IBM Security Z Security


How to create a compliance 'Management Summary'

  • 1.  How to create a compliance 'Management Summary'

    Posted Fri November 20, 2020 06:26 AM
    Edited by Andrew Cameron-Heffer Fri November 20, 2020 06:36 AM
    I saw this in the zSecure 2.4.0 release notes:

    TYPE=COMPLIANCE* newlists have been enhanced to support comparisons:
    • Rule set compliance summary provides a management summary, comparing percentages, and indications of direction of changes.

    That got me excited. I would like to generate reports for management to show our compliance status and compliance progress every month. Being busy folks, they would really like a RED AMBER GREEN dashboard, but something with percentages would be acceptable. Unfortunately, the phrase 'management summary' isn't in the V2.4.0 CARLa Command Reference manual and I can't work out what I need to do to create something that (non-technical) management would understand.

    Could you provide some sample code to assist in creating reports, or point me at some helpful CARLa code?

    Thanks.

    ------------------------------
    Andrew Cameron-Heffer
    ------------------------------


  • 2.  RE: How to create a compliance 'Management Summary'

    Posted Fri November 20, 2020 09:37 AM
    Edited by Rob van Hoboken Fri November 20, 2020 09:39 AM
    Hi Andrew
    This refers to the Compliance Framework, option AU.R.E. When you allocate 2 snapshots (a CKFREEZE and an UNLOAD in each) in SE.1, using S to select the newer snapshot and C (for Compare) on the older snapshot, you can compare the two. The set of input files would look like this:

                      zSecure Suite - Setup - Input files             Row 1 from 106

    (Un)select (U/S/C/M) set of input files or work with a set (B, E, R, I, D or F)

    Description                                                      Complex
    PRODMVS (2)                                                      PROD#OLD baseline
    PRODMVS (0)                                                      PROD     selected

    Next, in many of the reporting panels you can select Show differences under Output/run options, and select the type of differences you would like to see.  When you use this in AU.R.E, the report shows compliance rules where Tests or Objects changed.  This could point to new objects, or to tests that changed in compliance posture (e.g., became non-compliant).

    The result is not easy to understand for managers. However, the security analyst can use it to spot resources that were added or the effect of incorrect security administration. This example shows that one new APF library was found, and it is compliant for the requirements of AAMV0040 (there is no "NonComp" value), but it fails some tests in ACP00060 (see the yellow 1?). 68 (new) issues with Sensitive CICS transactions were uncovered, etc.

    A compliance progress report could be found in the Rule set compliance summary display that you can get from AU.R.E. It shows a Cm% column that indicates the percentage of Compliant tests in the evaluation of this system. The percentage is designed as an indicator of the effort needed to achieve a 100% compliant system.


    ------------------------------
    Rob van Hoboken
    ------------------------------
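The RED/AMBER/GREEN dashboard asked for in the question can be derived from the Cm% column of two Rule set compliance summary runs (older and newer snapshot). The script below is an added example written for this thread, not zSecure or CARLa code: the two-column listing it parses is constructed for the example (the real AU.R.E display layout may differ, so adapt parse_summary()), and the RAG thresholds are an assumption, not anything the product defines.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: rule set name and Cm% (percentage of compliant tests),
# one line per rule set, as one might paste from the summary display.
OLD_SNAPSHOT = """\
RuleSet     Cm%
AAMV0040   100.0
ACP00060    92.5
CICS_TXN    71.0
"""
NEW_SNAPSHOT = """\
RuleSet     Cm%
AAMV0040   100.0
ACP00060    88.0
CICS_TXN    79.5
"""

# Assumed thresholds (not from the thread): GREEN >= 95, AMBER >= 80, else RED.
GREEN_AT, AMBER_AT = 95.0, 80.0


def parse_summary(text: str) -> dict:
    """Return {rule_set: Cm%} from the constructed two-column listing."""
    rows = {}
    for line in text.splitlines()[1:]:          # skip the header line
        name, pct = line.split()
        rows[name] = float(pct)
    return rows


def rag(pct: float) -> str:
    return "GREEN" if pct >= GREEN_AT else "AMBER" if pct >= AMBER_AT else "RED"


def direction(old: float, new: float) -> str:
    return "up" if new > old else "down" if new < old else "same"


@dataclass
class SummaryRow:
    rule_set: str
    old_pct: Optional[float]   # None when the rule set is new in this snapshot
    new_pct: float
    status: str                # RED / AMBER / GREEN
    trend: str                 # up / down / same / new


def management_summary(old_text: str, new_text: str) -> List[SummaryRow]:
    """One row per rule set in the newer snapshot, with RAG status and trend."""
    old, new = parse_summary(old_text), parse_summary(new_text)
    return [SummaryRow(name, old.get(name), pct, rag(pct),
                       "new" if name not in old else direction(old[name], pct))
            for name, pct in new.items()]


if __name__ == "__main__":
    for r in management_summary(OLD_SNAPSHOT, NEW_SNAPSHOT):
        print(f"{r.rule_set:<10} {r.new_pct:6.1f}% {r.status:<6} {r.trend}")
```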