Change, Risk, Audit and Compliance Management

zOSEM offers a methodology and ISPF interface to provide today's data center a proactive solution to the challenges of fewer systems programmers. It also offers an opportunity to make the task of managing system environments an administrative one, rather than a technical programming issue. zOSEM makes it much easier for installations to manage system resources and to control how they are used. It enables z/OS management to:

 See some of the zOSEM functional area benefits.

z/OS EXIT Explorer determines where your in-house, IBM and ISV z/OS exits have been applied to z/OS and associated sub-systems (all 500 plus) across diverse areas where no one manager or auditor will have the relevant expertise to understand what is in place and what changes with new product installs or new z/OS releases. With in-house exits you have the added worry of specialized assembler programmers with the relevant expertise "leaving".


P-Tracker collects usage information on all program and subprogram calls under z/OS, including Batch, IMS/DC, CICS, TSO and other sub-system environments. Using P-Tracker, one can focus on usage of modules, datasets, applications and products/licenses and, for in-house applications, determine the chained calls at sub-program level. One can quickly and easily identify applications and products that are unused, under-used, duplicated or scattered. It automatically collects information on every module invocation on the system, including sub-system level transactions when required.

    

ICE - IMAGE Control Environment detects changes, points of failure, and risks to the integrity of the z/OS systems. ICE helps systems staff to examine the system and to document, for management, security and audit teams, that their job is being done correctly, has been verified, and does not have further unintentional adverse impact outside of where the change was made. As a result, no change management request is closed prior to proof of valid live and target systems.

A background monitor activates a virtual IPL for each image (and its alternate images) using the zOS-Inspector, Sysplex-Inspector, and primary sub-system inspectors (e.g. JES, VTAM, TCPIP), maintaining in-depth change management and documentation of your images. Additionally, for DR purposes, ICE runs as a started task directly under z/OS and automatically creates and maintains full-screen access (ISPF/PDF) to its own z/OS sub-system when VTAM, JES or TSO are unavailable, giving various system management and recovery functions.


Image FOCUS provides a uniquely powerful capability to perform inspections & verifications of critical configuration elements that define and control the startup and operational parameters of a z/OS LPAR and major subsystems such as JES, VTAM, TCP/IP, CICS and security definitions like PAGENT and SERVAUTH. Image FOCUS also detects changes to these same critical elements and evaluates the impact of the changes on the readiness and availability of the z/OS LPARS / SYSPLEX.

The Control Editor (TCE) is designed to establish and maintain best practices for an institution to enforce Infrastructure Administration controls. Best practices that TCE can perform automatically include always creating a backup of critical components when they are changed and maintaining history and versions for each change; providing and enforcing a method of consistent documentation for change activity; and creating a persistent method of notification when action is taken that may change the definition or running (dynamic) values of z/OS LPARs and sub-systems.

TCE also provides additional controls beyond those provided by traditional External Security products, which allow for the requirements of Dependency Mapping and Excessive Access Checking (NIST SP 800-207). TCE can be the central tool in any security policy enforcement for critical z/OS datasets, Load Libraries and UNIX files.


ICEDirect was developed to answer an additional need created by the evolution in Operational Integrity: Data Visualization. With the requirements for a ZTA (Zero Trust Architecture) and other information sources it became clear that the traditional reporting methods had enhanced requirements to share critical information captured and stored by various tools and services. ICEDirect is a highly secure browser interface into the ICE data space that can easily provide information from its data capture and store it in a format that is both intuitive and visually easy to understand.

ICEDirect also provides analytic capabilities for other critical z/OS data, such as IODF configurations, the z/OS Health Checker (all LPARs in a SYSPLEX in one view), RACF, certificate management, and LD-IPL. These analytic capabilities provide an easy way to view and understand these sources and make the audit legible for non-specialists.

A mitigation for vulnerabilities in customized versions of z/OS 3.1 is now available in the form of List Directed IPL (LD-IPL) and its two supporting components, Validated Boot and Secure Boot. It is available for creation using ICEDirect and for inspection using Image FOCUS.

 

SAE - Stand Alone Environment allows access to z/OS volumes and datasets without having a z/OS active. It offers a full range of ISPF-like features, Fast DASD Erase to delete a farm in less than 30 minutes with an audit report, and Dataset Utilities to ensure critical datasets are always immediately accessible, including restore of datasets from DFDSS & FDR volume backups. SAE itself IPLs in 7 seconds, where normally your start-up pack requires 10 to 30 minutes. It is essential to any disaster recovery plan, as you execute your plan faster, have your production system up and running quicker, and avoid any back-outs. With Rel. 17 it supports the HMC Integrated Console, so you can IPL with Integrated 3270 (SYSG=ENABLE) as well as the traditional IPL with a console device (SYSG=DISABLE).