Auditors Checklist

The IT auditor checklist summarizes key settings and access controls to audit for the CA Endevor SCM system. It includes questions about securing the alternate ID, controlling action authorization and access levels, controlling administrator files and privileged access, and ensuring proper SMF recording. The checklist provides recommendations for where and how to verify each setting or control and determines if any are configured differently than recommended.

Uploaded by

Norah Al-Shamri

IT Auditor Checklist for CA Endevor SCM

Note: In the Value column, the number of exclamation marks (!) indicates the value of the item to the audit, where !!! is critical and !! is important.

Data Set Security

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| !!! | Is the Alternate ID enabled? | C1DEFLTS table Type=MAIN section | RACFUID= alternateID-name | |
| !!! | If used, is the Alternate ID enabled for USS files and directories? | ENCOPTBL, Options table | ENABLE_ALTID_USS_SECURITY=(ON,nn)-- Enables Alternate ID support for UNIX USS files. | |
| !!! | Verify with the security administrator that the security software profiles protect the CA Endevor SCM data sets and that update authority has been granted to the Alternate ID for those libraries. | Security administrator | | |
| | Is the alternate ID enabled for internal reader jobs? | ENCOPTBL, Options table | INTRDR_ALTID=Y | |
| | Is the Alternate ID enabled for the Package Ship feature? | ENCOPTBL, Options table | PACKAGE_SHIP_WITH_ALTID=Y | |
| | Is the alternate ID turned off for Exits and Package Exits? | Exit table C1UEXITS parameter USE_ALTID= | USE_ALTID=N indicates that the alternate ID is turned off. USE_ALTID=Y indicates that the alternate ID is used to access data sets, but switches back to the user ID for all other processing during the exit. USE_ALTID=+ indicates that the alternate ID is used to access data sets and for all other processing during the exit, so that your internal reader jobs are submitted under the alternate ID. | |
| | Is the alternate ID turned off in processors? | Processor JCL EXEC statement | ALTID=N --Indicates that the alternate ID is turned off for this processor. | |
| | Is the alternate ID turned off for DB2? | If DB2 is in use, review with the administrator. | | |

Action Authorization (Functional) Security

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| !!! | What access levels are required to perform various functions? | ESI name equates table, FUNCEQU entries | | |
| !!! | What are the pseudo data sets rules for resource checking? | ESI name equates table, NAMEQU entries | | |
| !!! | Who has access to which Environments, Systems, Subsystems and Types? | Generate reports from your security software to identify who has access to any of the files used within CA Endevor SCM, this includes: | | |
| !! | How often is the ESI trace facility run to verify the ESI table is creating pseudo data set names as expected? | Ask the administrator. | monthly | |
| !! | How often does the security administrator verify that the proper profiles have been set up in the security software to protect the pseudo data sets. | Generate reports from your security software to identify who has access to any of the files used within CA Endevor SCM. | monthly | |

Control of Administrator Files and Privileged Access

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| !! | What inventory location (Environment, System, Subsystem) is used to store CA Endevor SCM configuration files and is access limited to administrators? | Ask the administrator. | Access limited to administrators | |
| !!! | What inventory location (Environment, System, Subsystem) is used to store Processors and is access limited to administrators? | Ask the administrator | Access limited to administrators | |
| !!! | Is SMF admin action recording activated? | NOTE: This same question appears in the SMF Recording section of this checklist. See the SMF Recording section for details. | | |
| !! | Is package approval processing required to move any Elements into the Production Environment? | Ask the administrator | Package approval is required. | |
| !!! | Who can move Packages into the Production Environment? | ESI name equates table NAMEQU entries that determine who has authority to perform Package actions and who has authority to move the Elements within those Packages to Production. | Only privileged users or administrators should have security to execute a Package that moves Elements to Production. | |
| !!! | Are critical files only accessible by administrators? | Observe the security administrator run reports from your security software to identify who has access to any of the files used within CA Endevor SCM, this includes: --All of the files identified within the C1DEFLTS table --System Processor output libraries --Type Definition Base, Delta and Source output libraries -- Processor output files -- custom user exits | Only CA Endevor SCM administrators and system administrators should have Update, Alter, or Control access to any of these files. | |

SMF Recording

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| !!! | Is SMF recording enabled for this site? | Site Options report, C1DEFLTS section, or C1DEFLTS Type=Main section | Site Options report, C1DEFLTS section, parameter SMF Record Number. C1DEFLTS, TYPE=MAIN section, parameter: SMFREC#=n, where n is 1 or more. | |
| !!! | Is SMF security violation recording activated? | C1DEFLTS Type=Environment section | TYPE=ENVIRONMENT in C1DEFLTS parameter SMFSEC=Y | |
| !!! | Is SMF Element action recording activated? | C1DEFLTS Type=Environment section | TYPE=ENVIRONMENT in C1DEFLTS parameter SMFACT=Y | |
| !!! | Is SMF admin action recording activated? | C1DEFLTS Type=Environment section | TYPE=ENVIRONMENT in C1DEFLTS parameter SMFENV=Y | |
| | Is the admin action log enabled? | C1DEFLTS Type=Main section | ALOGDSN=logname | |
| !!! | Is admin action recording for Packages activated? | C1DEFLTS Type=Main section | SMFPKGADM=Y | |
| | What are the review procedures for these reports? | Ask the administrator. | Reports should be reviewed periodically. | |

Backup and Recovery

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| !!! | How often are full volume backups performed? | Ask the administrator | Weekly | |
| !!! | How often are incremental unloads performed? | Ask the administrator | Daily | |
| !!! | How often is data validation performed? | Ask the administrator | Daily | |

