Using STIGS

Includes mainframe security standard review and implementation guidelines.
When applied to CA IDMS, the security standards decrease the risk of unauthorized disclosure of sensitive information. We developed our vendor Security Technical Implementation Guides (STIGs) to enhance the confidentiality, integrity, and availability of customers using our mainframe products.
Implementation Responsibility
Before you implement these standards within your production environment, especially within large user populations, we recommend that you evaluate the specified standards in a local, representative test environment. The extensive variety of environments makes it impossible to test these standards against all potential mainframe environments.
Broadcom accepts no liability for the consequences of applying specific configuration settings that are made based on the security standard. For some production environments, failure to test before implementation may lead to a loss of required functionality.
Evaluating the risks and benefits of the circumstances and requirements of a system is the responsibility of the system owner. The risks identified from not applying specified configuration settings must be approved by the responsible authorizing official within the respective organization. Furthermore, Broadcom makes no warranty that applying all specified configurations results in a system that is 100 percent secure. We provide these security standards as guidelines. Ensure that all applicable security guidance is applied at both the device-hardening level and the architectural level. Some settings may not be configurable in all environments. Each STIG is limited to the specific CA IDMS product and assumes that you have fully and properly implemented all security controls within CA IDMS.
Severity Definitions
These definitions are a measure of vulnerabilities that are used to assess a facility or system security posture. Each STIG ID in this document is assigned one of the following values:
  • Severity 1 - High
    Any vulnerability, the exploitation of which directly and immediately results in loss of confidentiality, availability, or integrity.
  • Severity 2 - Medium
    Any vulnerability, the exploitation of which has a potential to result in loss of confidentiality, availability, or integrity.
  • Severity 3 - Low
    Any vulnerability, the existence of which degrades measures to protect against loss of confidentiality, availability, or integrity.
Depending upon the specific details of the access granted, aggregated risks may exist. The resulting combined risk could raise the severity from one level to another.
User Roles and Least Privilege Access
The following list details typical mainframe infrastructure roles at the z/OS system level, regardless of whether 0 or 500 applications are running. These roles correspond to the roles allowed to have specific access levels within the STIG. Your organization's least-privilege and separation-of-duties requirements determine which user IDs are assigned to each role. We recommend that you build a formalized document that defines all roles, duties, responsibilities, and the specific access allowed and approved for each mainframe infrastructure role in your organization.
  • z/OS IDMS System Programmer (IDMSSYSP)
  • Application Database Administrator (IDMSDBA)
  • Application Developer/Programmer (DEVLPGMR)
  • IDMS End User
Access to product resources is granted only on the basis of valid, documented requirements for the roles that individuals are assigned. Ensure that only least-privilege access is granted: enough for individuals to perform the documented functions within their assigned role, and no more.