CA Compliance Manager aids compliance at Department of Human Services

The federal Department of Human Services is using CA Compliance Manager for zOS to improve compliance reporting and auditing across multiple agencies including Centrelink and Medicare.

The 2009 decision to operate five organisations under the Department of Human Services (Commonwealth Rehabilitation Service, Centrelink, Medicare Australia, Australian Hearing, and the Child Support Program) led to additional audit scrutiny, according to Nigel Cox, operations manager, security IT services.

In addition to satisfying Australian National Audit Office requirements, he said it was necessary to ensure that non-technical users could understand compliance reports ("one of our biggest challenges"), and to manage compliance consistently across "a lot of different mainframe environments". That included 12 logical partitions serving Centrelink, five for Medicare, and three for the Child Support Program.

"I had to work out how we were going to manage compliance," said Mr Cox. Centrelink had an in-house compliance reporting tool, but the other agencies relied on outsourcers certifying they were in compliance with the contracts, which isn't the same as monitoring compliance with policies.

A decision was made to use CA Compliance Manager for zOS, as it could address malicious insider threats, malicious code execution ("not a massive problem on the mainframe," but it is important to be able to track changes made to systems), and data loss ("a huge problem for us because of privacy laws").

The problem with using ACF2 (Access Control Facility) reports as the basis for a compliance audit is that "everything looks bad," he explained. If you select an event at random, it is highly likely that you end up checking something that is within policy (eg, a person working overtime).
