On June 13, 2014 IBM CICS Transaction Server for z/OS V5.2 has become generally available. A service stream enhancement (SSE) to IBM Security zSecure 2.1 provided currency support on June 14, 2014. This SSE furthermore extends the zSecure Audit Compliance Testing Framework with additional DISA-STIG support and provides a number of usability enhancements.

Background

Mainframes continue to be the home for mission critical information and essential  business production applications in many organizations due to the strong heritage of integrated security support capabilities across hardware, operating system, software and applications. IBM Security zSecure suite builds on the security support in z/OS and  Resource Access Control Facility to enhance mainframe security capabilities.

The Security Technical Implementation Guide from the Defense Information Systems Agency provides a framework for ensuring that security is set up properly. IBM zSecure Audit helps automate compliance control points belonging to this standard as well as for the Payment Card Industry Data Security Standard (PCI-DSS) from the Payment Card Industry Security Standards Council and GSD331/ISeC (a global services document with security controls documentation from IBM).

Benefits

The following updates are provided:
* Additional compliance checks for DISA-STIG controls have been added to the rule-based compliance auditing (AU.R) menu
* Support for compressed CICS event records (SMF 110)
* Reporting configuration of stronger cryptographic ciphers per Special Publication 800-131A from the National Institute of Standards and Technology (NIST) in CICS V5R2
* A new option to send a report as an e-mail attachment on the "send as e-mail" panel
* Extensions to the selection criteria for IP-based event reporting (EV.I)

These features apply to zSecure Audit for RACF and zSecure Audit for ACF2. Some features apply to zSecure Admin and zSecure Audit for Top Secret as well. Some of the underlying capabilities can be used in other components of the zSecure suite through the CARLa Auditing and Reporting Language (CARLa) though not exploited in the product 'out of the box'.

Documentation updates have been provided in a Technote. This Technote furthermore adds documentation on how to exploit zEnterprise Data Compression for zSecure.

Prerequisites

To fully benefit from these enhancements the following is required:

* IBM Security zSecure 2.1, or one of the zSecure Compliance and Auditing solutions
* PTF UA73808 for APAR OA45298 (this updates general zSecure code)
* PTF UA73809 for SYSROUTE APAR OA45299 (this contains parts specific to ACF2)

The exploitation of zEnterprise Data Compression also described in the TechNote does not require any updates to zSecure.

IBM Security zSecure CICS Toolkit 2.1 works with CICS V5R2 without modifications.

Migration

The zSecure Audit Compliance Testing Framework has been extended with a new configuration member in the CKACUST customization data set. The job CKAZCUST to populate a CKACUST data set has been upgraded and this revised job can be re-run on an existing one prior to using option AU.R (rule-based compliance reporting) again. For best results the new member should be revised to conform to the installation's needs.

Further reading

This is the 4th service stream enhancement for zSecure 2.1. You can find the description of the new functions in the previous ones here:
* Integration with IBM InfoSphere Guardium Vulnerability Assessment
* Support for DB2 11 and IMS 13
* Compliance Testing Framework extended with PCI-DSS compliance checks

If you have any questions, please post them here or on the zSecure forum. You can also visit the zSecure community and wiki. The current zSecure for z/VM release at the time of original publication was 1.11.1. The IBM Security zSecure today developerWorks article serves as a starting point to reach all the latest zSecure announcements.

Note: The Migration section was added after original publication.