Before using SMP/E directly to control the installation and maintenance of your software environment, your site should formulate a change control management policy and related procedures. While SMP/E can control the changes made to your software, you must use it consistently for it to be effective. Your security policy must stress the use of SMP/E as the change control system and outline procedures to control its use.
Because SMP/E can introduce fixes that modify the expected results of a critical software program, you must control access to it. You must also have procedures to control and track the distribution of the tapes that contain SMP/E programs and fixes. This ensures that SMP/E only controls the system and does not corrupt it. You must also ensure that access control software and physical controls are in place to protect access to SMP/E through ISPF/PDF and SMP/E data sets, tapes, fixes, and so on. Check the appropriate user profiles, permissions, and access rules to determine whether appropriate software controls are implemented. Physical controls include tracking and placing tapes in tape libraries. You can implement other procedures to validate whether SMP/E successfully processed a maintenance tape by establishing quality assurance procedures to review system maintenance activities.
Controlling access to SMP/E also includes keeping audit trails of who installed SMP/E, who maintains it, when SMP/E was installed, and whether these audit trail reports are properly accounted for and filed. These records are vital to establishing responsibility and accountability for systems software changes.
Your procedures should provide for frequent and periodic backups of SMP/E data sets so that they are not lost or corrupted. The SMP/E data sets map the structure of the operating system and, if lost, could endanger the integrity of the system. If they had to be rebuilt from old copies, vital information might be lost or misplaced. The CA Auditor SMF Scan Display can show you SMF records that tell you whether SMP/E components were backed up properly and on a regular basis. You should ensure that these backups were completed successfully.
The changes made to the system should also undergo quality assurance testing before they are implemented. System modifications (SYSMODs), PTFs, and other changes can all be avenues for introducing either inadvertent errors or malicious changes.
A working knowledge of SMP/E is considered a special skill in today’s software environments, so the staff members who work with and install SMP/E must have an adequate level of training to ensure effective use. Computer‑based training (CBT), DVDs, video tapes, and training classes are ways to obtain additional training. Studying the product documentation is another way. Your policy should outline the minimum training that is acceptable for staff members who use SMP/E. The policy should describe procedures to ensure that training is completed.
Copyright © 2009 CA. All rights reserved.