Specifications include, but are not limited to:3.1.1 Data Gathering and Analysis - The purpose of this activity is to review the gathered information to perform the assessment, and to identify potential gaps, exposures and, as applicable, opportunities for improvement based on industry best practice. 3.1.1.1 Analyze requested RACF command outputs and SDSF screenshots. 3.1.1.2 Analyze system management facilities (SMF) reports. 3.1.1.3 Analyze current password policy (length, complexity, etc.). 3.1.1.4 Analyze the use of RBAC (Role Based Access Control) 3.1.1.5 Analyze security database housekeeping process (obsolete accounts, apps, etc.) 3.1.1.6 Analyze escalation of privilege prevention process 3.1.1.7 Analyze RACF checks results from IBM Health Checker for z/OS 3.1.1.8 Analyze system datasets protection (e.g., SYS1.*) 3.1.1.9 Analyze Open Multiple virtual storage (MVS) User ID (UID) and Group ID (GID) assignments 3.1.1.10Analyze current security violation monitoring, logging, and alerting capabilities 3.1.1.11Request any missing or additional RACF implementation information as applicable 3.1.1.12Upon completion of the data analysis, Vendor will document any gaps and exposures identified and develop remediation recommendations to be included in the RACF Assessment Report
