Steve,

I would agree that software with human checking is the way it _should_ be done, but I've had a client tell me they were handed nothing more than software output and a large bill. That is why I advised Filip not to assume anything and to ask questions.

Regards, Bob

-----Original Message-----
Date: Mon, 15 Aug 2016 09:33:11 -0500
From: Steve Beaver <st...@stevebeaver.com>
Subject: Re: Mainframe's security assessments costs

Vanguard has their VCM that will handle a lot of the checking you are looking for, but no one handles it all without some human checking.

Steve

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert Hansel
Sent: Monday, August 15, 2016 9:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Mainframe's security assessments costs

Hi Filip,

I'm not sure asking others about pricing would be of much benefit because such pricing is likely to be based on their unique configuration and the type of assessment, and besides, they probably can't disclose such pricing because it is likely to be protected by a confidentiality agreement.

Some of the factors we consider in pricing an assessment are the number of RACF databases to be reviewed, number of z/OS system images (a.k.a. LPARs) sharing each set of RACF databases, number of profiles defined by class in each database, number of CICS regions (SIT PARM analysis), whether Unix File System security permissions are to be examined, and whether the assessment can be performed remotely.

To compare offers, you need to look closely at the nature and depth of the review. Some will simply run a software tool and issue findings that in some cases are based on arbitrary thresholds (e.g., 'n' number of IDs with NOINTERVAL or OPERATIONS). Others will bore into the details and attempt to identify IDs that perhaps shouldn't have NOINTERVAL or look for SURROGAT profiles that allow unprivileged users inappropriate use of OPERATIONS IDs.

Don't assume anything. Ask questions.

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Mon, 15 Aug 2016 09:51:48 +1000
From: x ksi <s3...@pjwstk.edu.pl>
Subject: Mainframe's security assessments costs

Hey group.

I was wondering if some of you could share some information about the costs various companies charged you for performing security assessment of your mainframes? At this point literally any information will be valuable (e.g. hourly rate, particular engagement cost, order of magnitude for this type of engagement, etc.).

From what I can tell there are companies providing such services but their prices seem to be one big mystery. Having even a rough estimation would allow one to better choose between various providers.

Thank you in advance.

Kind regards,
Filip

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN