Frequently asked questions

Does IBM Z Security and Compliance Center need to run on the IBM z16?

Yes, this solution requires the use of the IBM® z16™.

Does this solution need to run on OpenShift Container Platform?

Yes, this solution requires the use of OpenShift® Container Platform on Linux on IBM Z.

If I am running this solution on the z16, can I scan workloads running on earlier versions of IBM Z hardware?

Yes, if you are running z/OS 2.4 or later.

Which regulatory frameworks can the application be used for?

The initially available version of the IBM Z Security Compliance Center will feature predefined 1-to-1 mappings of IBM Z controls to requirements specified in the following standards:

   1. PCI DSS v3.2.1
   2. NIST SP800-53
   3. CIS Benchmarks

Predefined mappings for further standards will be provided in the future, based on user feedback across industries and geographies.

Can I create a custom profile of controls?

Yes, you can create your own profiles and groups of controls using a selection of hundreds of technical checks that the IBM Z Security Compliance Center can perform out of the box. You can also import an extensive set of predefined mappings as a basis for your security procedures.

Through this process, the application may be used to prepare your organization for regulatory frameworks not covered by initially available predefined mappings, as well as for internal requirements that are specific to your organization.

Can I create my own subset of resources so I can validate compliance posture?

Yes, for z/OS systems you can select which LPARs will be in the scope of your scan.

What makes the IBM Z Security Compliance Center different from other compliance and auditing tooling?

The IBM Z Security Compliance Center automates the collection of compliance-relevant data on IBM Z and Linux on IBM Z.

The application contains predefined 1-to-1 mappings of security controls written for IBM Z components (such as RACF, Db2, IBM CICS, IBM IMS, and IBM MQ) to requirements from regulatory frameworks (such as PCI DSS). These mappings were defined by the IBM Z Security team and have been validated with auditors.

Additionally, the solution includes an interactive, customizable dashboard displaying the security controls validated for each requirement, as well as which resources passed and failed. The solution also reports on compliance drift: how compliance posture has changed from one point in time to another.
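The following Python is an added illustration, not IBM's code and not a description of the product's internals. It models three ideas from the answers above: a custom profile that maps technical checks to framework requirements, scoping a scan to a chosen subset of LPARs, and compliance drift between two point-in-time scans. All check ids, requirement labels, LPAR names and pass/fail values are constructed for the example.

```python
"""Added illustration of profile roll-up, LPAR scoping and compliance drift.

Nothing here is IBM's code; the identifiers are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

# requirement id -> technical check ids (hypothetical labels)
Profile = dict[str, set[str]]
# check id -> {resource name: passed?}
CheckResults = dict[str, dict[str, bool]]


@dataclass(frozen=True)
class ScanResult:
    """One point-in-time scan: which resources passed which technical checks."""

    results: CheckResults

    def in_scope(self, lpars: set[str]) -> "ScanResult":
        """Restrict the scan to a chosen subset of resources (LPAR scoping)."""
        return ScanResult({
            chk: {res: ok for res, ok in per_res.items() if res in lpars}
            for chk, per_res in self.results.items()
        })


def requirement_status(profile: Profile, scan: ScanResult) -> dict[str, bool]:
    """Roll technical checks up to requirements.

    A requirement passes only when every check mapped to it was evaluated on
    at least one in-scope resource and passed on all of them. A check with no
    results (never run, or scoped out entirely) counts as failing, so a gap in
    evidence is never reported as compliance.
    """
    status: dict[str, bool] = {}
    for req, checks in profile.items():
        status[req] = all(
            bool(scan.results.get(chk)) and all(scan.results[chk].values())
            for chk in checks
        )
    return status


def compliance_drift(before: ScanResult, after: ScanResult) -> dict[str, list[tuple[str, str]]]:
    """Compare two scans and bucket every (check, resource) pair whose state changed.

    Pairs are reported in sorted order so the report is stable between runs.
    """
    drift: dict[str, list[tuple[str, str]]] = {
        "newly_failing": [], "newly_passing": [], "added": [], "removed": [],
    }
    for chk in sorted(set(before.results) | set(after.results)):
        b = before.results.get(chk, {})
        a = after.results.get(chk, {})
        for res in sorted(set(b) | set(a)):
            if res not in a:
                drift["removed"].append((chk, res))      # no longer scanned
            elif res not in b:
                drift["added"].append((chk, res))        # first seen in the new scan
            elif b[res] and not a[res]:
                drift["newly_failing"].append((chk, res))
            elif not b[res] and a[res]:
                drift["newly_passing"].append((chk, res))
    return drift


# Constructed sample data: a two-requirement profile and two scans of three LPARs.
PROFILE: Profile = {
    "REQ-2.2": {"CHK-RACF-001", "CHK-DB2-007"},
    "REQ-8.2": {"CHK-RACF-001"},
}
BEFORE = ScanResult({
    "CHK-RACF-001": {"LPAR1": True, "LPAR2": True},
    "CHK-DB2-007": {"LPAR1": True, "LPAR2": False},
})
AFTER = ScanResult({
    "CHK-RACF-001": {"LPAR1": True, "LPAR2": False},
    "CHK-DB2-007": {"LPAR1": True, "LPAR2": True, "LPAR3": True},
})

if __name__ == "__main__":
    print("before:    ", requirement_status(PROFILE, BEFORE))
    print("after:     ", requirement_status(PROFILE, AFTER))
    print("LPAR1 only:", requirement_status(PROFILE, AFTER.in_scope({"LPAR1"})))
    print("drift:     ", compliance_drift(BEFORE, AFTER))
```

The design choice worth noting is the failure-closed roll-up: a requirement is only reported as met when every mapped check has evidence for every in-scope resource, so scoping a resource out or skipping a check can never turn a failing requirement green by accident, and the drift report shows which resources stopped being scanned rather than silently dropping them.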

Can I view how a specific regulatory control is validated with the IBM Z Security Compliance Center?

Yes. You can view detailed scan results in the IBM Z Security Compliance Center dashboard, or in a report generated by the application.

For each technical check, you can view a list of all the IBM Z resources that have passed and failed across multiple sysplexes.

You may also view the logic of each scan performed by the application to see exactly what it checked.

How does the IBM Z Security Compliance Center perform scans?

The IBM Z Security Compliance Center is equipped with a microservice that sends an ENF signal to all compatible IBM Z components, triggering them to generate compliance data in an enhanced SMF record that has been custom-built for this application.
