OpenVMS Security Audit Check List?

 
bmorris_1
Occasional Visitor

I'm looking for an OpenVMS 8.3 Sys Admin or SME to help put together a set of instructions on how to conduct a security audit of an existing system. A simple set of bullets or numbered items would suffice.
3 REPLIES
Hoff
Honored Contributor

Re: OpenVMS Security Audit Check List?

Robert Gezelter
Honored Contributor

Re: OpenVMS Security Audit Check List?

bmorris,

My first suggestion would be a careful read of the OpenVMS Guide to System Security from the standard documentation set.

As Hoff already noted, there is a NIST outline.

There is also some background information in the "OpenVMS Security" chapter in the Handbook of Information Security [admittedly, I am the chapter author].

What is included in a security review depends on what the context is. If you are working to a standard (e.g., PCI), one needs to cover those requirements in addition to general securing of OpenVMS.

[Disclosure: We do provide consulting services in this area, as do Hoff and others who regularly contribute in this forum.]

- Bob Gezelter, CSA, CSE, http://www.rlgsc.com
Richard W Hunt
Valued Contributor

Re: OpenVMS Security Audit Check List?

There are two ways to look at this. If you just want some things to check on the system itself, that's one problem. There is also the list of ways you interact with the machine as a security procedures audit checklist. Like, when you make a tape backup (if?), where do you store it?

Look up FIPS-140-2 for a list of questions to ask if you work for the government. If you can have all the answers for that on hand, you are a very long step closer to having a properly secured and audited system.

The government also uses something called an SRR (System Readiness Report), though the one that DISA publishes for OpenVMS doesn't work very well and is at least two major versions of OpenVMS out of date. But it might give you some reasonable ideas for questions that security auditors might ask.
Sr. Systems Janitor