IBM Security Z Security
  • 1.  How to create a compliance 'Management Summary'

    Posted Fri November 20, 2020 06:26 AM
    Edited by Andrew Cameron-Heffer Fri November 20, 2020 06:36 AM
    I saw this in the zSecure 2.4.0 release notes:

    TYPE=COMPLIANCE* newlists have been enhanced to support comparisons:
    • Rule set compliance summary provides a management summary, comparing percentages, and indications of direction of changes.

    That got me excited. I would like to generate reports for management to show our compliance status and compliance progress every month. Being busy folks, they would really like a RED AMBER GREEN dashboard, but something with percentages would be acceptable. Unfortunately, the phrase 'management summary' isn't in the V2.4.0 CARLa Command Reference manual and I can't work out what I need to do to create something that (non-technical) management would understand.

    Could you provide some sample code to assist in creating reports, or point me at some helpful CARLa code?

    Thanks.

    ------------------------------
    Andrew Cameron-Heffer
    ------------------------------


  • 2.  RE: How to create a compliance 'Management Summary'

    IBM Champion
    Posted Fri November 20, 2020 09:37 AM
    Edited by Rob van Hoboken Fri November 20, 2020 09:39 AM
    Hi Andrew,
    This refers to the Compliance Framework, option AU.R.E. When you allocate 2 snapshots (a CKFREEZE and an UNLOAD in each) in SE.1, using S to select the newer snapshot and C (for Compare) on the older snapshot, you can compare the two. The set of input files would look like this:

                      zSecure Suite - Setup - Input files             Row 1 from 106

    (Un)select (U/S/C/M) set of input files or work with a set (B, E, R, I, D or F)

    Description                                                      Complex
    PRODMVS (2)                                                      PROD#OLD baseline
    PRODMVS (0)                                                      PROD     selected

    Next, in many of the reporting panels you can select Show differences under Output/run options, and select the type of differences you would like to see. When you use this in AU.R.E, the report shows compliance rules where Tests or Objects changed. This could point to new objects, or to tests that changed in compliance posture (e.g., became non-compliant).

    The result is not easy to understand for managers. However, the security analyst can use it to spot resources that were added or the effect of incorrect security administration. This example shows that one new APF library was found, and it is compliant for the requirements of AAMV0040 (there is no "NonComp" value), but it fails some tests in ACP00060 (see the yellow 1?). 68 (new) issues with Sensitive CICS transactions were uncovered, etc.

    A compliance progress report could be found in the Rule set compliance summary display that you can get from AU.R.E. It shows a Cm% column that indicates the percentage of Compliant tests in the evaluation of this system. The percentage is designed as an indicator of the effort needed to achieve a 100% compliant system.


    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: How to create a compliance 'Management Summary'

    Posted Thu May 11, 2023 10:50 AM

    Hi @Rob van Hoboken ,

    Is it possible to have this management summary in batch, but one step earlier?
    I mean, the summary on how many rule sets are compliant per standard, not how many test_rules per rule set (this works, but I can't figure out how to get the summary per standard, like you get in the panel AU->R->E->STDTESTS).

    Thanks in advance!



    ------------------------------
    Tim Osaer
    ------------------------------



  • 4.  RE: How to create a compliance 'Management Summary'

    IBM Champion
    Posted Fri May 12, 2023 03:03 AM
    Edited by Rob van Hoboken Fri May 12, 2023 03:04 AM

    On the panel you get from AU.R.E (Evaluate), there is an option "Background run" that shows up when you request "Print format" output. You can use this to generate JCL for the requested report(s).

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: How to create a compliance 'Management Summary'

    Posted Fri May 12, 2023 04:38 AM

    Hi Rob,

    Yes, but that doesn't give the summary on Standard level. This gives it on Rule_set level.

    I need to have a view of how many rule sets are compliant per Standard, not how many tests per rule set.

    Like you have on this panel:
    AU->R->E->STDTESTS
    before you select a standard.



    ------------------------------
    Tim Osaer
    ------------------------------
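    The thread asks for two roll-ups of the same test results: Rob's Cm% (compliant tests per rule set) in post 2, and Tim's one-level-higher view (compliant rule sets per standard, with direction of change between a baseline and the current snapshot) in posts 3 and 5. The Python below is an added example, not zSecure output or CARLa and not from any poster; it works on constructed rows that mimic the fields a compliance newlist exposes (standard, rule set, test, compliant flag), and the RED/AMBER/GREEN thresholds are assumptions, not product defaults.

```python
# Constructed example (not zSecure output or CARLa): rows mimic the fields a
# TYPE=COMPLIANCE newlist exposes (standard, rule set, test, compliant flag).
from collections import defaultdict

# Constructed sample rows: (standard, rule_set, test_id, compliant)
OLD_SNAPSHOT = [
    ("STIG", "AAMV0040", "T1", True), ("STIG", "AAMV0040", "T2", True),
    ("STIG", "ACP00060", "T1", True), ("STIG", "ACP00060", "T2", False),
    ("PCI", "PCI_2_2", "T1", False), ("PCI", "PCI_2_2", "T2", False),
    ("PCI", "PCI_8_1", "T1", True),
]
# Current snapshot: two tests were remediated since the baseline, the rest is unchanged.
FIXED = {("STIG", "ACP00060", "T2"), ("PCI", "PCI_2_2", "T1")}
NEW_SNAPSHOT = [r[:3] + (True,) if r[:3] in FIXED else r for r in OLD_SNAPSHOT]

def cm_pct(rows):
    """Cm%: percentage of compliant tests, as in the Rule set compliance summary."""
    return round(100.0 * sum(1 for r in rows if r[3]) / len(rows), 1) if rows else 0.0

def ruleset_summary(rows):
    """Per (standard, rule set): Cm% and whether every test is compliant."""
    by_rs = defaultdict(list)
    for r in rows:
        by_rs[(r[0], r[1])].append(r)
    return {k: {"cm_pct": cm_pct(v), "compliant": all(t[3] for t in v)}
            for k, v in by_rs.items()}

def standard_summary(rows):
    """One level up (the view asked for in posts 3 and 5): compliant rule sets per standard."""
    out = defaultdict(lambda: {"rule_sets": 0, "compliant": 0})
    for (std, _rs), s in ruleset_summary(rows).items():
        out[std]["rule_sets"] += 1
        out[std]["compliant"] += int(s["compliant"])
    for s in out.values():
        s["pct"] = round(100.0 * s["compliant"] / s["rule_sets"], 1)
    return dict(out)

def rag(pct, green=100.0, amber=75.0):
    """Traffic light for management; thresholds are constructed, not product defaults."""
    return "GREEN" if pct >= green else "AMBER" if pct >= amber else "RED"

def management_summary(old_rows, new_rows):
    """Per standard: current percentage, RAG rating and direction of change vs. the baseline."""
    old, new = standard_summary(old_rows), standard_summary(new_rows)
    report = {}
    for std, s in sorted(new.items()):
        delta = s["pct"] - old.get(std, {"pct": 0.0})["pct"]
        report[std] = {"pct": s["pct"], "rag": rag(s["pct"]),
                       "trend": "up" if delta > 0 else "down" if delta < 0 else "flat"}
    return report
```

    With the constructed data, STIG moves from 50% to 100% of rule sets compliant (GREEN, trending up), while PCI stays at 50% (RED, flat) even though one of its tests was fixed, which is exactly why the per-standard view hides progress that the per-rule-set Cm% shows.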