.).
   4. Backup and Restore - utilities that copy disc files onto magnetic tape and restore files from tape to disc.
      a. Determine who has access to these utilities and ensure that it is adequate.
   5. Peruse - examines and changes attributes of jobs that you have sent to the spooler.
      a. Review access to this utility and ensure that it is adequate.
   6. Spoolcom - provides interactive or non-interactive control of the spooler.
      a. Review access to this utility and the sensitive commands within Spoolcom (collect, rev, open, etc.).
   7. Also review the controls over the Delay, Peek, Diver, Spool and Error utilities to ensure that access is adequate.
   8. DSAP/DCOM - DSAP analyzes how disc space is being utilized on a specified volume, and DCOM moves files in order to gain more usable space on the drives.
      a. These are privileged programs and accessibility should be controlled. Determine if access is controlled. This can be done in two ways: do not license the file for general use; or license the file to some subset of users, setting up file security on some basis of controlled use.

B. Review management trails produced from these various utilities and determine if they are adequate.

C. When program files are licensed by FUP, this process gives the program privileged procedures so that non-privileged users can run the files. With tech support personnel, execute the DSAP utility with the DETAIL parameter specifying LICENSED. This process will create a detail report that includes all licensed files in a file set.
   1. From this list, identify all licensed programs and document the reasons for their being licensed, or whether the controls over the programs are adequate.

D. When the PROGID of a program file is set, the process accessor ID is set to the ID of the owner of the program file. Therefore, individuals having execute access to a program with PROGID set can access all files that the owner of the program can access. With tech support personnel, execute the DSAP utility with the DETAIL parameter specifying PROGID. This process will create a report of all files in the file set that have PROGID set.
   1. From this list, identify all program files with PROGID set, document the reasons why, and determine if it is necessary to have the ID set and whether any exposure exists.

E. CMON is a user-written program which can be written to log logon attempts, log activity, require password changes, etc. Review the function of the existing CMON program.
   1. Determine if it is adequately documented.
   2. Determine if access is restricted.
   3. Identify and test all controls built into the CMON program and document any exposures.

V. INITIAL SYSTEM GENERATION AND STARTUP

Objective: To ensure that procedures and supporting documentation are in place for the Tandem load process.

A. Determine the frequency of system gens and review the documentation of the last gen to ensure that all $SYSTEM subvolumes are utilized. In addition, review any critical parameters during the initial load. Who has access to the sysgen program and the OS image file?

B. Identify the individuals that can perform the cold load. Is it performed through the control panel switches or the Remote Maintenance Interface (RMI)? (In prior systems this was called the OSP, or Operations and Service Processor.)
   1. Determine if a password is used for RMI and, if so, who knows it and how often it is changed.
   2. Are Remote Console Process (RCP) and Remote Operations Facility (RDF) used (products allowing remote control of the system from off-site)? If so, determine the controls in place.

C. Review the existing Tandem operating system load procedures and determine if they are well documented.

D. Determine if normal procedures can be bypassed to interactively modify parameters within the sysgen process (for example, Dynamic System Configuration can be used on VLX/CLX systems). Are these changes documented?

Note: In general, for this section refer to the perm file section P3-B for more information.

VI. GUARDIAN/ONGUARD/CMON SECURITY

Objective: To ensure that the Tandem operating system security is adequate to control access to critical/sensitive programs/files and to create an adequate separation of duties.

A. Document and review the Guardian operating system security and determine whether it adequately addresses security issues. (Note: In audits after 1991, Onguard security should be in place controlling almost all access. Major emphasis should therefore be placed on audit step J.)

B. Review password controls and ensure the following:
   1. passwords are changed periodically;
   2. the file where passwords are maintained is properly controlled;
   3. passwords are properly issued;
   4. password requests are authorized;
   5. passwords are masked during signon and in output listings;
   6. passwords are not written in user manuals, taped to operator terminals, etc.;
   7. determine whether a user can remove his/her password from the system; and
   8. determine whether group user accounts exist on the system. If so, review procedures for adequacy.

C. Ensure that procedures for recording and following up on unauthorized access attempts are adequate.

D. Is maintenance to security matrices/tables logged and reviewed?

E. Obtain and review the current Tandem users listing. Determine if the list is current and all user authority levels are consistent with job responsibilities.

F. Determine if any remote passwords are utilized and review the controls over these logons, ensuring that each user's remote access is adequate in conjunction with his job responsibility.

G. Document and determine if adequate procedures are in place for creating user accounts, assigning privileges and permitting the use of computer resources.

H. Do terminals automatically log off after a period of inactive use?

I. Review the Super Group logons to ensure that the users having access to these logons are reasonable.
   1. Obtain the ACF2 rule sets over the data sets where the production Super password is located and ensure that only authorized individuals can gain access. (These data sets in the prior audit included $DATA1.SECURITY.PSWD on the Tandem and SEC.TANDEM1, 2, 3 & 4 on the Albany mainframe.)
   2. In addition, review the ACF2 logs to determine when the password was utilized, and review the procedures for follow-up of access and whether the password was changed after access was made. Also, determine whether the password is changed periodically (monthly).

J. Review and test, where appropriate, the controls provided by the Onguard security software over the Tandem system. Include at least:
   1. control over access to critical Guardian functions such as TACL,
   2. control over access to critical applications, and
   3. audit trails and security violation reporting.

K. Review any security and audit trails provided by the in-house modified communications software CMON.

VII. COMMUNICATION CONTROLS

Objective: To ensure that there are adequate controls over Tandem communications to restrict access to authorized individuals.

A. Identify and document the communication configuration of the three Tandem machines.

B. Describe any confidential information which is being transmitted via telephone lines, and determine what controls are in place, if any, to protect this data (e.g., encryption).

C. If encryption/decryption is being utilized, determine if the algorithm and keys are properly controlled and protected.
   1. How often are the keys changed?
   2. Who is responsible for changing these keys?

D. Review the controls over Tandem dial-in capabilities (e.g., Defender, dial-out modems, etc.) and determine whether they are adequate.

E. Obtain a PUP LISTDEV listing and review it.

VIII. CHANGE CONTROL

Objective: To ensure that controls over changes to the object and source production programs are adequate.

A. Review the Tandem object/source change control procedures for both production systems to ensure that adequate controls are in place (Network performs the moves on the Switch system and Operations technical support performs the moves on the Moneynet system).

B. Review a sample of Tandem object/source change control forms to ensure that they are completed properly and that procedures are being adequately adhered to.

C. Determine what audit trail exists on the system for program changes and trace a sample to program change requests.

IX. TANDEM LOGS REVIEW

Objective: To ensure that all critical and sensitive activity utilizing Tandem commands is logged, creating a valid audit trail.

A. Identify the various logs produced by the Tandem system (e.g., the PMI log and CMON log, etc.).

B. Review these logs for any items of audit significance and research any unusual occurrences.

C. Determine how console logs are maintained. Note the retention period of these logs, who reviews them, and their physical security.

X. PHYSICAL SECURITY

Objective: To ensure that adequate physical security is in place over the Tandem systems and the components of these systems.

A. Enter the computer room and review the Tandem systems for the following physical controls:
   1. Are the machine cabinets locked? Who maintains the keys, are there backup keys, and where are they kept?
   2. Is the RMI locked? Who maintains the keys, are there backup keys, and where are they kept?
   3. Is RMI signon through the local terminal done with a non-blank password?
   4. Examine the RMI control panel switches to determine whether RMI local password checking is turned off (no RMI password needed locally), and whether the Remote Access switch is set to Disabled or Enabled (i.e., whether someone can dial in to the RMI remotely without operator intervention).

B. Determine that appropriate physical security exists for terminals not controlled by Onguard security.
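As an added example that is not part of the audit program above, the following Python script applies the checks from steps III.C (critical datasets open to any user), IV.C (licensed programs) and IV.D (programs with PROGID set) to a file-attribute listing. The listing format, the sample records and the CRITICAL_DATASETS set are constructed for the example; real FUP INFO and DSAP output looks different and would need its own parser. The example reads the Guardian security string as four positions (Read, Write, Execute, Purge) and treats the letters A (any local user) and N (any network user) as open access; the severity labels are the example's own choice.

```python
"""Added example: flag exposures in a constructed Tandem/Guardian file listing.

The listing format below is invented for this example; it is not real FUP INFO
or DSAP output.  Each record carries the attributes an auditor collects in
steps III.A, IV.C and IV.D: file name, owner (group,user), the Guardian RWEP
security string, and whether the file is licensed or has PROGID set.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Guardian security string positions: Read, Write, Execute, Purge.
POSITIONS = "RWEP"
# Letters that open a position to any user (A = any local user, N = any network
# user).  G/O/C/U restrict to group or owner; "-" restricts to super.super.
ANY_USER = {"A", "N"}
SUPER_GROUP = "255"  # group number of the super group (super.super is 255,255)

# Constructed sample listing (hypothetical values, not taken from a real system).
SAMPLE_LISTING = """\
$SYSTEM.SYSTEM.USERID   255,255  NUNU  licensed=N progid=N
$DATA1.SECURITY.PSWD    255,255  OOOO  licensed=N progid=N
$SYSTEM.SYSTEM.FUP      255,255  AOOO  licensed=Y progid=N
$DATA1.APP.REPORTGEN    100,5    AOOO  licensed=N progid=Y
$DATA1.APP.BATCHRUN     255,10   OOOO  licensed=Y progid=Y
"""

# Critical datasets from step III.C (the rest of that list omitted for brevity).
CRITICAL_DATASETS: Set[str] = {"$SYSTEM.SYSTEM.USERID", "$DATA1.SECURITY.PSWD"}


@dataclass
class FileRecord:
    name: str
    owner: str       # "group,user"
    security: str    # four letters, RWEP order
    licensed: bool
    progid: bool


def parse_listing(text: str) -> List[FileRecord]:
    """Parse the constructed listing into records; blank or short lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        flags = dict(p.split("=", 1) for p in parts[3:5])
        records.append(FileRecord(
            name=parts[0].upper(),
            owner=parts[1],
            security=parts[2].upper(),
            licensed=flags.get("licensed") == "Y",
            progid=flags.get("progid") == "Y",
        ))
    return records


def audit(records: List[FileRecord], critical: Set[str]) -> List[Dict[str, str]]:
    """Apply the III.C, IV.C and IV.D checks and return one finding per exposure."""
    findings: List[Dict[str, str]] = []
    for r in records:
        # III.C: a critical dataset must not grant any position to "any user".
        if r.name in critical:
            for pos, letter in zip(POSITIONS, r.security):
                if letter in ANY_USER:
                    findings.append({"file": r.name, "step": "III.C", "severity": "high",
                                     "issue": f"{pos} access open to any user ({letter})"})
        # IV.C: a licensed program runs privileged procedures for non-privileged users.
        if r.licensed:
            findings.append({"file": r.name, "step": "IV.C", "severity": "medium",
                             "issue": "licensed program: document justification and restrict execute access"})
        # IV.D: PROGID makes the process run with the owner's accessor ID, so
        # anyone who can execute it gets the owner's file access.
        if r.progid:
            group = r.owner.split(",")[0]
            severity = "high" if group == SUPER_GROUP else "medium"
            findings.append({"file": r.name, "step": "IV.D", "severity": severity,
                             "issue": f"PROGID set: executors inherit file access of owner {r.owner}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_listing(SAMPLE_LISTING), CRITICAL_DATASETS):
        print(f"[{f['severity']:<6}] {f['step']:<5} {f['file']:<24} {f['issue']}")
```

Run as-is, the script reports six findings for the sample: the user ID file is readable and executable by any network user, two programs are licensed, and two carry PROGID (the one owned by a super-group user is rated high). To use it on a real system the parser would be replaced with one for the actual FUP INFO and DSAP DETAIL report layout, and the critical dataset set filled from the step III.C list.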