Check: AAMV0010
zOS ACF2 STIG: AAMV0010 (in versions v6 r43 through v6 r30)
Title
A CMP (Change Management Process) is not being utilized on this system. (Cat III impact)
Discussion
Without proper tracking of changes to the operating system software environment, its processing integrity and availability are subject to compromise.
Check Content
a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SMPERPT)

b) Invoke the CA-EXAMINE application from within ISPF/PDF. This is typically done by executing %EXAMINE from ISPF/PDF option 6. From the CA-EXAMINE primary menu, enter 2.3.3 from the command line to display the INSTALLED PRODUCTS SELECTION menu. Enter a hyphen (-) for all optional search criteria fields and a valid SMP/E CSI name. Repeat this step for all applicable SMP/E CSI names.

NOTE 1: CSI names can be obtained from the SMPERPT report or by leaving the CSI name field blank and allowing CA-EXAMINE to compile a list of cataloged CSI data sets from which to choose.

NOTE 2: SMP/E CSIs may not be present on this domain. If the site uses another domain to install products via SMP/E, and then copies the SMP/E product installation libraries to this domain, this is acceptable. Review the domain where the SMP/E environment resides and compare it against the domain being reviewed for compliance. The z/OS Vendor recommends that all products with the capability for installation via IBM’s SMP/E process will be installed and maintained using that process.

c) If the entries contained in the SMP/E CSIs accurately reflect the operating system software environment, there is NO FINDING.

d) If the entries contained in the SMP/E CSIs do not accurately reflect the operating system software environment, this is a FINDING.
Fix Text
The systems programmer responsible for supporting changes to the software will ensure that all changes and updates are tracked and maintained using a CMP. Obtain/locate all applicable SMP/E data sets (e.g., CSI, PTS, etc.). Ensure that all entries contained in the SMP/E configuration are matched with the operating system environment. Verify with the systems programmer that the components of the operating system are controlled through a CMP. Note: Many systems are created from a base system that is controlled by a change management program. Be sure to note that the system has been maintained based on this process.
Additional Identifiers
Rule ID: SV-82r2_rule
Vulnerability ID: V-82
Group Title: AAMV0010
CCIs
Number | Definition |
---|---|
CCI-000326 | The organization employs automated mechanisms to document all changes to the information system. |
Controls
Number | Title |
---|---|
CM-3 (1) | Automated Document / Notification / Prohibition Of Changes |