z/OS operating system integrity depends upon the soundness of the system software maintenance process. Good change control and effective quality assurance procedures are, therefore, critical to achieving a high degree of system integrity.
IBM developed System Modification Program/Extended (SMP/E) as the primary mechanism for controlling changes to the z/OS system software environment. Most sites use SMP/E to install and maintain operating system software and program products (PPs) from IBM and other software vendors. Because of the complexity of SMP/E, see the Usage Guide for more information about its audit and security concerns.
Use the SMP/E Analysis display (2.3) to review this information.
Auditor___________________________ Location___________________ Page____of____
Approved__________________________ CPU________________________ Date__________
| Step | Description | W/P Ref | Finding | Remarks |
|---|---|---|---|---|
| 1 | Verify that a policy was formulated to control changes and maintenance to your systems software environment. | | | |
| 2 | Determine whether procedures are established that enforce the change control policy and conform with acceptable business practices. Some of the procedures that should be implemented follow. | | | |
| 3 | Verify that procedures exist to control the distribution of SMP/E CBIPO, PUT, CBPDO, fixes, and APARs. | | | |
| 4 | Ensure that SMP/E installation and PUT tapes are tracked and placed in a tape library. Determine whether these tapes were processed through SMP/E and that SMP/E completed successfully. | | | |
| 5 | Verify that change control procedures include audit trails of who installed SMP/E and when, who maintains it, and so on. | | | |
| 6 | Ensure that SMP/E audit trail reports are properly accounted for and filed. | | | |
| 7 | Check that the personnel who use SMP/E receive adequate training, such as computer-based training (CBT), DVDs, video tapes, or training classes. | | | |
| 8 | Verify that SMP/E files, libraries, and directories are backed up periodically. Use the SMF Search Criteria display (1.5.4) to look for SMF records that show the backups. Ensure that the backup job completed successfully. | | | |
| 9 | Determine whether SYSMODs, changes to the system, PTFs in error, and so on, that are applied through SMP/E are subjected to quality assurance testing. | | | |
| 10 | If your programmers have online access to SMP/E through ISPF/PDF, ensure that appropriate access controls are in place to control its use. | | | |
| 11 | Start to gather program product (PP) information. From Technical Support, obtain a Computer System Profile form that lists all PPs and their associated load libraries installed in your data center. | | | |
| 12 | From Technical Support, obtain a list of the data set names for all SMP/E directories (both CSIs and CDSs) that the data center uses, and the names of the products managed by each directory. | | | |
| 13 | Use the CSI Search option (2.3.1) to view the current list of CSIs. Note the version of SMP/E for each CSI. | | | |
| 14 | Create a work paper cross-referencing program products, load libraries, and SMP/E directories. For each product, indicate which are maintained by SMP/E Release 4 or Release 5, and which are not SMP/E-maintained at all. List each product's name, load library, SMP/E version, and CDS or CSI directory name. | | | |
| 15 | For each product installed without SMP/E, determine from product documentation whether SMP/E should have been used. If so, investigate why it was not. | | | |
| 16 | For products that are installed without SMP/E, ensure that adequate change control procedures are in place. Use the Program Statistics (5.2) and Program Origin (5.1) displays to compare library maintenance activity to change control authorization records. Note any unaccounted-for changes in load module compilation or link-edit dates. Follow up any evidence of unauthorized superzap use. | | | |
| 17 | For products installed with SMP/E, determine whether the alternatives between a shared or a unique CSI for a particular product were considered. | | | |
| 18 | If multiple CSIs are used, determine which CSIs contain the global zone. Access authority needed for a global zone in one data set might be different from authority needed for its target and distribution zones in other data sets. | | | |
| 19 | Verify the accuracy and completeness of the information obtained from Technical Support in Step 12. See the Usage Guide for information about how to identify any additional SMP/E directories. | | | |
| 20 | Determine whether SMP/E control information agrees with what is in your system. To analyze SMP/E using CA Auditor, select the CSI that you want to process from the SMP/E Global CSI List (2.3.1). Do not limit your search to a particular zone. | | | |
| 21 | Find the products that SMP/E installed and compare them to the Computer System Profile form from Technical Support. Use the Installed Products display (2.3.3) to list all of the products defined in the CSI that you selected. If you are using multiple CSIs at your data center, you must run this display for each CSI that contains the global zone. Verify agreement with the information from Step 12. | | | |
| 22 | Using the work paper created in Step 13 and the information obtained from the Installed Products display (2.3.3), verify that each CSI contains the product or products that the records reflect. | | | |
| 23 | Check vendor billing documents to determine that you are being charged for the correct version and level number of each PP that the display lists. Note any pricing adjustments. | | | |
| 24 | For each CSI, identify the PPs that perform overlapping or similar functions. Your system should run similar products only during periods of evaluation or conversion. For example, use the Installed Products display to list the following products: performance monitor software (CA SYSVIEW, Omegamon, Resolve, or RMF). | | | |
| 25 | Find obsolete versions of a PP in a particular CSI by using the Installed Products display. Sort by the description field and use the LOCATE command to find products that are similar. | | | |
| 26 | For each library, identify the PPs that perform overlapping or similar functions. Similar products should be on the system only during periods of evaluation or conversion. For example, use the Product Identity display (2.3.4) to list the following products: performance monitor software (CA SYSVIEW, Omegamon, Resolve, or RMF). | | | |
| 27 | Find obsolete versions of a PP in a particular library by using the Product Identity display (2.3.4). Sort by the description field and use the LOCATE command to find products that are similar. | | | |
| 28 | Using the Product Identity display, list the programs for which CA Auditor could not associate a product. Investigate the origin of any unknown products, paying particular attention to those programs residing in APF-authorized libraries. | | | |
| 29 | Validate your program libraries. Run the Library Analysis display (2.3.5) against each of the critical program libraries (such as the linklist, LPA, and APF-authorized libraries) to identify the programs that are maintained by SMP/E and those that are not. This display checks program names and aliases found in the load library against the CSI that you selected. | | | |
| 30 | If the program is not defined in the selected CSI, verify that the program is not defined to other CSIs. Select another CSI and repeat this analysis for undefined programs. | | | |
| 31 | Further review the contents of the unidentified programs for each library that you listed in Step 28. Use the Library Analysis display (2.3.5) to review the entries that are marked RECOMMENDED FOR REVIEW. | | | |
| 32 | Review any discrepancies with alias names that the Library Analysis display flagged with an asterisk. If SMP/E does not know about the alias relationship found in the library, follow these up with Technical Support. The aliases could be nonexistent, misplaced, and so on. See the Usage Guide for more information about alias relationships. | | | |
| 33 | Check any programs that SMP/E shows residing in a library other than the one you are currently processing. SMP/E applies maintenance to the library that it knows about, which can cause problems during maintenance or afterwards when an unmaintained copy is executed. | | | |
| 34 | At this point, you have cross-referenced the products, libraries, and associated SMP/E CSIs and zones. Additionally, you have listed programs that are not maintained by SMP/E. Now, verify that all maintenance was applied through SMP/E. Run the Program Updates display (2.3.6) against the libraries that you identified in Step 28. | | | |
| 35 | Detect program CSECTs that were zapped outside of SMP/E control by using the Program Updates display (2.3.6). Review the entries marked with an asterisk. Follow up with Technical Support. You might request an AMBLIST IDRDATA for the module and an SMP/E LIST of the UMID data. | | | |
| 36 | As an additional check, look for other evidence that library maintenance is performed outside of SMP/E. Use the SMF Search Criteria display (1.5.4) to determine if anything other than SMP/E updated the production libraries. Sort and locate the SMF record types 15 and 30 to detect library updates. You can also use the loggings from your access control package to find this information. | | | |
| 37 | Monitor changes in link-edit dates. Run the Program Statistics display (5.2) against the library and save the output. Run it against the library again at a later date and compare the output to the previous results. Alternatively, run the Program Statistics display (5.2) against the library and sort the display by link-edit date. Determine whether modules were relinked subsequent to the installation of the product. Relinked modules should be supported by change control authorization records. | | | |
| 38 | For each PP installed on the system, use the File History Search display (6.5) to search SMF files or log streams for updates to the PP libraries. If any are found, verify agreement with the data center's change control records and procedures. | | | |
| 39 | For each PP installed, check your access control software to verify that each PP library named on the Computer System Profile sheet is protected from unauthorized access or modification. | | | |
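
The link-edit date comparison that Steps 16 and 37 describe, as an added example that is not part of CA Auditor or this checklist: two snapshots of a load library are compared, and every module that was relinked or newly added is checked against the change control authorization records. The snapshot layout (`module,YYYY-MM-DD`), the module names, and the authorization records are all constructed for the example; they are not the format of the Program Statistics display, so that display would first be exported or re-keyed into these lines.

```python
# Added example: flag relinked load modules that have no change-control record.
# The 'module,YYYY-MM-DD' snapshot layout and all names below are constructed
# for this example; they are not the CA Auditor Program Statistics format.
from datetime import date

# Constructed baseline snapshot taken when the product was installed.
BASELINE = """\
IEFBR14,2009-01-15
SYSVIEW1,2009-01-15
PAYROLL1,2009-01-15
PAYROLL2,2009-01-15
"""

# Constructed snapshot of the same library taken at a later date.
CURRENT = """\
IEFBR14,2009-01-15
SYSVIEW1,2009-03-02
PAYROLL1,2009-04-20
PAYROLL2,2009-01-15
AUDITX,2009-04-21
"""

# Constructed change-control records: module -> (ticket, authorized link date).
AUTHORIZED = {"SYSVIEW1": ("CC-1042", date(2009, 3, 2))}


def parse_snapshot(text):
    """Return {MODULE: link_date} from 'module,YYYY-MM-DD' lines (blanks skipped)."""
    modules = {}
    for line in text.splitlines():
        if line.strip():
            name, ymd = (field.strip() for field in line.split(","))
            modules[name.upper()] = date.fromisoformat(ymd)
    return modules


def find_relinked(baseline, current):
    """Modules whose link-edit date moved forward, or that are new to the library."""
    return {name: (baseline.get(name), when) for name, when in current.items()
            if baseline.get(name) is None or when > baseline[name]}


def unauthorized_relinks(relinked, authorized):
    """Relinked modules whose new link date matches no authorization record."""
    return [(name, old, new) for name, (old, new) in sorted(relinked.items())
            if name not in authorized or authorized[name][1] != new]


if __name__ == "__main__":
    relinked = find_relinked(parse_snapshot(BASELINE), parse_snapshot(CURRENT))
    for name, old, new in unauthorized_relinks(relinked, AUTHORIZED):
        print(f"REVIEW {name}: link-edit {old or 'not in baseline'} -> {new}")
```

Modules that disappeared from the library between snapshots are not reported here; the Library Analysis and Program Updates displays in Steps 29 through 35 cover that side of the review.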
Copyright © 2009 CA. All rights reserved.