The Payment Card Industry (PCI) Data Security Standard und ISO-27001/2 represent important security standards for financial service institutions. This article keeps you updated on current topics surrounding PCI and ISO 27001/2 compliance of the mainframe platform. Latest best practice experience has shown potential mainframe-related difficulties in important areas not only your auditor should know about:

• PCI:

10.5 Secure audit trails so they cannot be altered,
2.2.3 Configure system security parameters to prevent misuse,
6.2 Establish a process to identify newly discovered security vulnerabilities …,
6.5.2 Broken access control, etc.

• ISO-27001/2:

A10.10.3 Protection of log information,
A11.5.4 Use of system utilities,
A12.6.1 Control of technical vulnerabilities, etc.

Furthermore, ISO sections A13.2.1, A13.1.1, and PCI sections 11.4, 11.5, 12.9, all stipulate the mandatory implementation of real-time monitoring for compliance.

The mainframe’s failure to fully comply with these requirements also stems from its missing ability to both detect and combat dynamic manipulation and malicious code processing regarding

a)

authentication (user ID switching, authorization theft, etc.),

b)

logging (manipulation or suppression of audit information, which means breaking the audit trail),

c)

resource access (manipulation of resource access procedures).

Best practice experience has proven that full compliance becomes impossible by solely relying on the capabilities of the standard operating and security systems, even when implementing some real-time SMF-based auditing (for technical details see below).

We are partners with the world’s largest companies and institutions in successfully achieving and maintaining extreme secure environments. Our unique real-time security monitoring technology, which we call SF-Sherlock, goes far beyond standard monitoring. It will “plug into” your mainframe environment and successfully detect and combat any attack. You become compliant easily.