Everyone has to start from somewhere. What would you do?
- Is a security package installed?
The three big ones are IBM's RACF, with CA-Top Secret and CA-ACF2 as alternates. All three are excellent. Like most I have a preference, which I won't disclose here because it's pointless. If none are installed, stop here.
All three have a testing mode, or "warn" mode. In "warn" mode, userid controls are enabled but resource use is not fully protected. Make sure the security product is not in "warn" mode.
- Review how enhanced security authority is distributed. The terms differ between the products; you will have to review product documentation to find the terms. You want to look for two major issues.
- How are userids created? Who can do it? What are the controls? A related issue is how problems are corrected: how, and by whom, can new passwords be assigned if one is forgotten? What are the controls to verify these users are valid?
RACF and Top Secret have the ability to place users into groups. Does the grouping have anything to do with the current organization's structure? If not (and don't be surprised if it doesn't), can it be corrected? ACF2 does not have this direct ability, but the so-called UID string is supposed to imply grouping. Does it make sense?
- Storage management. This organization usually has near 100% ability to look at and modify anything.
Look for users who are not in storage management but have storage management authority. If possible this authority should be removed.
- Verify production data is rigidly isolated from test. Unfortunately this is usually not as well firewalled as one might like. Look for the breaks in the firewall.
That should get you started. This is security auditing 101.
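Two of the checks above (group structure versus the org chart, and storage-management authority held outside the storage-management team) lend themselves to a script run over a user listing. The following is an added example, not part of the post; the listing format, group names, attribute names (`OPERATIONS`, `SPECIAL`) and the org chart are constructed placeholders, since the real terms and export format must be taken from the product's own documentation.

```python
from dataclasses import dataclass

@dataclass
class UserRecord:
    userid: str
    groups: set        # security groups the userid is connected to
    attributes: set    # product-specific privilege flags (terms vary by product)

# Constructed sample extract in a simplified one-line-per-user format.
# A real audit would export this from the product (e.g. a RACF user listing)
# and adapt parse_extract() to that product's layout.
SAMPLE_EXTRACT = """\
USER=STGADM1 GROUPS=STGMGMT ATTRIBUTES=OPERATIONS
USER=APPDEV7 GROUPS=APPDEV ATTRIBUTES=OPERATIONS
USER=SECADM GROUPS=SECADMIN ATTRIBUTES=SPECIAL
USER=OLDUSER GROUPS=MKTG1998 ATTRIBUTES=
"""

# Hypothetical current org chart: the security groups that still map to a
# real organizational unit. Anything outside this set is suspect.
ORG_GROUPS = {"STGMGMT", "APPDEV", "SECADMIN", "FINANCE"}

def parse_extract(text):
    """Turn the constructed KEY=VALUE listing into UserRecord objects."""
    users = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        users.append(UserRecord(
            fields["USER"],
            set(filter(None, fields.get("GROUPS", "").split(","))),
            set(filter(None, fields.get("ATTRIBUTES", "").split(","))),
        ))
    return users

def find_excess_storage_authority(users, storage_group="STGMGMT",
                                  storage_attr="OPERATIONS"):
    """Userids holding the storage-management privilege without being in the
    storage-management group: candidates for having the authority removed."""
    return sorted(u.userid for u in users
                  if storage_attr in u.attributes and storage_group not in u.groups)

def find_stale_group_mappings(users, org_groups=ORG_GROUPS):
    """Userids whose groups match no current organizational unit, i.e. the
    grouping no longer reflects the organization's structure."""
    return sorted(u.userid for u in users if not (u.groups & org_groups))

if __name__ == "__main__":
    users = parse_extract(SAMPLE_EXTRACT)
    print("Excess storage authority:", find_excess_storage_authority(users))
    print("Stale group mappings:", find_stale_group_mappings(users))
```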