Packages

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| | Is the Package processing enabled? | Site Options report Package Processing Options section or C1DEFLTS Type=MAIN section | C1DEFLTS parameter: PKGDSN=uprfx.uqual.PACKAGE | |
| | Is Package approval enabled at the site level? | Site Options report Package Processing Options section or C1DEFLTS Type=MAIN section | C1DEFLTS parameter: APRVFLG=Y | |
| | Is security checking required on Package casts? | Site Options report Package Processing Options section or C1DEFLTS Type=MAIN section | C1DEFLTS parameter: PKGCSEC=Y | |
| | Are security authorizations checked for every action in a Package for the user ID requesting the Package inspect? | Site Options report Package Processing Options section or C1DEFLTS Type=MAIN section | C1DEFLTS parameter, PKGISEC=Y or no value PKGISEC= | |
| | Which approver groups protect which Environment and how are these approver groups defined? | CONRPT10 | | |
| | Which approver groups are used in which inventory areas? | CONRPT11 | | |
| | Is more than one approver required to approve a Package? | CONRPT10 | Review the approver group definitions to ensure that more than one approver is required to approve a Package. | |
| | Are approvers disqualified from approving their own work? | CONRPT10; Site Options report's Optional Features Table ENCOPTBL setting; or ENCOPTBL file. | Disqualify=Y parameter on selected approver groups definitions. Alternatively, the ENCOPTBL parameter: APPROVER_DISQUALIFIED=Y enforces the option site wide. The Site Options report shows this option as APPROVER DISQUALIFIED. | |
| | How often is the Package data set cleaned out to remove production changes that have been successfully executed? | Ask the administrator. | | |
| | Who maintains (cleans out) the Package data set? | Ask the administrator. | | |

Footprints

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| | Do all generate processors include the FOOTPRNT=CREATE statement? | Observe the administrator run the Search utility for FOOTPRINT=CREATE in processor JCL. Review the JCL for each Processor. | Each move processor should include FOOTPRNT=VERIFY | |
| | Do all move processors include the FOOTPRNT=VERIFY statement? | Observe the administrator run the Search utility for FOOTPRINT=VERIFY in processor JCL. Review the JCL for each Processor. | Each generate processor should include FOOTPRNT=CREATE | |
| | When and how often are the following footprint reports generated and reviewed? -- | | | |
| | CONRPT80, Library Member Footprint Report | Ask the administrator | | |
| | CONRPT81, Library CSECT Listing | Ask the administrator | | |
| | CONRPT82, Library Zapped CSECT Profile | Ask the administrator | | |
| | CONRPT83, Footprint Exception Report | Ask the administrator | | |
| | What is the JCL library at the remote site that contains the footprint extract and data transmission utilities? | Ask the administrator | | |
| | Does the remote site JCL library contain the JCL to execute the footprint extract program, BC1JFEXT? | Ask the administrator | | |
| | Does the remote site JCL library contain the appropriate data transmission utility program? | Ask the administrator | The utility depends on the transmission method being used: BC1FNDM for CONNECT:Direct, BC1FNTV for NetView, or BC1FBDT for Bulk Data. | |
| | Does the remote site JCL library include the report generator, BC1FRPT? | Ask the administrator | The report generator program is optional, because the reports could be generated at the host site if the footprint extract data set is transmitted to the host. | |

CCIDs and Comments

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| | Where (in which Systems in which Environments) are CCIDs required? | CONRPT07, System Definition report | CCID Req is Y | |
| | Where (in which Systems in which Environments) are comments required? | CONRPT07, System Definition report | Comment Req is Y | |

Element Registration

| Value (!!!=critical, !!=important) | Audit Question | Where to verify the setting or usage | Recommended setting or usage | Found setting or usage if different from recommendation |
|---|---|---|---|---|
| | Is Element Registration set at the site-level? | Site Options report, ENCOPTBL section | Site Options report: ELM_REG_CHK_OUTPTYPE_ACROSS_SY. ENCOPTBL: ENHOPT REGISTER_ACROSS_SYSTEMS=(ON,E) | |
| | Is Element Registration for processor groups set at the site-level? | Site Options report, ENCOPTBL section | Site Options report: REGISTER_ACROSS_SYSTEMS. ENCOPTBL: ENHOPT ELM_REG_CHK_OUTPTYPE_ACROSS_SYSTEMS=ON | |
| | If not set site-wide, where (in which Systems in which Environments) is Element Registration at the System level in effect? | CONRPT07, System Definition report | DUP ELM NAME CHK, MSG SEV | |
| | If Element Registration is activated for a System, is it activated in each Environment in which that System appears? | CONRPT07, System Definition report | DUP ELM NAME CHK, MSG SEV | |
| | Is the same message severity level set on the System definition in each Environment where the system appears? | CONRPT07, System Definition report | DUP ELM NAME CHK, MSG SEV | |
| | Where (in which Systems in which Environments) is Element Registration at the processor group level in effect? | CONRPT07, System Definition report | DUPPROC O/P TYPE CHK, ACROSS SBS, MSGSEV | |
| | If processor group level Element Registration is activated for a System, is it activated in each Environment in which that System appears? | CONRPT07, System Definition report | DUPPROC O/P TYPE CHK, ACROSS SBS, MSGSEV | |
| | Is the same message severity level for the processor group level set on the System definition in each Environment where the system appears? | CONRPT07, System Definition report | DUPPROC O/P TYPE CHK, ACROSS SBS, MSGSEV | |
