
CA ACF2 Option for DB2

Best Practices Guide


r1.2

This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. 
The use of any software product referenced in the Documentation is governed by the applicable license agreement and is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA. Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

CA Product References
This document references the following CA products:
    CA ACF2 for z/OS (CA ACF2 for z/OS)
    CA Common Services for z/OS (CCS)
    CA Cleanup for ACF2 (CA Cleanup)

Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:
    Online and telephone contact information for technical assistance and customer services
    Information about user communities and forums
    Product and documentation downloads
    CA Support policies and guidelines
    Other helpful resources appropriate for your product

Provide Feedback
If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com. If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.

Best Practices Guide Process
These best practices represent years of product experience, much of which is based on customer experience reported through interviews with development, technical support, and technical services. Therefore, many of these best practices are truly a collaborative effort stemming from customer feedback. To continue and build on this process, we encourage users to share common themes of product use that might benefit other users. Please consider sharing your best practices with us.

To share your best practices, contact us at techpubs@ca.com and preface your email subject line with "Best Practices for product name" so that we can easily identify and categorize them.

Contents

Chapter 1: Introduction 7
    Purpose of this Guide 7
    Audience 7
    Documentation Set Overview 7
    Mainframe 2.0 Overview 8
    Mainframe 2.0 Features 9

Chapter 2: Installation Best Practices 11
    Installation Considerations 11
    CA Mainframe Software Manager 11
    DB2 Subsystems Protection 12
    CAIENF DB2 Component of CA Common Services 12

Chapter 3: Configuration Best Practices 15
    CA ACF2 Option for DB2 Configuration 15
        The OPTIONS Record 15
        The EXITS Record 16
    CA ACF2 for z/OS Configuration 17
        CA ACF2 for z/OS OPTS Record 17
        CA ACF2 for z/OS Exit Considerations 17
        CA ACF2 for z/OS INFODIR Record 18
    Removal of Obsolete Security 19
        Obsolete User Definitions and Entitlements 20
        Obsolete Configuration Options 20
        Expired and Unused User IDs and Entitlements 20
    Convert Native DB2 Security Information 21

Chapter 4: Auditability Best Practices 23
    Auditability Considerations 23
        Global Logging Controls 23
        User-Based Controls 24
        Entitlement-Based Controls 25
    Compliance Auditing 26
    Regular and Audit Regimen Using CA Auditor 27

Index 29


Chapter 1: Introduction
This section contains the following topics:
    Purpose of this Guide (see page 7)
    Audience (see page 7)
    Documentation Set Overview (see page 7)
    Mainframe 2.0 Overview (see page 8)
    Mainframe 2.0 Features (see page 9)

Purpose of this Guide


The guide provides a brief introduction to CA's Mainframe 2.0 strategy and features, and describes the best practices for installing and configuring CA ACF2 Option for DB2.

Audience
The intended audience of this guide is systems programmers and administrators who install, configure, deploy, and maintain CA ACF2 Option for DB2.

Documentation Set Overview


This list offers a basic description of each guide in the CA ACF2 Option for DB2 documentation set:

Administrator Guide
Describes how to secure the IBM Database 2 (DB2) product using CA ACF2 Option for DB2.

Getting Started Guide
Details the steps to install CA ACF2 Option for DB2.

Messages Guide
Lists the messages that CA ACF2 Option for DB2 issues, explains why the message appears, and details how you should respond.


Mainframe 2.0 Overview


Mainframe 2.0 is our strategy for providing leadership in the mainframe operating environment. We intend to lead the mainframe marketplace for customer experience, Out-Tasking solutions, and solution innovation. After listening to customer needs and requirements to keep the mainframe operating environment viable and cost-effective, we are providing new tools to simplify usage and to energize this operating environment for years to come.

CA Mainframe Software Manager (CA MSM) is an important step in realizing the Mainframe 2.0 strategy. CA MSM simplifies and standardizes the delivery, installation, and maintenance of mainframe products on z/OS systems. CA MSM has a browser-based user interface (UI) with a modern look and feel for managing those solutions. As products adopt Mainframe 2.0 features and CA MSM services, you can acquire, install, and manage your software in a common way. CA MSM provides software acquisition and installation that make it easier for you to obtain and install CA mainframe products, and apply the recommended maintenance. The services within CA MSM enable you to manage your software easily based on industry accepted best practices. The common browser-based UI makes the look and feel of the environment friendly and familiar.

We follow the IBM z/OS packaging standards using SMP/E, with some additional CA qualities of service added, to make installation simple and consistent. Additionally, through the synchronization of product releases and the use of common test environments, we will declare a yearly mainframe software stack that includes many new releases with enhanced functionality. This stack is certified for interoperability across the CA mainframe product portfolio and the base IBM z/OS product stack.


Mainframe 2.0 Features


Mainframe 2.0 has the following main features:

CA Mainframe Software Manager (CA MSM)
Delivers simplified acquisition, installation, and deployment capabilities using a common z/OS-based web application delivered through a browser-based UI. CA MSM includes the following services:

    Product Acquisition Service (PAS)
    Facilitates the acquisition of our mainframe products and services, including product base installation packages and program temporary fixes (PTFs). This service integrates the inventory of products available on your system with CA Support, providing a seamless environment for managing and downloading software and fixes onto your system.

    Software Installation Service (SIS)
    Facilitates the installation and maintenance of our mainframe products in the software inventory of the driving system. This service enables you to browse and manage the software inventory using a web interface, and automates tasks for products that use SMP/E to manage installation. You can browse downloaded software packages, and browse and manage one or more consolidated software inventories (CSIs) on the driving system.

    Software Deployment Service (SDS)
    Facilitates the deployment of our mainframe products from the software inventory of the driving system. This service enables you to deploy installed products that are policy driven with a set of appropriate transport mechanisms across a known topology. The enterprise system topology can include shared DASD environments, networked environments, and z/OS systems. Policies represent a combination of CA metadata input that identifies the component parts of a product and user-supplied input that identifies the deployment criteria, such as where it will go and what it will be called.

Electronic Software Delivery (ESD)
Enables you to get our products from an FTP server. We have improved this process so that you no longer need to build a tape to install the product.


Best Practices Management
Integrates with IBM Health Checker for z/OS to verify that deployed software follows our best practices. The health checks continually monitor the system and software to provide feedback on whether the software continues to be configured optimally.

Best Practices Guide
Provides best practices for product installation and configuration.

Note: For additional information about the CA Mainframe 2.0 initiative, see http://ca.com/mainframe2.


Chapter 2: Installation Best Practices


This section contains the following topics:
    Installation Considerations (see page 11)
    CA Mainframe Software Manager (see page 11)
    DB2 Subsystems Protection (see page 12)
    CAIENF DB2 Component of CA Common Services (see page 12)

Installation Considerations
We recommend an installation process using a standardized set of libraries and procedures.

Business Value: This process simplifies and standardizes the installation process so it is reliable and repeatable. These standardized libraries typically begin with the CAI high-level qualifier. We have optimized installation and maintenance procedures to support these standard data set names. CA ACF2 Option for DB2 is installed and maintained using SMP/E.

Additional Considerations: We now offer an easy-to-install Electronic Software Delivery (ESD) program. You can download product and maintenance releases over the Internet directly to your system from http://ca.com/support. When you order the product, you receive the authorizations and instructions to access, download, and prepare the installation files without the need for a physical tape.

CA Mainframe Software Manager


We recommend that you use CA MSM to acquire, install, and maintain your product.

Business Value: CA MSM provides a web interface, which works with Electronic Software Delivery (ESD) and standardized installation, to provide a common way to manage CA mainframe products. You can use it to download and install CA ACF2 Option for DB2.


CA MSM lets you download product and maintenance releases over the Internet directly to your system from http://ca.com/support. After you use CA MSM to download your product or maintenance, you use the same interface to install the downloaded software packages using SMP/E.

Additional Considerations: After you install the product, use the CA ACF2 Option for DB2 documentation set at http://ca.com/support to configure your product. CA MSM can continue to help you maintain your product.

More Information: For more information about CA MSM, see the CA Mainframe Software Manager Guide. For more information about product setup, see the CA ACF2 Option for DB2 Getting Started Guide. Both documents are available at http://ca.com/support.

DB2 Subsystems Protection


We recommend that you use the CA ACF2 Option for DB2 sample CADB2XAC exit, which you can install into your DB2 SDSNEXIT data set as the DB2 DSNX@XAC resource authorization exit. This sample exit causes the DB2 subsystem to terminate if the subsystem initializes and executes without CA ACF2 Option for DB2.

Business Value: This practice lets you protect against a DB2 subsystem executing without using CA ACF2 Option for DB2 security.

More Information: To install this sample exit, see the CA ACF2 Option for DB2 Getting Started Guide.

CAIENF DB2 Component of CA Common Services


We recommend installing and initializing the CAIENF DB2 component of CCS to implement CA ACF2 Option for DB2.


Business Value: If the CAIENF DB2 component is not initialized, CA ACF2 Option for DB2 will not initialize in any DB2 subsystem, and DB2 will revert to using whatever native DB2 security controls are still intact.


Chapter 3: Configuration Best Practices


This section contains the following topics:
    CA ACF2 Option for DB2 Configuration (see page 15)
    CA ACF2 for z/OS Configuration (see page 17)
    Removal of Obsolete Security (see page 19)
    Convert Native DB2 Security Information (see page 21)

CA ACF2 Option for DB2 Configuration


CA ACF2 Option for DB2 security processing is controlled by DB2 control records defined in the CA ACF2 for z/OS Infostorage database. These records are critical because they can control how CA ACF2 for z/OS operates and what it secures in servicing the resource security requests from CA ACF2 Option for DB2. DB2 control records are also critical from a compliance point of view, because each standing control might need to be examined for appropriateness and validated. This section discusses the best practices for configuring CA ACF2 Option for DB2.

The OPTIONS Record


Because implementation of CA ACF2 Option for DB2 in a DB2 subsystem and the DB2 resources secured in the subsystem are controlled by the configuration options specified in the DB2 Control OPTIONS record, we recommend that you do not specify a MODE other than ABORT for any DB2 resource in the OPTIONS record.

Business Value: When a DB2 resource is accessed, CA ACF2 Option for DB2 parallels native DB2 security processing in checking several different resources and privileges for access. For example, when a DB2 table is read, CA ACF2 Option for DB2 checks for SELECT access to the table, ownership of the table, the DBADM privilege on the DB2 database that contains the table, and the SYSADM system privilege. If any of these different authorization checks returns an allow condition, the original resource access (reading the table) is allowed. This means that the MODE specified for one resource class can affect access authorizations to a different resource class.


The EXITS Record


Proper exit usage can customize CA ACF2 Option for DB2 processing to accommodate installation specific needs and considerations. We recommend writing one or more exits.

Business Value: Writing exits provides additional value to your installation, using them to better align CA ACF2 for z/OS security functionality with your business processes and applications.

Exit Code Review


You should examine each CA ACF2 Option for DB2 exit line by line to identify specifically what the exit does. We recommend using the freezer function of CA Auditor as a method of helping to automatically monitor these critical data sets.

Business Value: Proper exit usage can customize CA ACF2 for z/OS processing to accommodate site-specific needs and considerations. Strict security and change management controls ensure that only properly certified changes are allowed to occur.

Additional Considerations: CA ACF2 Option for DB2 exit code and the libraries used to hold the source and executable code should be carefully controlled and subjected to stringent change control restrictions to ensure that all changes are properly tracked and audited. The pre- and post-validation exits specified in the CA ACF2 for z/OS GSO EXITS record can affect the access decision returned by CA ACF2 for z/OS to any DB2 access authorization request. CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code should likewise be carefully controlled and subjected to stringent change control restrictions to ensure that all changes are properly tracked and audited. You should put strict security and change management controls in place to ensure that only properly certified changes are allowed to occur.


CA ACF2 for z/OS Configuration


CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS to allow you to control access to DB2 resources, identify usage activity, violation activity, administrative activity, and more. Because CA ACF2 for z/OS performs the actual resource authorization checks, the integrity and performance of CA ACF2 Option for DB2 are dramatically affected by the installation and configuration of CA ACF2 for z/OS. This section discusses best practices for configuring security controls in CA ACF2 for z/OS that CA ACF2 Option for DB2 leverages.

More Information: In addition to reading this guide, you should also familiarize yourself with the CA ACF2 for z/OS Best Practices Guide. In addition, see the CA ACF2 for z/OS Administrator Guide for more information about the CA ACF2 for z/OS options discussed in this section.

CA ACF2 for z/OS OPTS Record


CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS. We recommend using the MODE value in the GSO OPTS record, which determines the access decisions returned by CA ACF2 for z/OS to any DB2 access authorization request.

Business Value: The MODE field in the CA ACF2 for z/OS GSO OPTS record determines the access decision returned by CA ACF2 for z/OS to any DB2 access authorization request.

Additional Considerations: A MODE value other than ABORT or RULE in the OPTS record will cause CA ACF2 for z/OS to return an allow or allow with log response to any CA ACF2 Option for DB2 authorization request. If the MODE value in the OPTS record is RULE, the access decision will be determined by the CA ACF2 Option for DB2 resource rule, and the rules must be written accordingly.
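The following constructed Python model (added here; not CA's code or the product's algorithm) walks the table-read authorization path described under The OPTIONS Record and shows why the per-class MODE in the DB2 Control OPTIONS record and the global GSO OPTS MODE both matter. The MODE semantics, the rule table, and the names ALICE, DBA01 and PAYROLL.SALARY are assumptions for illustration only.

```python
"""Constructed model of how MODE settings interact when CA ACF2 Option for DB2
parallels the native DB2 checks for a table read. Not CA's code; the MODE
semantics, rule table and names below are assumptions for illustration."""
from dataclasses import dataclass, field

# Assumed MODE semantics, following the guide's description:
# ABORT/RULE enforce the rule; LOG/WARN allow but log; QUIET allows silently.
ENFORCING = {"ABORT", "RULE"}
LOGGING = {"LOG", "WARN"}


@dataclass
class Decision:
    allowed: bool
    path: str                       # privilege path that allowed access, or "none"
    log: list = field(default_factory=list)


def class_decision(rule_allows, class_mode, global_mode, what):
    """Outcome of one privilege check after applying the GSO OPTS MODE (global)
    and the per-resource-class MODE from the DB2 Control OPTIONS record."""
    if global_mode not in ENFORCING:
        # Guide: an OPTS MODE other than ABORT or RULE yields allow or allow-with-log.
        entries = [f"ALLOW-LOG {what} (OPTS MODE={global_mode})"] if global_mode in LOGGING else []
        return True, entries
    if rule_allows:
        return True, []
    if class_mode in ENFORCING:
        return False, [f"DENY {what} (class MODE={class_mode})"]
    # Non-enforcing class MODE: the rule violation becomes an allow (logged or not).
    entries = [f"ALLOW-LOG {what} (class MODE={class_mode})"] if class_mode in LOGGING else []
    return True, entries


def table_read(user, table, database, rules, owners, class_modes, global_mode="ABORT"):
    """Parallel the native DB2 checks for SELECT against a table: SELECT on the
    table, ownership of the table, DBADM on its database, or SYSADM. Any single
    allow permits the read, which is why MODE on one class affects another."""
    log = []
    # Ownership is a fact, not a rule, so it is not subject to MODE.
    if owners.get(table) == user:
        return Decision(True, f"ownership of {table}", log)
    checks = [
        ("table", rules.get((user, "table", table, "SELECT"), False), f"SELECT on {table}"),
        ("database", rules.get((user, "database", database, "DBADM"), False), f"DBADM on {database}"),
        ("system", rules.get((user, "system", "*", "SYSADM"), False), "SYSADM"),
    ]
    for cls, rule_allows, what in checks:
        ok, entries = class_decision(rule_allows, class_modes.get(cls, "ABORT"), global_mode, what)
        log.extend(entries)
        if ok:
            return Decision(True, what, log)
    return Decision(False, "none", log)


# Constructed sample rules: ALICE is denied on every path; DBA01 owns the table.
RULES = {
    ("ALICE", "table", "PAYROLL.SALARY", "SELECT"): False,
    ("ALICE", "database", "PAYROLL", "DBADM"): False,
    ("ALICE", "system", "*", "SYSADM"): False,
}
OWNERS = {"PAYROLL.SALARY": "DBA01"}
ALL_ABORT = {"table": "ABORT", "database": "ABORT", "system": "ABORT"}


def demo():
    """Three configurations of the same request from ALICE."""
    strict = table_read("ALICE", "PAYROLL.SALARY", "PAYROLL", RULES, OWNERS, ALL_ABORT)
    # Only the database class relaxed to LOG: the DBADM path now allows the read.
    lax_db = table_read("ALICE", "PAYROLL.SALARY", "PAYROLL", RULES, OWNERS,
                        {**ALL_ABORT, "database": "LOG"})
    # GSO OPTS MODE(QUIET): every class allows, and nothing is logged.
    quiet = table_read("ALICE", "PAYROLL.SALARY", "PAYROLL", RULES, OWNERS,
                       ALL_ABORT, global_mode="QUIET")
    return strict, lax_db, quiet


if __name__ == "__main__":
    for name, d in zip(("all ABORT", "database LOG", "OPTS QUIET"), demo()):
        print(f"{name:13} allowed={d.allowed} via {d.path}; log={d.log}")
```

The second configuration is the case the guide warns about: the table rule still denies, yet relaxing MODE on the database class lets the read through the DBADM path.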

CA ACF2 for z/OS Exit Considerations


We recommend that you periodically review each exit to recertify its applicability and usefulness. If the exit provides a function that CA ACF2 for z/OS now provides, you can migrate from that exit point to the native product functionality.


Business Value: As CA ACF2 for z/OS has evolved, we have added exit functionality to the base product, typically using new options, security records, privileges, and so on. Because CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS, any exits specified in the CA ACF2 for z/OS base product can affect the access decision CA ACF2 for z/OS returns to any DB2 access authorization request; therefore, examine any CA ACF2 for z/OS exit line by line to identify specifically the role of each exit.

Additional Considerations: We also suggest that you consider the following:
    Carefully control CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code, and implement stringent change control restrictions to ensure that all changes are properly tracked and audited.
    Implement strict security and change management controls to ensure that only properly certified changes are allowed to occur.

The freezer function of CA Auditor is an excellent method of helping to automatically monitor these critical data sets.

CA ACF2 for z/OS INFODIR Record


Minimize DASD utilization by eliminating the need to retrieve the rules from the security databases on DASD. We recommend using the CA ACF2 for z/OS controls which enable memory-based sharing of the CA ACF2 Option for DB2 resource rules.

Business Value: The performance of the authorization process in CA ACF2 for z/OS strongly impacts the performance of the CA ACF2 Option for DB2 resource security processing. One of the biggest performance-related items concerns DASD-related overhead and contention for the CA ACF2 for z/OS security databases. In particular, during the CA ACF2 for z/OS processing of a CA ACF2 Option for DB2 authorization request, CA ACF2 for z/OS locates and checks the CA ACF2 Option for DB2 resource rule.

Additional Considerations: Generally speaking, activation of these options involves a trade-off that must be weighed carefully. These options generally control sharing of security objects in common memory storage, a relatively scarce commodity even on the largest of today's IBM mainframes. The cost of the storage must be weighed against the benefit gained, namely the saving of DASD I/O operations.


The GSO INFODIR records control the memory-based sharing of CA ACF2 Option for DB2 resource rules. Using the GSO INFODIR records, you define which specific CA ACF2 for z/OS resource types are to have directories built into common storage. Generally ECSA will be used for these directories, although this can be overridden by settings in the GSO RULEOPTS record. When you define the GSO INFODIR records, you specify what objects are to be placed into storage, specifically the directory only or the directory and the rules themselves. You have choices here on how and whether to make the rules resident, as follows:

Rules can be made resident (R) at CA ACF2 for z/OS initialization, in response to a REFRESH command, and in response to a REBUILD command. Use this option for most instances of resident resource rules for the following reasons:
    It is more efficient for CA ACF2 for z/OS to acquire the storage once and load all of the rules into storage during initialization.
    It alleviates possible future out-of-storage situations whereby a rule needed to secure a critical application function cannot be loaded because of a storage shortage, thus resulting in application unavailability.
    It eliminates possible performance spikes that might arise if CA ACF2 for z/OS needed to periodically retrieve rule records from DASD to meet security demands.

Rules can be brought in on demand (D), meaning that CA ACF2 for z/OS maintains in storage only those rule sets that are actually used. This option might be used for more infrequently used rules and lesser used applications.

Rules can be brought into memory on a transient basis (T), meaning that CA ACF2 for z/OS will load them only when used and will then release them when the use is complete. Use this option only for the lightest use systems that are not subject to service level agreements and other user constraints.

Removal of Obsolete Security


Many times, we will see options defined and activated even though the original business case that caused activation or definition of these options has long since ceased to be of concern. You might need to be prepared to substantiate each control to an auditor. This section discusses how to manage obsolete user definitions and entitlements, configuration options, and expired user IDs.


Obsolete User Definitions and Entitlements


It is common for an installation to have obsolete logonids and security entitlements in the form of data set access rules and resource rules. We recommend that your site implement CA Cleanup.

Business Value: CA Cleanup provides automated, continuous cleanup of CA ACF2 for z/OS security databases.

Obsolete Configuration Options


Implement CA Cleanup to identify obsolete GSO control options that should be targeted for removal.

Business Value: Frequently, an installation implements a security policy using particular GSO options and then that policy will remain defined permanently, even though the underlying business case reason behind the policy has been modified or perhaps deleted.

Additional Considerations: An audit of a security control may require that some substantiation for the need of that control be performed. This process is easier to address if a change control mechanism exists that tracks security policy changes that result in changes to GSO records, configuration options, pertinent logonids, rules, and so on. Otherwise, the process of substantiating change becomes difficult and one probable outcome is the orphaning of security options and controls.

Expired and Unused User IDs and Entitlements


We recommend that you implement an automated credential and entitlement monitoring system, such as CA Cleanup.

Business Value: CA Cleanup provides a viable, cost-effective means of automatic identification and de-administration of unused, obsolete, expired user credentials or security entitlements.


Additional Considerations: Expired, obsolete, and unused credentials and entitlements pose a large security risk and, for this reason, are the target of many contemporary compliance laws, requirements, and regulations. The PCI-DSS standard contains very specific language concerning processing of expired or obsolete user credentials and entitlements. The v1.2 specification states that inactive accounts must be removed or disabled after 90 days.

Convert Native DB2 Security Information


If you use native DB2 security, you can simplify rule writing by using a conversion utility to create rule sets. We recommend that you run a conversion utility to create your first set of rules.

Business Value: The conversion effort turns existing native DB2 security information and the security controls into corresponding security controls in CA ACF2.

Additional Considerations: The conversion utility job CP12CNVT is located in the CAI.ACF2DB2.CACPJCL data set. This utility provides a basis from which to start writing rules.


Chapter 4: Auditability Best Practices


This section contains the following topics:
    Auditability Considerations (see page 23)
    Compliance Auditing (see page 26)
    Regular and Audit Regimen Using CA Auditor (see page 27)

Auditability Considerations
We recommend that you log data to fit your business needs, but we caution you to devise your logging plans with auditability and resource usage in mind.

Business Value: The security administrator, through entitlement-based controls and general security configuration options, controls the amount of logging on a system. The options that are set must reflect the business needs of the installation. Logging does affect performance; logging does cost in terms of processing path length, data repository size, and more. Consider this potential for overhead when deciding what logging controls to activate.

More Information: The following sections detail several logging controls and our recommendations on how to use them.

Global Logging Controls


We recommend that you use global control options to customize how you capture data to logs.

Business Value: By capturing system-wide data to logs, you can secure data for an audit, troubleshooting, and potential error recovery.


Additional Considerations: Examine the following GSO controls that affect logging at a global level:
    BLPPGM record
    CLASMAP record
    DELRSRC record
    LOGPGM record
    MLSOPTS record
    OPTS record
    PPGM record
    SECVOLS record

User-Based Controls
We recommend that you implement user-based controls for logging to generate log entries when CA ACF2 for z/OS uses the controls to determine what resources a user has accessed.

Business Value: This practice lets you track user and logonid activity.


Additional Considerations: You can log all system entry (logon, job) activity by using one of the following logonid record privileges:
    MON-LOG
    MONITOR
    PP-TRC
    P-TRCV
    TRACE
    TSO-TRC
    LOGSHIFT

Consider the role that special privileges play on an individual user level and their impact on logging. CA ACF2 for z/OS generates special log entries based on the following logonid privileges:
    SECURITY
    NON-CNCL
    PRIV-CTL (if this causes special privileges to be granted)
    READALL
    RULEVLD

Entitlement-Based Controls
When a CA ACF2 Option for DB2 resource rule is written, the security administrator has control over the specific circumstances in which logging records will be written. By default, CA ACF2 for z/OS logs failed access attempts or access attempts made under special circumstances, such as under security authority. We recommend detailed examination of the rule sets.

Business Value: Examination may reveal that some generated loggings are superfluous and can be eliminated without impacting system security or auditability.


Compliance Auditing
We recommend using CA Compliance Manager, which provides a single source for real-time, compliance-related information and events occurring within the mainframe environment.

Business Value: CA Compliance Manager lets you easily manage and audit your mainframe environment. It accomplishes this with continuous, real-time monitoring and collection of compliance and security-related information, policy alerting, and an intuitive reporting interface for compliance and security event reporting. It also gives you the comprehensive auditing tools that you need to prove your compliance to IT and risk-management auditors.

Additional Considerations: CA Compliance Manager consists of several components:

The Change Monitor detects and records changes to external security manager (ESM) configurations, operating system security configuration, and selected PDS/PDSE data sets.

The Data Warehouse stores information about mainframe security events in a relational repository that is accessible for compliance reporting, allowing complex reporting processes to be initiated. It also provides real-time access to current and historical security information for forensic analysis, going beyond current reporting capabilities of security products.

The Alert component provides real-time notification of potential security breaches indicated by changes in the security configuration and specific security events. Stakeholders can receive immediate notification of pertinent violations, user activity, and access or change activity to critical resources using email notification, Write To Operator (WTO), or help desk ticket creation.


The Logger component writes information about mainframe security events to a dedicated z/OS log stream. A historical record of security events is maintained to address compliance and audit requirements and security forensics. This approach provides greater capability and is easier to use than standard log collection using SMF and file-based security journals. A web-enabled user interface provides summary and detailed reports that answer the audit question: Who accessed what, from where, and when? For example, you can report on everything a specific user has accessed, or on everyone who accessed a resource due to a specific permission. From the web interface, you can also create the policy statements that control what events are captured and the actions to take.

More Information: For a complete description of this product, see the CA Compliance Manager Implementation Guide.

Regular and Audit Regimen Using CA Auditor


We recommend that you constantly audit your mainframe z/OS system by using CA Auditor. We also recommend that you create procedures to audit your physical IT environment.

Business Value: Regular auditing using CA Auditor offers the following benefits:

- Helps maintain z/OS integrity through timely identification of z/OS customization and modifications
- Helps verify internal compliance with change control procedures
- Minimizes z/OS auditing costs through CA Auditor usage, whether through direct license or through CA Out-Tasking, which is a CA Services initiative whereby customers can engage us to perform regular services

Maintaining the integrity of the z/OS system is necessary to maintain proper system and application functionality. Regular audits can also satisfy many common compliance regulations, laws, and requirements, such as Sarbanes-Oxley (SOX) and the Payment Card Industry-Data Security Standard (PCI-DSS).


Additional Considerations: As you devise your auditing regimen, consider the following points:

- The z/OS system is the foundation for the applications and data that run your business; therefore, if the z/OS system has integrity exposures, the associated applications have the same exposures.
- A sound security policy bolsters z/OS integrity. Similarly, a proper z/OS implementation supports your overall security, because a user could exploit any weakness to circumvent critical security controls and damage your applications.

Sound system integrity is the result of careful planning, well-defined procedures, proper security and change control mechanisms, and regular auditing to verify that users are following these procedures.


Index

A
access decisions 17
auditing your system 27
Overview 8

C
CA Auditor
    freezer function 16, 17
CA Cleanup 20
CA Common Services (CCS) 12
CAIENF DB2 component 12
CA Compliance Manager 26
conversion utility 21
credential monitoring 20

D
DASD-related overhead 18

E
entitlement monitoring 20
exits 16
    considerations 17

G
GSO records
    ABORT 17
    EXITS 16
    identify obsolete 20
    INFODIR 18
    MODE value 17
    OPTS record 17
    RULE 17
    RULEOPTS 18

I
Infostorage database 15, 16

L
logging data 23, 24, 25

M
Mainframe 2.0
    CA Mainframe Software Manager 11
    Electronic Software Delivery 11
    features 9

O
obsolete logonids 20

P
privileges
    DBADM privilege 15
    SYSADM 15

S
security controls 17
security entitlements 20
security processing 15, 16
SELECT access 15
subsystem protection 12