Agency ACF2 Security Administrator's Handbook
The Office of Enterprise Technology Shared Services (OET) maintains and supports the State of Minnesota's mainframe computer system. As is true with any data repository, data security is an integral part of that maintenance. In 1982, the Security Services Unit implemented the ACF2 software package to maintain security on the mainframe.
As the number of mainframe applications increased, OET began working with agencies to decentralize some of the ACF2 security maintenance. This resulted in several agencies hiring their own security administrators to work with their applications and ACF2. To achieve decentralized administration while still maintaining segregation of each agency's information on the z/OS mainframe, OET implemented logonid privileges and scope lists to limit each security administrator's access. Logonid privileges and scope lists allow us to grant administrator access at varying levels.
ACF2 CAPABILITIES
Logonid privileges allow a user to use specific ACF2 commands:
AUDIT: A user with the AUDIT privilege can display logonid records, data set rules and resource rules. This privilege alone does not allow a user to make any changes to logonids or rules.
LEADER: A user with the LEADER privilege is able to list logonids and change some privileges. They cannot create or delete logonids, nor can they maintain data set or resource rules.
ACCOUNT: A user with the ACCOUNT privilege can create, change, delete and display logonid records.
SECURITY: A user with the SECURITY privilege can access all data sets, protected programs and resources. This person has unlimited access to system resources unless a scope list restricts this capability. This person has access to maintain data set and resource rules, and can administer logonid records only if they also have the ACCOUNT privilege.
ACF2 scope lists, also called scope records, are used to limit the powers of the above user privileges. At the State, scope lists are used to restrict each agency administrator to only their agency's logonids, data set rules and resource rules. Privileges and functions that may allow a scoped administrator access outside their designated area remain under OET control.
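As an added illustration (not code from the OET handbook or from ACF2 itself), the following Python model shows how the four privileges and a scope list combine to decide whether a scoped agency administrator may perform an action. The action names, the prefix-based scope matching and the sample "DHS"/"DOT" logonids are assumptions made for the illustration.

```python
# Added example (not the OET handbook's own code): a model of how ACF2 logonid
# privileges combine with a scope list to bound an agency administrator.
# Action names, prefix-based scope matching and sample logonids are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Actions each privilege grants, following the handbook's capability descriptions.
PRIVILEGE_ACTIONS = {
    "AUDIT": {"display_logonid", "display_rule"},
    "LEADER": {"display_logonid", "change_logonid_fields"},
    "ACCOUNT": {"display_logonid", "create_logonid", "change_logonid",
                "change_logonid_fields", "delete_logonid"},
    "SECURITY": {"display_rule", "change_rule"},  # logonid admin also needs ACCOUNT
}

@dataclass(frozen=True)
class Scope:
    lid: Tuple[str, ...]  # logonid prefixes the administrator may administer
    dsn: Tuple[str, ...]  # data set rule keys (high-level qualifiers) in scope

@dataclass(frozen=True)
class Admin:
    logonid: str
    privileges: FrozenSet[str]
    scope: Optional[Scope] = None  # None models an unscoped (OET-level) administrator

def _in_scope(prefixes: Tuple[str, ...], target: str) -> bool:
    return any(target.upper().startswith(p.upper()) for p in prefixes)

def authorize(admin: Admin, action: str, target: str) -> bool:
    """True only if a held privilege grants the action AND the target is in scope."""
    granted = set()
    for priv in admin.privileges:
        granted |= PRIVILEGE_ACTIONS.get(priv, set())
    if action not in granted:
        return False
    if admin.scope is None:
        return True
    prefixes = admin.scope.dsn if action.endswith("_rule") else admin.scope.lid
    return _in_scope(prefixes, target)

if __name__ == "__main__":
    # Constructed sample: a "DHS" agency administrator scoped to DHS logonids and rules.
    dhs_admin = Admin("DHSADM1", frozenset({"SECURITY", "ACCOUNT"}),
                      Scope(lid=("DHS",), dsn=("DHS",)))
    print(authorize(dhs_admin, "delete_logonid", "DHSU0042"))  # True
    print(authorize(dhs_admin, "delete_logonid", "DOTU0007"))  # False: other agency
    print(authorize(dhs_admin, "change_rule", "DOT.PROD"))  # False: other agency's rule
```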
Several State agencies have been administering their own ACF2 security at varying levels for many years. Agencies have the option of administering their own ACF2 security or having OET administer it for them. While agency security administrators are responsible for maintaining ACF2 for their agency, administrators do not have access to all ACF2 functions.
AGENCY SECURITY ADMINISTRATOR'S RESPONSIBILITIES
Agency security administrators are responsible for, but not limited to the following:
1. Assigning and maintaining logonids for their agency
2. Maintaining the UID for their agency
3. Maintaining data set rules for their agency
4. Maintaining resource rules for their agency
5. Maintaining and enforcing an approval process for logonid and rule access requests within their agency
6. Reviewing ACF2 violation reports on a daily basis, monitoring any access logging implemented and following up on suspicious access attempts. These reports are available via DocumentDirect and InfoPac. The report ID is F2**RP01, where the asterisks stand for the agency identifier.
7. Regularly reviewing other DocumentDirect/InfoPac reports:
- ACF2 Logonid Listing by Name (F2LS0101)
- ACF2 Logonid Listing by Logonid (F2LS0102)
- ACF2 Suspended Logonids (F2LS0103): this report provides information on logonids in each agency that have been suspended, as well as when they were suspended. It assists in identifying logonids that can possibly be removed from the system.
- Logon ID's without Employee IDs (F2NOID01): this report lists all logonids, by agency, that do not have a value in the EMPLID field. These items should be reviewed and updated to include the user's employee number.
- Daily Employee ID Number Update by Agency (F2NOID02): this report contains the employee numbers of all current State employees. It is used to resolve the blank EMPLID fields for the logonids listed in the Logon ID's without Employee IDs report. The information in this report is extracted from SEMA4, the State payroll system.
- ACF2 Logon ID Unused in 360 Days (F2SU0101): this report lists all logonids that have not been used in at least 360 days. It identifies logonids that should be reviewed and possibly removed from the system.
- Employee Movement Security Report (HP6001): this report lists all employee movement within an agency and is run every two weeks. This information assists in identifying appropriate action that may be necessary for terminating or moving employees.
- Review other reports as defined per agency.
8. Utilizing ETF/A (one of our ACF2 administration tools) to assist in rule maintenance:
- Using the Rule Aging Facility (RAF) to identify obsolete rules and rule lines
- Using the Display Ruleset Size panels to identify rules that are approaching maximum capacity
9. Assisting in ACF2 database clean-up as it pertains to your agency. This includes, but is not limited to:
- Deleting unused logonids
- Removing logonids from Source Groups when the logonid is deleted
10. Participating in the quarterly and yearly certification processes implemented at OET to meet Legislative Audit requirements, including documenting USERDATA field updates. Additional participation may be required in the future.
11. Communicating with OET about:
- Requests that the agency administrator is unable to complete
- Changes that may affect system processing, causing OET staff to be called
12. Maintaining a good working relationship to allow clear communication and rapid problem resolution.
OET SECURITY STAFF RESPONSIBILITIES
OET Security Services Unit is responsible for, but not limited to, the following activities relating to Agency Security Administration:
1. Processing requests in a timely manner (policy dictates a 24-hour turn-around; however, requests are usually processed the same day they are received)
2. Maintaining system-wide ACF2 functions
3. Maintaining logonids for agencies that do not have their own security administrators
4. Maintaining data set rules for agencies that do not have their own security administrators
5. Maintaining resource rules for agencies that do not have their own security administrators
6. Developing processes and procedures for maintaining and cleaning up the ACF2 databases
7. Providing extended support for ACF2
8. Providing support for ETF/A
9. Maintaining and regularly reviewing all scope lists, working with the agencies to establish and ensure the appropriate access for their administrators
10. Serving as backup to agency administrators when necessary
11. Serving as an ACF2 resource to agency administrators when needed
12. Communicating changes that may affect system processing to the agencies
13. Maintaining a good working relationship with the agencies to allow clear communication and rapid problem resolution
OET REQUIREMENTS FOR AGENCY SECURITY ADMINISTRATORS
1. ACF2 Administration. OET will work with each agency to determine the level of administration to be performed within the agency.
2. ACF2 personnel training. Agency security administrators must be trained in the use of ACF2 before they will be granted ACF2 security authority for their department. Limited access will be granted to new administrators as they are mentored in ACF2 administration. The mentoring phase is important, as some understanding of ACF2 is beneficial prior to formal training. Formal vendor training is required before full security access will be given to any administrator. Formal training may be instructor-led or use alternative learning methods such as on-line courses or CD.
Help Desk staff are required to have mentoring from within their agency. No formal ACF2 training is required as help desk staff unsuspend logonids and do not add or delete logonids, nor do they add, delete or change resource or dataset rules.
Existing security staff are not required to obtain training or have their access removed, although formal ACF2 training is valuable for any administrator. Those coming into an administrator position with ACF2 or extensive security experience may be allowed to waive formal training. These occurrences will be handled on an individual basis.
3. CSO/CISO Approval. OET has recently initiated a policy requiring CSO/CISO approval for certain security requests. OET will work with agencies that do not have a CSO/CISO to determine the appropriate level of approval required for the request. These requests include:
- Setting up access for new security personnel. This includes anyone receiving a security privilege. Security privileges include SECURITY, ACCOUNT, AUDIT and LEADER. This applies to a new agency security administrator as well as a help desk person who may only unsuspend logonids and reset violation counts.
- Access to another agency's data. This does not mean CSO/CISO approval is required every time a user is granted access to another agency's information. It applies to the initial set-up of that relationship, but not to each individual request.
- Access to another agency's rules. If one agency wants access to another agency's rules, the CSO/CISO from both agencies must approve this access.
4. OET notification of changes. Agency security administrators have access to make changes that could affect system processing for their entire agency. Changes with this possible effect should be communicated to the OET Security Services Unit prior to implementing the change. This includes, but is not limited to, changes such as:
- Adding, deleting or changing Started Task ID access
- Rule lines that lock out access (e.g. UID(*) PREVENT)
- New nextkeys
OET requests a 1-day notice of such changes. Notices received after 4pm may not be processed until the following day. Send email to data-security@lists.state.mn.us containing a "heads-up" on the change(s) that will be made. Include your name and phone number in the event we need to contact you during work hours, and the name and phone number of who should be contacted during off-hours should the need arise. Upon receipt of this information, OET Security Services will follow the OET change control process by completing a change notification form. The change notification gives all areas of OET the courtesy of knowing the change is being implemented, which reduces troubleshooting time should an issue arise.
Once the change has been accepted through the OET change control process, OET will notify the changing agency that they may proceed with their change as scheduled.