acf2 bestpractices db2 enu


  • 8/13/2019 ACF2 BestPractices DB2 ENU

    1/29


This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and CA.

Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.

The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.

The use of any software product referenced in the Documentation is governed by the applicable license agreement and is not modified in any way by the terms of this notice.

The manufacturer of this Documentation is CA.

Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


CA Product References

This document references the following CA products:

- CA ACF2 for z/OS (CA ACF2 for z/OS)
- CA Common Services for z/OS (CCS)
- CA Cleanup for ACF2 (CA Cleanup)

Contact CA

Contact Technical Support

For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:

- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Provide Feedback

If you have comments or questions about CA product documentation, you can send a message to [email protected].

If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.

Best Practices Guide Process

These best practices represent years of product experience, much of which is based on customer experience reported through interviews with development, technical support, and technical services. Therefore, many of these best practices are truly a collaborative effort stemming from customer feedback.

To continue and build on this process, we encourage users to share common themes of product use that might benefit other users. Please consider sharing your best practices with us.
To share your best practices, contact us at [email protected] and preface your email subject line with "Best Practices for product name" so that we can easily identify and categorize them.
Contents

Chapter 1: Introduction 7
  Purpose of this Guide 7
  Audience 7
  Documentation Set Overview 7
  Mainframe 2.0 Overview 8
  Mainframe 2.0 Features 9

Chapter 2: Installation Best Practices 11
  Installation Considerations 11
  CA Mainframe Software Manager 11
  DB2 Subsystems Protection 12
  CAIENF DB2 Component of CA Common Services 12

Chapter 3: Configuration Best Practices 15
  CA ACF2 Option for DB2 Configuration 15
    The OPTIONS Record 15
    The EXITS Record 16
  CA ACF2 for z/OS Configuration 17
    CA ACF2 for z/OS OPTS Record 17
    CA ACF2 for z/OS Exit Considerations 17
    CA ACF2 for z/OS INFODIR Record 18
  Removal of Obsolete Security 19
    Obsolete User Definitions and Entitlements 20
    Obsolete Configuration Options 20
    Expired and Unused User IDs and Entitlements 20
  Convert Native DB2 Security Information 21

Chapter 4: Auditability Best Practices 23
  Auditability Considerations 23
    Global Logging Controls 23
    User-Based Controls 24
    Entitlement-Based Controls 25
  Compliance Auditing 26
  Regular and Audit Regimen Using CA Auditor 27

Index 29

Chapter 1: Introduction

This section contains the following topics:

- Purpose of this Guide (see page 7)
- Audience (see page 7)
- Documentation Set Overview (see page 7)
- Mainframe 2.0 Overview (see page 8)
- Mainframe 2.0 Features (see page 9)

Purpose of this Guide

The guide provides a brief introduction to CA's Mainframe 2.0 strategy and features, and describes the best practices for installing and configuring CA ACF2 Option for DB2.

Audience

The intended audience of this guide is systems programmers and administrators who install, configure, deploy, and maintain .

Documentation Set Overview

This list offers a basic description of each guide in the CA ACF2 Option for DB2 documentation set:

Administrator Guide
  Describes how to secure the IBM Database 2 (DB2) product using CA ACF2 Option for DB2.

Getting Started Guide
  Details the steps to install CA ACF2 Option for DB2.

Messages Guide
  Lists the messages that CA ACF2 Option for DB2 issues, explains why the message appears, and details how you should respond.

Mainframe 2.0 Overview

Mainframe 2.0 is our strategy for providing leadership in the mainframe operating environment. We intend to lead the mainframe marketplace for customer experience, Out-Tasking solutions, and solution innovation. After listening to customer needs and requirements to keep the mainframe operating environment viable and cost-effective, we are providing new tools to simplify usage and to energize this operating environment for years to come.

CA Mainframe Software Manager (CA MSM) is an important step in realizing the Mainframe 2.0 strategy. CA MSM simplifies and standardizes the delivery, installation, and maintenance of mainframe products on z/OS systems. CA MSM has a browser-based user interface (UI) with a modern look and feel for managing those solutions. As products adopt Mainframe 2.0 features and CA MSM services, you can acquire, install, and manage your software in a common way.

CA MSM provides software acquisition and installation that make it easier for you to obtain and install CA mainframe products, and apply the recommended maintenance. The services within CA MSM enable you to manage your software easily based on industry accepted best practices. The common browser-based UI makes the look and feel of the environment friendly and familiar.

We follow the IBM z/OS packaging standards using SMP/E, with some additional CA qualities of service added, to make installation simple and consistent. Additionally, through the synchronization of product releases and the use of common test environments, we will declare a yearly mainframe software stack that includes many new releases with enhanced functionality. This stack is certified for interoperability across the CA mainframe product portfolio and the base IBM z/OS product stack.

Mainframe 2.0 Features

Mainframe 2.0 has the following main features:

CA Mainframe Software Manager (CA MSM)
  Delivers simplified acquisition, installation, and deployment capabilities using a common z/OS-based web application delivered through a browser-based UI. CA MSM includes the following services:

  Product Acquisition Service (PAS)
    Facilitates the acquisition of our mainframe products and services, including product base installation packages and program temporary fixes (PTFs). This service integrates the inventory of products available on your system with CA Support, providing a seamless environment for managing and downloading software and fixes onto your system.

  Software Installation Service (SIS)
    Facilitates the installation and maintenance of our mainframe products in the software inventory of the driving system. This service enables you to browse and manage the software inventory using a web interface, and automates tasks for products that use SMP/E to manage installation. You can browse downloaded software packages, and browse and manage one or more consolidated software inventories (CSIs) on the driving system.

  Software Deployment Service (SDS)
    Facilitates the deployment of our mainframe products from the software inventory of the driving system. This service enables you to deploy installed products that are policy driven with a set of appropriate transport mechanisms across a known topology. The enterprise system topology can include shared DASD environments, networked environments, and z/OS systems. Policies represent a combination of CA metadata input that identifies the component parts of a product and user-supplied input that identifies the deployment criteria, such as where it will go and what it will be called.

Electronic Software Delivery (ESD)
  Enables you to get our products from an FTP server. We have improved this process so that you no longer need to build a tape to install the product.

Best Practices Management
  Integrates with IBM Health Checker for z/OS to verify that deployed software follows our best practices. The health checks continually monitor the system and software to provide feedback on whether the software continues to be configured optimally.

Best Practices Guide
  Provides best practices for product installation and configuration.

Note: For additional information about the CA Mainframe 2.0 initiative, see http://ca.com/mainframe2.

Chapter 2: Installation Best Practices

This section contains the following topics:

- Installation Considerations (see page 11)
- CA Mainframe Software Manager (see page 11)
- DB2 Subsystems Protection (see page 12)
- CAIENF DB2 Component of CA Common Services (see page 12)

Installation Considerations

We recommend an installation process using a standardized set of libraries and procedures.

Business Value:

This process simplifies and standardizes the installation process so it is reliable and repeatable. These standardized libraries typically begin with the CAI high-level qualifier. We have optimized installation and maintenance procedures to support these standard data set names. CA ACF2 Option for DB2 is installed and maintained using SMP/E.

Additional Considerations:

We now offer an easy-to-install Electronic Software Delivery (ESD) program. You can download product and maintenance releases over the Internet directly to your system from http://ca.com/support. When you order the product, you receive the authorizations and instructions to access, download, and prepare the installation files without the need for a physical tape.

CA Mainframe Software Manager

We recommend that you use CA MSM to acquire, install, and maintain your product.

Business Value:

CA MSM provides a web interface, which works with Electronic Software Delivery (ESD) and standardized installation, to provide a common way to manage CA mainframe products. You can use it to download and install CA ACF2 Option for DB2.
CA MSM lets you download product and maintenance releases over the Internet directly to your system from http://ca.com/support. After you use CA MSM to download your product or maintenance, you use the same interface to install the downloaded software packages using SMP/E.

Additional Considerations:

After you install the product, use the CA ACF2 Option for DB2 documentation set at http://ca.com/support to configure your product. CA MSM can continue to help you maintain your product.

More Information:

For more information about CA MSM, see the CA Mainframe Software Manager Guide. For more information about product setup, see the CA ACF2 Option for DB2 Getting Started Guide. Both documents are available at http://ca.com/support.

DB2 Subsystems Protection

We recommend that you use the CA ACF2 Option for DB2 sample CADB2XAC exit, which you can install into your DB2 SDSNEXIT data set as the DB2 DSNX@XAC resource authorization exit. This sample exit causes the DB2 subsystem to terminate if the subsystem initializes and executes without CA ACF2 Option for DB2.

Business Value:

This practice lets you protect against a DB2 subsystem executing without using CA ACF2 Option for DB2 security.

More Information:

To install this sample exit, see the CA ACF2 Option for DB2 Getting Started Guide.

CAIENF DB2 Component of CA Common Services

We recommend installing and initializing the CAIENF DB2 component of CCS to implement CA ACF2 Option for DB2.
Business Value:

If the CAIENF DB2 component is not initialized, CA ACF2 Option for DB2 will not initialize in any DB2 subsystem, and DB2 will revert to using whatever native DB2 security controls are still intact.

Chapter 3: Configuration Best Practices

This section contains the following topics:

- CA ACF2 Option for DB2 Configuration (see page 15)
- CA ACF2 for z/OS Configuration (see page 17)
- Removal of Obsolete Security (see page 19)
- Convert Native DB2 Security Information (see page 21)

CA ACF2 Option for DB2 Configuration

CA ACF2 Option for DB2 security processing is controlled by DB2 control records defined in the CA ACF2 for z/OS Infostorage database. These records are critical because they control how CA ACF2 for z/OS operates and what it secures in servicing the resource security requests from CA ACF2 Option for DB2. DB2 control records are also critical from a compliance point of view, because each standing control might need to be examined for appropriateness and validated.

This section discusses the best practices for configuring CA ACF2 Option for DB2.

The OPTIONS Record

Because implementation of CA ACF2 Option for DB2 in a DB2 subsystem and the DB2 resources secured in the subsystem are controlled by the configuration options specified in the DB2 Control OPTIONS record, we recommend that you do not specify a MODE other than ABORT for any DB2 resource in the OPTIONS record.

Business Value:

When a DB2 resource is accessed, CA ACF2 Option for DB2 parallels native DB2 security processing in checking several different resources and privileges for access. For example, when a DB2 table is read, CA ACF2 Option for DB2 checks for SELECT access to the table, ownership of the table, the DBADM privilege on the DB2 database that contains the table, and the SYSADM system privilege. If any of these different authorization checks returns an allow condition, the original resource access (reading the table) is allowed. This means that the MODE specified for one resource class can affect access authorizations to a different resource class: a non-ABORT MODE on one class lets that class's check return an allow, and that allow is enough to grant the access even when every other class is in ABORT mode.

The EXITS Record

Proper exit usage can customize CA ACF2 Option for DB2 processing to accommodate installation-specific needs and considerations. We recommend writing one or more exits.

Business Value:

Writing exits provides additional value to your installation, using them to better align CA ACF2 for z/OS security functionality with your business processes and applications.

Exit Code Review

You should examine each CA ACF2 Option for DB2 exit line by line to identify specifically what the exit does. We recommend using the freezer function of CA Auditor as a method of helping to automatically monitor these critical data sets.

Business Value:

Proper exit usage can customize CA ACF2 for z/OS processing to accommodate site-specific needs and considerations. Strict security and change management controls ensure that only properly certified changes are allowed to occur.

Additional Considerations:

CA ACF2 Option for DB2 exit code and the libraries used to hold the source and executable code should be carefully controlled and subjected to stringent change control restrictions to ensure that all changes are properly tracked and audited.

The pre- and post-validation exits specified in the CA ACF2 for z/OS GSO EXITS record can affect the access decision returned by CA ACF2 for z/OS to any DB2 access authorization request. CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code should be carefully controlled and subjected to stringent change control restrictions to ensure that all changes are properly tracked and audited. You should put strict security and change management controls in place to ensure that only properly certified changes are allowed to occur.

CA ACF2 for z/OS Configuration

CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS to allow you to control access to DB2 resources, identify usage activity, violation activity, administrative activity, and more. Because CA ACF2 for z/OS performs the actual resource authorization checks, the integrity and performance of CA ACF2 Option for DB2 is dramatically affected by the installation and configuration of CA ACF2 for z/OS. This section discusses best practices for configuring security controls in CA ACF2 for z/OS that CA ACF2 Option for DB2 leverages.

More Information:

In addition to reading this guide, you should also familiarize yourself with the CA ACF2 for z/OS Best Practices Guide. In addition, see the CA ACF2 for z/OS Administrator Guide for more information about the CA ACF2 for z/OS options discussed in this section.

CA ACF2 for z/OS OPTS Record

CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS. We recommend using the MODE value in the GSO OPTS record, which determines the access decisions returned by CA ACF2 for z/OS to any DB2 access authorization request.

Business Value:

The MODE field in the CA ACF2 for z/OS GSO OPTS record determines the access decision returned by CA ACF2 for z/OS to any DB2 access authorization request.

Additional Considerations:

A MODE value other than ABORT or RULE in the OPTS record will cause CA ACF2 for z/OS to return an allow or allow-with-log response to any CA ACF2 Option for DB2 authorization request. If the MODE value in the OPTS record is RULE, the access decision will be determined by the CA ACF2 Option for DB2 resource rule, and the rules must be written accordingly.
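The two MODE settings the guide describes (the per-resource MODE in the DB2 Control OPTIONS record, and the GSO OPTS MODE of CA ACF2 for z/OS) combine with the OR-of-checks logic for a table read in a way that is easy to get wrong, so here is a small Python model of that decision. It is an illustration added for this edit, not code from CA ACF2 Option for DB2 or from CA: the resource class names TABLE, DATABASE and SYSTEM, the rule-table layout, the treatment of RULE mode and the non-ABORT class mode names LOG and QUIET are assumptions; the list of checks and the meaning of the GSO OPTS MODE values follow the guide's text.

```python
"""Model of how a DB2 table read is authorized through CA ACF2 for z/OS, with the
GSO OPTS MODE and the per-class MODE of the DB2 Control OPTIONS record layered on
top.  Constructed illustration, not product code; class names, rule layout and the
non-ABORT class modes are assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

GSO_MODES = ("QUIET", "LOG", "WARN", "ABORT", "RULE")   # GSO OPTS MODE values
CLASS_MODES = ("ABORT", "LOG", "QUIET")                  # assumed OPTIONS record MODE values

# Constructed rule base: (class, resource, privilege, uid) -> "allow".  Anything not
# listed is treated as denied, mirroring a default-deny rule base.
RuleBase = Dict[Tuple[str, str, str, str], str]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    logged: bool
    reason: str


def apply_class_mode(verdict: str, mode: str) -> Decision:
    """Turn a rule verdict into a decision under the class MODE.  Only ABORT
    enforces a deny; LOG lets the access through with a log record, QUIET silently."""
    if mode not in CLASS_MODES:
        raise ValueError(f"unknown class mode {mode}")
    if verdict == "allow":
        return Decision(True, False, "rule allows")
    if mode == "ABORT":
        return Decision(False, True, "rule denies and ABORT enforces it")
    return Decision(True, mode == "LOG", f"rule denies but MODE={mode} allows")


def authorize_table_read(uid: str, table: str, database: str, owner: str,
                         rules: RuleBase, gso_mode: str,
                         class_modes: Dict[str, str]) -> Tuple[Decision, List[str]]:
    """Decide a SELECT on `table` as the guide describes: the read is allowed if ANY
    of SELECT-on-table, table ownership, DBADM-on-database or SYSADM allows."""
    if gso_mode not in GSO_MODES:
        raise ValueError(f"unknown GSO mode {gso_mode}")
    # GSO OPTS gate: a MODE other than ABORT or RULE returns allow (LOG/WARN log it).
    if gso_mode not in ("ABORT", "RULE"):
        return Decision(True, gso_mode != "QUIET",
                        f"GSO MODE={gso_mode} allows every request"), []
    # ABORT and RULE both reach the resource rules here; in the real product RULE
    # defers to settings inside each rule, which this model does not carry (assumption).
    checks = [("TABLE", table, "SELECT"), ("OWNER", table, "OWNER"),
              ("DATABASE", database, "DBADM"), ("SYSTEM", "SYSADM", "SYSADM")]
    trail: List[str] = []
    for rclass, resource, privilege in checks:
        if rclass == "OWNER":          # ownership is a DB2 attribute, not a rule
            owns = owner == uid
            decision = Decision(owns, False, "owns the table" if owns else "not the owner")
        else:
            verdict = rules.get((rclass, resource, privilege, uid), "deny")
            decision = apply_class_mode(verdict, class_modes.get(rclass, "ABORT"))
        trail.append(f"{rclass} {privilege}: {decision.reason}")
        if decision.allowed:
            return Decision(True, decision.logged, f"{rclass} check: {decision.reason}"), trail
    return Decision(False, True, "every check denies"), trail


# Constructed sample rule base and two OPTIONS configurations.
RULES: RuleBase = {
    ("TABLE", "PAYROLL.SALARY", "SELECT", "HRUSER1"): "allow",
    ("DATABASE", "PAYROLLDB", "DBADM", "DBA01"): "allow",
}
ALL_ABORT = {"TABLE": "ABORT", "DATABASE": "ABORT", "SYSTEM": "ABORT"}
SYSTEM_LOG = {"TABLE": "ABORT", "DATABASE": "ABORT", "SYSTEM": "LOG"}   # the setting the guide warns against


def read_salary(uid: str, gso_mode: str, class_modes: Dict[str, str]) -> Decision:
    """SELECT on the constructed PAYROLL.SALARY table, owned by logonid PAYOWN."""
    return authorize_table_read(uid, "PAYROLL.SALARY", "PAYROLLDB", "PAYOWN",
                                RULES, gso_mode, class_modes)[0]


if __name__ == "__main__":
    for uid, gso, modes in [("HRUSER1", "ABORT", ALL_ABORT), ("TEMP01", "ABORT", ALL_ABORT),
                            ("TEMP01", "ABORT", SYSTEM_LOG), ("TEMP01", "WARN", ALL_ABORT)]:
        d = read_salary(uid, gso, modes)
        print(f"{uid:8} GSO={gso:5} SYSTEM={modes['SYSTEM']:5} -> "
              f"allowed={d.allowed} logged={d.logged}: {d.reason}")
```

Running it shows the spillover the guide warns about: with every class in ABORT, TEMP01 is refused, but changing only the SYSTEM class to LOG lets the same SELECT through (with a log record) even though the TABLE class is still ABORT, because the SYSADM check no longer enforces its deny. Setting the GSO OPTS MODE to WARN (or LOG or QUIET) lets everything through regardless of the rules, which is why both records have to be checked during a compliance review.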

CA ACF2 for z/OS Exit Considerations

We recommend that you periodically review each exit to recertify its applicability and usefulness. If the exit provides a function that CA ACF2 for z/OS now provides, you can migrate from that exit point to the native product functionality.

Business Value:

As CA ACF2 for z/OS has evolved, we have added exit functionality to the base product, typically using new options, security records, privileges, and so on. Because CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS, any exits specified in the CA ACF2 for z/OS base product can affect the access decision CA ACF2 for z/OS returns to any DB2 access authorization request; therefore, examine any CA ACF2 for z/OS exit line by line to identify specifically the role of each exit.

Additional Considerations:

We also suggest that you consider the following:

- Carefully control CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code, and implement stringent change control restrictions to ensure that all changes are properly tracked and audited.
- Implement strict security and change management controls to ensure that only properly certified changes are allowed to occur.
- The freezer function of CA Auditor is an excellent method of helping to automatically monitor these critical data sets.

CA ACF2 for z/OS INFODIR Record

Minimize DASD utilization by eliminating the need to retrieve the rules from the security databases on DASD. We recommend using the CA ACF2 for z/OS controls which enable memory-based sharing of the CA ACF2 Option for DB2 resource rules.

Business Value:

The performance of the authorization process in CA ACF2 for z/OS strongly impacts the performance of the CA ACF2 Option for DB2 resource security processing. One of the biggest performance-related items concerns DASD-related overhead and contention for the CA ACF2 for z/OS security databases. In particular, during the CA ACF2 for z/OS processing of a CA ACF2 Option for DB2 authorization request, CA ACF2 for z/OS locates and checks the CA ACF2 Option for DB2 resource rule.

Additional Considerations:

Generally speaking, activation of these options involves a trade-off that must be weighed carefully. These options generally control sharing of security objects in common memory storage, a relatively scarce commodity even on the largest of today's IBM mainframes. The cost of the storage must be weighed against the benefit gained, namely the saving of DASD I/O operations.

Removal of Obsolete Security

Obsolete User Definitions and Entitlements

It is common for an installation to have obsolete logonids and security entitlements in the form of data set access rules and resource rules. We recommend that your site implement CA Cleanup.

Business Value:

CA Cleanup provides automated, continuous cleanup of CA ACF2 for z/OS security databases.

Obsolete Configuration Options

Implement CA Cleanup to identify obsolete GSO control options that should be targeted for removal.

Business Value:

Frequently, an installation implements a security policy using particular GSO options and then that policy will remain defined permanently, even though the underlying business case reason behind the policy has been modified or perhaps deleted.

Additional Considerations:

An audit of a security control may require that some substantiation for the need of that control be performed. This process is easier to address if a change control mechanism exists that tracks security policy changes that result in changes to GSO records, configuration options, pertinent logonids, rules, and so on. Otherwise, the process of substantiating change becomes difficult and one probable outcome is the orphaning of security options and controls.

Expired and Unused User IDs and Entitlements

We recommend that you implement an automated credential and entitlement monitoring system, such as CA Cleanup.

Business Value:

CA Cleanup provides a viable, cost-effective means of automatic identification and de-administration of unused, obsolete, or expired user credentials and security entitlements.

Additional Considerations:

Expired, obsolete, and unused credentials and entitlements pose a large security risk and, for this reason, are the target of many contemporary compliance laws, requirements, and regulations. The PCI-DSS standard contains very specific language concerning processing of expired or obsolete user credentials and entitlements. The v1.2 specification states that inactive accounts must be removed or disabled after 90 days.
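As an added illustration of the 90-day rule quoted above (this is not CA Cleanup, which applies the check against the live security database, and not code from the guide), the following Python script classifies a constructed set of logonid records by expiry date and last-access date and lists the ones that should be disabled or removed. The record fields (last access, expiry, suspended flag) and the sample logonids are assumptions made for the example.

```python
"""Flag logonids that are expired or have been inactive for more than 90 days.
Constructed illustration with made-up records; it does not read a CA ACF2 database
and the record layout is an assumption."""

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

INACTIVITY_LIMIT = timedelta(days=90)   # the PCI-DSS v1.2 figure quoted by the guide


@dataclass(frozen=True)
class Logonid:
    name: str
    last_access: Optional[date]   # None means the logonid has never been used
    expire: Optional[date]        # None means no expiry date is set
    suspended: bool = False


def classify(rec: Logonid, today: date) -> str:
    """Return 'suspended', 'expired', 'never-used', 'inactive' or 'active'.
    A logonid idle for exactly 90 days is still within the limit."""
    if rec.suspended:
        return "suspended"
    if rec.expire is not None and rec.expire < today:
        return "expired"
    if rec.last_access is None:
        return "never-used"
    if today - rec.last_access > INACTIVITY_LIMIT:
        return "inactive"
    return "active"


def review(records: List[Logonid], today: date) -> Dict[str, List[str]]:
    """Group logonids by finding.  'action' lists the IDs that should be disabled or
    removed (expired first, then inactive); never-used IDs are reported separately
    because the record carries no creation date to measure their age against."""
    findings: Dict[str, List[str]] = {k: [] for k in
                                      ("suspended", "expired", "never-used", "inactive", "active")}
    for rec in records:
        findings[classify(rec, today)].append(rec.name)
    findings["action"] = findings["expired"] + findings["inactive"]
    return findings


# Constructed sample; the review date is fixed so the results are reproducible.
TODAY = date(2019, 8, 13)
SAMPLE = [
    Logonid("HRUSER1", date(2019, 8, 12), None),                  # used yesterday
    Logonid("DBA01", date(2019, 5, 1), None),                     # 104 days idle
    Logonid("TEMP01", date(2019, 2, 1), date(2019, 6, 30)),       # expiry date has passed
    Logonid("NEWHIRE", None, None),                               # defined, never used
    Logonid("OLDADM", date(2019, 8, 1), None, suspended=True),    # already suspended
    Logonid("BATCH01", date(2019, 5, 15), None),                  # exactly 90 days idle
]

if __name__ == "__main__":
    for finding, ids in review(SAMPLE, TODAY).items():
        print(f"{finding:10} {', '.join(ids) or '-'}")
```

The same classification run on a real extract of logonid records gives an auditor the substantiation the guide asks for: each ID on the action list carries the date that put it there, so the decision to disable it can be traced during a compliance review.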

Convert Native DB2 Security Information

If you use native DB2 security, you can simplify rule writing by using a conversion utility to create rule sets. We recommend that you run a conversion utility to create your first set of rules.

Business Value:

The conversion effort turns existing native DB2 security information and the security controls into corresponding security controls in CA ACF2.

Additional Considerations:

The conversion utility job CP12CNVT is located in the CAI.ACF2DB2.CACPJCL data set. This utility provides a basis from which to start writing rules.

Chapter 4: Auditability Best Practices

    This section contains the following topics:

    Auditability Considerations(see page23)

    Compliance Auditing(see page26)

    Regular and Audit Regimen Using CA Auditor(see page27)

    Auditability Considerations

    We recommend that you log data to fit your business needs, but we caution you

    to devise your logging plans with auditability and resource usage in mind.

    Business Value:

    The security administrator, through entitlement-based controls and general

    security configuration options, controls the amount of logging on a system. The

    options that are set must reflect the business needs of the installation.

    Logging does affect performance; logging does cost in terms of processing path

    length, data repository size, and more. Consider this potential for overhead

    when deciding what logging controls to activate.

    More Information:

    The following sections detail several logging controls and our recommendations

    on how to use them.

    Global Logging Controls

    We recommend that you use global control options to customize how you

    capture data to logs.

    Business Value:

    By capturing system-wide data to logs, you retain the data needed for an audit,

    for troubleshooting, and for potential error recovery.


    Additional Considerations:

    Examine the following GSO controls that affect logging at a global level:

    BLPPGM record
    CLASMAP record
    DELRSRC record
    LOGPGM record
    MLSOPTS record
    OPTS record
    PPGM record
    SECVOLS record

    User-Based Controls

    We recommend that you use the user-based (logonid) logging controls so that

    CA ACF2 for z/OS writes log entries recording which resources a given user

    has accessed.

    Business Value:

    This practice lets you track user and logonid activity.


    Additional Considerations:

    You can log all system entry (logon, job) activity by using one of the following

    logonid record privileges:

    MON-LOG
    MONITOR
    PP-TRC
    PP-TRCV
    TRACE
    TSO-TRC
    LOGSHIFT

    Consider the role that special privileges play on an individual user level and their

    impact on logging. CA ACF2 for z/OS generates special log entries based on the

    following logonid privileges:

    SECURITY
    NON-CNCL
    PRIV-CTL (if this causes special privileges to be granted)
    READALL
    RULEVLD

    Entitlement-Based Controls

    When a CA ACF2 Option for DB2 resource rule is written, the security

    administrator has control over the specific circumstances in which logging

    records will be written. By default, CA ACF2 for z/OS logs failed access attempts

    or access attempts made under special circumstance such as under security

    authority. We recommend detailed examination of the rule sets.

    Business Value:

    Examination may reveal that some generated loggings are superfluous and can

    be eliminated without impacting system security or auditability.
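    The rule-set examination recommended above can begin with a static pass over
    the rule text itself. The following Python script is an added example written
    for this page, not a CA utility. It parses the entries of a CA ACF2 resource
    rule set (the $KEY(...) TYPE(...) header and the UID(...), SERVICE(...) and
    ALLOW, LOG or PREVENT keywords are standard rule syntax), reports which
    entries write a log record on a successful access (LOG) and which on a denial
    (PREVENT, logged by default), and flags LOG entries whose UID mask covers every
    user, because those write a record for every routine access and are the usual
    source of superfluous logging. The sample rule set, the key name PAYROLL, the
    UID masks and the type code DB2T are constructed placeholders, not values from
    the guide, and ACF2's most-specific-first sorting of entries is not modelled.

```python
"""Static logging review of CA ACF2 resource rule entries.

Added example for this page (not a CA utility). The $KEY(...) TYPE(...)
header and the UID(...), SERVICE(...) and ALLOW | LOG | PREVENT keywords
are standard CA ACF2 resource rule syntax; everything in SAMPLE_RULE_SET
(key name, masks, type code DB2T) is a constructed placeholder.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample rule set for illustration only.
SAMPLE_RULE_SET = """\
$KEY(PAYROLL) TYPE(DB2T)
 UID(FINADMIN) SERVICE(READ,UPDATE) ALLOW
 UID(FINRPT-) SERVICE(READ) LOG
 UID(-) SERVICE(READ) LOG
 UID(-) PREVENT
"""

DISPOSITIONS = ("ALLOW", "LOG", "PREVENT")


@dataclass
class RuleEntry:
    key: str
    uid_mask: str
    services: Tuple[str, ...]   # empty tuple: the entry covers all services
    disposition: str

    def logs_on_success(self) -> bool:
        # LOG grants the access and also writes a logging record.
        return self.disposition == "LOG"

    def logs_on_denial(self) -> bool:
        # PREVENT denies the access; ACF2 logs denials by default.
        return self.disposition == "PREVENT"


def uid_mask_is_broad(mask: str) -> bool:
    """True when the mask has no literal characters: '-' alone, or only
    '*' positions optionally ended by '-'. Such a mask matches every UID."""
    return mask == "-" or re.fullmatch(r"\*+-?", mask) is not None


def parse_rule_set(text: str) -> List[RuleEntry]:
    """Parse one resource rule set into its entries, in written order
    (ACF2's most-specific-first sorting of entries is not modelled here)."""
    key: Optional[str] = None
    entries: List[RuleEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"\$KEY\(([^)]+)\)", line, re.IGNORECASE)
        if header:
            key = header.group(1).upper()
            continue
        if line.startswith(("$", "%")):
            continue  # other control cards ($PREFIX, %CHANGE, ...) do not affect logging
        uid = re.search(r"UID\(([^)]*)\)", line, re.IGNORECASE)
        if uid is None or key is None:
            raise ValueError(f"unrecognised rule line: {raw!r}")
        svc = re.search(r"SERVICE\(([^)]*)\)", line, re.IGNORECASE)
        services = tuple(s.strip().upper() for s in svc.group(1).split(",")) if svc else ()
        disp = next((w for w in line.upper().split() if w in DISPOSITIONS), None)
        if disp is None:
            raise ValueError(f"entry without ALLOW/LOG/PREVENT: {raw!r}")
        entries.append(RuleEntry(key, uid.group(1).upper(), services, disp))
    return entries


def review_logging(text: str) -> Dict[str, List[RuleEntry]]:
    """Classify entries by logging behaviour. 'broad_log_candidates' are LOG
    entries whose mask covers every user: each routine access by anyone writes
    a record, which is what a rule-set examination should look at first."""
    entries = parse_rule_set(text)
    return {
        "silent_allow": [e for e in entries if e.disposition == "ALLOW"],
        "log_on_success": [e for e in entries if e.logs_on_success()],
        "log_on_denial": [e for e in entries if e.logs_on_denial()],
        "broad_log_candidates": [
            e for e in entries if e.logs_on_success() and uid_mask_is_broad(e.uid_mask)
        ],
    }


if __name__ == "__main__":
    for category, found in review_logging(SAMPLE_RULE_SET).items():
        print(f"{category}:")
        for e in found:
            svc = ",".join(e.services) or "ALL"
            print(f"  $KEY({e.key}) UID({e.uid_mask}) SERVICE({svc}) {e.disposition}")
```

    On the sample set the script reports the UID(-) SERVICE(READ) LOG entry as the
    one to question: it records every successful READ by every user, while the
    FINRPT- entry limits the same logging to one reporting group. Run it against
    rule text exported from your own system and review each flagged entry against
    the audit requirement that justified it.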


    Compliance Auditing

    We recommend using CA Compliance Manager, which provides a single source for

    real-time, compliance-related information and events occurring within the

    mainframe environment.

    Business Value:

    CA Compliance Manager lets you easily manage and audit your mainframe

    environment. It accomplishes this with continuous, real-time monitoring and

    collection of compliance and security-related information, policy alerting, and an

    intuitive reporting interface for compliance and security event reporting. It also

    gives you the comprehensive auditing tools that you need to prove your

    compliance to IT and risk-management auditors.

    Additional Considerations:

    CA Compliance Manager consists of several components:

    The Change Monitor detects and records changes to external security
    manager (ESM) configurations, operating system security configuration, and
    selected PDS/PDSE data sets.

    The Data Warehouse stores information about mainframe security events in
    a relational repository that is accessible for compliance reporting, allowing
    complex reporting processes to be initiated. It also provides real-time access
    to current and historical security information for forensic analysis, going
    beyond current reporting capabilities of security products.

    The Alert component provides real-time notification of potential security
    breaches indicated by changes in the security configuration and specific
    security events. Stakeholders can receive immediate notification of pertinent
    violations, user activity, and access or change activity to critical resources
    using email notification, Write To Operator (WTO), or help desk ticket
    creation.

    Regular and Audit Regimen Using CA Auditor

    Additional Considerations:

    As you devise your auditing regimen, consider the following points:

    The z/OS system is the foundation for the applications and data that run your
    business; therefore, if the z/OS system has integrity exposures, the
    associated applications have the same exposures.

    A sound security policy bolsters z/OS integrity. Similarly, a proper z/OS
    implementation supports your overall security because a user could exploit
    any weakness to circumvent critical security controls and damage your
    applications.

    Sound system integrity is the result of careful planning, well-defined procedures,
    proper security and change control mechanisms, and regular auditing to verify
    that users are following these procedures.


    Index

    A
    access decisions 17
    auditing your system 27

    C
    CA Auditor
      freezer function 16, 17
    CA Cleanup 20
    CA Common Services (CCS) 12
    CAIENF DB2 component 12
    CA Compliance Manager 26
    conversion utility 21
    credential monitoring 20

    D
    DASD-related overhead 18

    E
    entitlement monitoring 20
    exits 16
      considerations 17

    G
    GSO records
      ABORT 17
      EXITS 16
      identify obsolete 20
      INFODIR 18
      MODE value 17
      OPTS record 17
      RULE 17
      RULEOPTS 18

    I
    Infostorage database 15, 16

    L
    logging data 23, 24, 25

    M
    Mainframe 2.0
      CA Mainframe Software Manager 11
      Electronic Software Delivery 11
      features 9
      Overview 8

    O
    obsolete logonids 20

    P
    privileges
      DBADM privilege 15
      SYSADM 15

    S
    security controls 17
    security entitlements 20
    security processing 15, 16
    SELECT access 15
    subsystem protection 12