IBM Security Guardium S-TAP for z/OS security recommendations

The following security recommendations apply to S-TAP for Db2, IMS, and Data Sets.

Define the ID assigned to the S-TAP started tasks via system authorization facility (SAF) to the S-TAP product load libraries with READ ONLY access.
The ID assigned to the S-TAP started tasks should not be able to log on to TSO and should be designated for the exclusive use of the S-TAP started tasks.
Ensure that the only TSO ID’s able to update access to the S-TAP product load libraries are those that perform product installation and apply product maintenance.
Security administrators need to work with systems programmers to ensure that the contents of APF/LINKLIST/LPA lists of program libraries are maintained correctly. Update access to these libraries must be defined for each library, independently of the RACF controls.
Ensure verify the source of all APF authorized and system code that you install. If possible, get statements of assurance from the suppliers.
Manage your APF lists with great care. Double-check entries. Do not leave dead entries in the list for simplicity or ease of use. Use a formal checker for the lists if possible.
Do not grant READ access for any configuration libraries except to users with a defined business need.
Strictly follow the documented values for UACC values for system data sets.

For details on security practices, see IBM Redbooks Solution Guide Securing the IBM Mainframe.