Security Management Guide (G06.24+, H06.03+)
Security Management Guide—522283-008
8 Concerns for the EDP Auditor
This section is written for EDP auditors of NonStop systems. It addresses many issues
that are unique to NonStop systems as well as some common auditing concerns.
In order to effectively audit a NonStop system, you must have a user ID and password.
You should be familiar with the following software publications:
• Guardian User’s Guide
• Safeguard User’s Guide
• Safeguard Administrator’s Manual
• Safeguard Reference Manual
• Safeguard Audit Service Manual
You should also attend the following classes offered by NonStop Software Education:
Concepts and Facilities, Securing Guardian Systems, and System Management.
Your company should have a comprehensive, written security policy. One purpose of
your audit is to see how well the security mechanisms enforce this policy.
System Files
The subvolumes $SYSTEM.SYSTEM and $SYSTEM.SYSnn (SYS01, SYS02, and so
on) should contain only system files. These files should be under the control of the
super ID, the super group, or some set of privileged users. Your company’s security
policy should state who is responsible for system files. Be sure the system’s security
mechanisms enforce this control.
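One way to run the ownership check described above is shown in this added example, which is not part of the original guide. It assumes the super ID is 255,255 and the super group is group 255. The inventory format (file name followed by owner), the sample lines, and the names audit_system_files and policy_owners are constructed for illustration.

```python
import re

# Assumption: the super ID is 255,255 and the super group is group 255.
SUPER_GROUP = 255

# Files in $SYSTEM.SYSTEM or $SYSTEM.SYSnn (SYS01, SYS02, and so on).
SYSTEM_SUBVOL = re.compile(r"^\$SYSTEM\.(SYSTEM|SYS\d{2})\.", re.IGNORECASE)
# One inventory line: fully qualified file name, then owner as group,user.
LINE = re.compile(r"^(\$\S+)\s+(\d{1,3}),(\d{1,3})$")

# Constructed inventory in a simplified layout; this is not real utility output.
SAMPLE = """\
$SYSTEM.SYSTEM.FUP      255,255
$SYSTEM.SYSTEM.MYTOOL   100,7
$SYSTEM.SYS01.OSIMAGE   255,255
$SYSTEM.SYS01.PATCHX    255,10
$SYSTEM.SYS02.TESTOBJ   20,33
$DATA1.PAYROLL.MASTER   100,7
"""


def audit_system_files(inventory, policy_owners=frozenset()):
    """Return (file, reason) findings for system-subvolume files whose owner
    is neither in the super group nor named in policy_owners.

    policy_owners is a hypothetical set of (group, user) pairs taken from the
    written security policy ("some set of privileged users").
    """
    findings = []
    for raw in inventory.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            # Never skip silently: an unreadable line is itself a finding.
            findings.append((line, "unparsed inventory line"))
            continue
        name, group, user = m.group(1), int(m.group(2)), int(m.group(3))
        if not SYSTEM_SUBVOL.match(name):
            continue  # outside the system subvolumes, not covered by this check
        if group == SUPER_GROUP or (group, user) in policy_owners:
            continue  # super ID, super group member, or policy-approved owner
        findings.append((name, f"owner {group},{user} not authorized"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_system_files(SAMPLE):
        print(f"{name}: {reason}")
```

Populate policy_owners only from the owners the written security policy names as responsible for system files; every remaining finding is a file to question during the audit.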
Application Programs and Files
Verify that all application programs are tested before they are released to production
systems. Only authorized, documented versions of these programs should be used.
They should have a specified life cycle, and they should be supported throughout their
life cycle.
Make sure all application program files and production data files are adequately
protected according to your company’s security policy.
Utilities
Verify that only authorized users can execute utility programs. Check your security
policy for information on control of various utility programs.
Review documentation for utilities that are not supplied by HP.