
In this course, the attendee will learn why and how to secure software assets and data in the Mainframe environment. The course helps improve development and maintenance practices to strengthen legacy mainframe systems with best practices and examples.


Objectives

Understand how the mainframe impacts businesses today.
Comprehend the risk created by the interaction between mainframe and distributed environments.
Understand the relationship between application software and sensitive data.
Learn the best approaches for securing applications in the mainframe environment.
Identify the data that is in scope.
Prioritize and segment application analysis.
Identify the business processes that are impacted.
Carry out a proper impact and gap analysis.
Analyze case studies of organizations that have already gone through the process of securing their mainframe environments.
Perform live simulations based on the analysis of COBOL applications that manage sensitive data (in the context of PCI-DSS, HIPAA or GDPR).

Why Attend

During the two days, attendees will learn how to analyze the current use of mainframe systems, the vulnerabilities of and exploits against mainframe applications, and how to defend against or mitigate those attacks.

The course also explores the key technical and managerial topics required for a balanced approach to information protection, including the impact of directives, regulations, governance and management practices such as PCI-DSS v3.2, HIPAA (Health Insurance Portability and Accountability Act) and GDPR (General Data Protection Regulation).
Understand the key aspects to consider when managing data and applications for the core business.
Gain practical knowledge for developing and managing secure legacy applications.
Our approach is not only theoretical: the course is built around practical examples.

Context

The primary focus of the Payment Card Industry Data Security Standard (PCI DSS) is the protection of cardholder data. PCI DSS provides required controls for cardholder data that is stored, processed or transmitted on any platform. Unfortunately, many mainframes are currently not being assessed properly for PCI DSS compliance.

Mainframes rely on one of three external security managers (ESMs) for data and access protection: IBM's RACF, CA Top Secret or CA ACF2. Assessors not trained on, or with limited exposure to, these products will typically run a RACF DSMON report, a Top Secret TSSAUDIT report or an ACF2 SHOW ALL command. These list the global security options at the operating-system level, but they do not show whether the specific datasets, tables and transactions that hold cardholder data are actually protected.

Why is such scrutiny of mainframe security controls important? The majority of payments today touch or are processed on mainframes, regardless of whether the merchant or service provider is aware of it.

Since the 1980s, ESMs for mainframes have become feature-rich, robust and expansive. Consequently, many QSAs are less concerned with PCI cardholder data on the mainframe. They believe the mainframe is so secure because of its ESM that they would rather focus on the ubiquitous server environment. The server environment certainly requires attention. However, ESM security features are installation-selectable: an installation can choose to activate them, or not. Security professionals and IT auditors who perform mainframe ESM assessments invariably find these features turned off for performance, cost and convenience reasons. This not only affects PCI compliance, but can also put the cardholder data on those systems at risk.

Ignorance is not a control. Not having sufficient understanding of mainframe security constructs is not a valid reason to ignore them or justify minimizing the risk of cardholder data on insecure mainframes. Assuming few individuals know how to exploit mainframe vulnerabilities is unwise and portends negative results. Most QSAs and penetration testers don't have a background in mainframes and thus don't know how to exploit even the simplest vulnerability. However, remember attackers only need to be right once.

The protection of cardholder data that PCI DSS requires should not be conditionally excluded just because the cardholder data environment is not fully understood. This also applies to issuing and acquiring financial institutions, whose payment processing is predominantly mainframe-based, but that is yet another neglected topic.

Who Attends

Application Development Senior Managers
Application Developers
CIO
CSO
DPO (Data Protection Officer)
ISA (Internal Security Assessor)
IT professionals
QSA (Qualified Security Assessor)
Software Project Leaders


Agenda

Over two full days the course covers the following topics:

Introduction and Context: Mainframes & Distributed Environments

Mainframes.
Current use of mainframe systems.
Interaction between mainframe and distributed environments.
IT environment complexity.

Software Security

Software security concepts.
Are mainframes secure?
Risks in software development: design flaws and implementation errors.
Legacy mission-critical applications and their maintenance.
Classify the main COBOL security myths.
Map COBOL programming bad practices to common vulnerabilities.

Security Regulations and Standards impact on software applications

HIPAA (Health Insurance Portability and Accountability Act, USA).
GDPR (General Data Protection Regulation, EU).
PCI-DSS v3.2:
  • PCI DSS compliance process:
    • Assess
    • Report
    • Repair
  • PCI DSS goals and requirements.
  • PCI DSS requirements that impact software applications:
    • Protect stored cardholder data.
    • Develop and maintain secure applications.
  • Compensating controls.
  • Entity supplemental validation.
  • Why securing mainframe software applications is important.
  • Most common challenges.
  • Compliance vs security.

Applying PCI DSS to Mainframe Environments

Carry out a software application inventory (assessment):
  • COBOL
  • JCL
  • Libraries
  • Table declaratives
Scope definition:
  • Identify in-scope tables and columns.
  • Identify business processes in scope.
  • Identify sensitive data in files.
Conduct a proper impact and gap analysis.
Prioritize and segment application analysis.
Achieve and maintain compliance:
  • Analyze applications to find vulnerabilities.
  • Mask PAN in maps.
  • Support tokenization.
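The scope-definition and compliance steps above (identify sensitive data in files, mask the PAN) are the ones a practitioner usually ends up scripting first. The following Python example is added here and is not course material or code from the course provider: it scans a fixed-length EBCDIC file described by a hypothetical copybook, flags Luhn-valid PAN candidates in both display (PIC X) and packed-decimal (COMP-3) fields, and masks the display-format ones to first six / last four as PCI DSS requirement 3.3 allows. The record layout, the LRECL of 80, code page 037 and the three sample records are all constructed assumptions, not data from the page.

```python
"""Added example (not from the course page): discover and mask PANs in a
fixed-length EBCDIC record file, driven by a hypothetical copybook layout."""
import re
from typing import Iterator, List, Tuple

LRECL = 80           # assumed fixed record length of the dataset
CODEPAGE = "cp037"   # assumed EBCDIC code page for PIC X fields

# Hypothetical copybook (constructed for this example):
#   05 CUST-ID    PIC X(8).           offset  0
#   05 FILLER     PIC X.              offset  8
#   05 CUST-NAME  PIC X(16).          offset  9
#   05 CARD-NO    PIC X(19).          offset 25  PAN in display format
#   05 FILLER     PIC X.              offset 44
#   05 ALT-CARD   PIC 9(16) COMP-3.   offset 45  PAN as packed decimal (9 bytes)
#   05 EXP-DATE   PIC X(7).           offset 54
#   05 FILLER     PIC X(19).          offset 61
# (name, offset, length in bytes, usage, declared digits for numeric fields)
LAYOUT = [
    ("CUST-ID",   0,  8, "X",      None),
    ("CUST-NAME", 9, 16, "X",      None),
    ("CARD-NO",  25, 19, "X",      None),
    ("ALT-CARD", 45,  9, "COMP-3", 16),
    ("EXP-DATE", 54,  7, "X",      None),
]
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")   # PAN lengths per ISO/IEC 7812


def luhn_ok(digits: str) -> bool:
    """Mod-10 check; filters out random digit runs such as timestamps or IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def unpack_comp3(field: bytes, ndigits: int) -> str:
    """Decode a COBOL packed-decimal field: one digit per nibble, sign nibble last."""
    nibbles = [n for b in field for n in (b >> 4, b & 0x0F)]
    sign = nibbles.pop()
    if sign not in (0xC, 0xD, 0xF) or any(n > 9 for n in nibbles):
        raise ValueError("not a valid packed-decimal field")
    return "".join(map(str, nibbles))[-ndigits:]


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display rule: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def records(data: bytes) -> Iterator[bytes]:
    if len(data) % LRECL:
        raise ValueError("file length is not a multiple of LRECL")
    for off in range(0, len(data), LRECL):
        yield data[off:off + LRECL]


def scan_file(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (record number, field name, PAN) for every Luhn-valid candidate."""
    hits = []
    for recno, rec in enumerate(records(data), start=1):
        for name, off, length, usage, ndigits in LAYOUT:
            raw = rec[off:off + length]
            if usage == "COMP-3":
                try:
                    candidates = [unpack_comp3(raw, ndigits)]
                except ValueError:          # garbage or uninitialised field
                    continue
            else:
                candidates = DIGIT_RUN.findall(raw.decode(CODEPAGE))
            for cand in candidates:
                pan = cand.lstrip("0")      # an all-zero packed field is not a PAN
                if 13 <= len(pan) <= 19 and luhn_ok(pan):
                    hits.append((recno, name, pan))
    return hits


def mask_display_pans(data: bytes) -> bytes:
    """Mask PANs in PIC X fields in place, preserving LRECL. Packed fields
    cannot hold '*', so those need tokenization or truncation instead."""
    out = bytearray(data)
    for recno, rec in enumerate(records(data)):
        base = recno * LRECL
        for _name, off, length, usage, _ in LAYOUT:
            if usage != "X":
                continue
            text = rec[off:off + length].decode(CODEPAGE)
            masked = DIGIT_RUN.sub(
                lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text)
            out[base + off:base + off + length] = masked.encode(CODEPAGE)
    return bytes(out)


def build_record(cust_id: str, name: str, card: str, packed_hex: str, exp: str) -> bytes:
    """Build one 80-byte record following LAYOUT (constructed test data only)."""
    head = f"{cust_id:<8} {name:<16}{card:<19} ".encode(CODEPAGE)   # bytes 0-44
    tail = f"{exp:<7}".ljust(LRECL - 54).encode(CODEPAGE)            # bytes 54-79
    return head + bytes.fromhex(packed_hex) + tail


# Constructed sample file: two Luhn-valid PANs (one display, one packed), one decoy.
ZERO_PACKED = "00" * 8 + "0C"                     # PIC 9(16) COMP-3 holding zero
SAMPLE = b"".join([
    build_record("CUST0001", "JOHN DOE", "4111111111111111", ZERO_PACKED, "2026-01"),
    build_record("CUST0002", "JANE ROE", "1234567890123456", ZERO_PACKED, "2025-12"),  # fails Luhn
    build_record("CUST0003", "ACME CORP", "", "04" + "11" * 7 + "1C", "2027-03"),      # packed PAN
])

if __name__ == "__main__":
    for recno, field, pan in scan_file(SAMPLE):
        print(f"record {recno:>3}  {field:<10} {mask_pan(pan)}")
    print("remaining after masking:", scan_file(mask_display_pans(SAMPLE)))
```

Two points the run makes that the agenda bullets do not: a plain text scan of the file misses PANs held in COMP-3 fields (record 3 is only found because the copybook says where the packed field is), and masking with asterisks only works for PIC X fields, which is why the packed PAN still shows up after `mask_display_pans` and has to be handled by tokenization or truncation. Discovery of this kind is the data-inventory step only; it does not replace checking the ESM profiles that govern who can read the dataset in the first place.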

Speakers

The following speakers have confirmed their participation in this conference.

Mainframe Architecture & Security Specialist

G is currently Product Manager and lead developer for a specialised mainframe security and analysis company. He focuses on adapting solutions to customer environments and requirements. He specializes in the mainframe environment (COBOL, JCL, sequential files, etc.) and in PCI-DSS and PA-DSS solutions for securing the impacted applications and business processes. He previously headed the R&D team that developed new, more effective and cost-effective versions of the products used to support customers in system governance, regulatory compliance (specializing in PCI-DSS) and code review. He has experience in a level 6 complexity (top) PCI-DSS certification project. The solutions he has implemented are aimed not only at finding sensitive data inside business processes but at identifying and studying exactly how that data moves inside the application, giving the customer a precise map of how and where the applications need to be modified to secure them against the ever-growing threat of cyberattacks. His previous roles included internal systems maintenance, support, and testing and implementing software security solutions.

Venue

Milan is an Alpha global city, with strengths in the arts, commerce, design, education, entertainment, fashion, finance, healthcare, media, services, research and tourism. Its business district hosts Italy's stock exchange and the headquarters of the largest national and international banks and companies. The city is a major world fashion and design capital, well known for several international events and fairs, including Milan Fashion Week and the Milan Furniture Fair. The city hosts numerous cultural institutions, academies and universities, with 11% of the national total of enrolled students.

Please contact us for the specific venue
