Mainframe Penetration Test
This Service will test the overall configuration security controls in the Customer’s IBM® z Systems® environment to identify external or internal vulnerabilities, which could compromise the integrity and availability of systems or data.
What you get:
BMC will perform the following for one LPAR running IBM® z/OS® and an External Security Manager* (ESM):
- Discuss the scope and outline the high-level plan for the test
- Perform a White Box* penetration test that includes privilege escalation attempts using various user ids provided by Customer
- Assess the security configuration and controls defined in the ESM
- Conduct data gathering on the ESM and z/OS and perform analysis
- Execute z/OS penetration test
- Analyze penetration test results
- Generate Mainframe Penetration Test Report
- Provide encrypted deliverables to Customer
- If Customer asks for suggestions on third-party equipment, software and services, BMC makes no representation or warranty whatsoever regarding such equipment, software and services or that the same shall be fit for the Customer’s purpose.
Customer will be responsible for:
- Providing two basic time sharing option (TSO)* user accounts
- Providing remote access to Customer’s mainframe via Virtual Private Network (VPN) or Virtual Desktop Interface (VDI)
- Maintaining and ensuring back-ups and recovery files
- Providing instructions on how to connect to the LPAR including such details as:
  - IP address
  - Port number
  - Standard user ID
  - SSL certificate details, if required
Deliverables: Using BMC’s standard methodology and templates, the following Deliverables are in scope for this project and will be delivered:
- Mainframe Penetration Test Report
Completion Criteria: BMC will have completed these Consulting Services when the in-scope Consulting Services have been completed and the Deliverables have been delivered to the Customer Project Manager.
Prior to the redemption of this service, Customer must provide advance notification of internal security processes that require BMC to enter into any special terms and conditions before gaining access to Customer’s infrastructure.
- Customer has obtained the appropriate rights and permissions of any third parties for Customer to provide information relating to such third parties’ hardware, software and solutions and allow BMC to carry out the Services on their hardware, software and solutions that are in scope.
- Customer will provide BMC with two mainframe accounts (RACF, ACF2 or TSS) defined to the ESM as a basic user. This user should have similar access to that of a mainframe application developer or other basic system user.
- Customer will provide hands-on-keyboard access to the mainframe for BMC consultants.
- Estimated Duration: 6-8 weeks
- In-scope Product: BMC AMI Security
- Service Type: Advisory & Planning
- Availability: Active
- Success Service Code: BMSS_PENT_001
- Date Last Updated: 09/22/2023
Additional BMC Services:
As part of your ongoing adoption and extension of BMC capabilities and solutions, the following services complement each other:
- Mainframe Security Assessment: ESM - (IBM® RACF®, ACF2, Top Secret)
- Mainframe Security Assessment: Sub System IBM® Db2®
- Mainframe Security Assessment: Sub System IBM IMS™
- Mainframe Security Assessment: Sub System IBM® CICS®
- Mainframe Security Assessment: Sub System Network
- Mainframe Security Assessment: Sub System IBM® MQ
- Mainframe Security Assessment: Sub System IBM® z/OS® UNIX® System Services
- Mainframe Security Assessment: Sub System IBM® WebSphere® Application Server
- ESM: External Security Managers
- IBM z/OS: Z operating systems used by Customer
- White Box Testing: A testing technique which checks the internal functioning of the system. Testing is based on coverage of code statements, branches, paths or conditions.
- TSO: Time Sharing Option
z/OS, z Systems, and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.