IBM Z9 Planning Manual page 237

Processor resource/systems manager

• The hardware and any networks used to connect the hardware must be
  physically secure. Access to I/O devices must be restricted to authorized
  personnel. The hardware system console must be physically protected from
  access other than by authorized system administrators.
• The Hardware Management Console User Interface Style selection must specify
  "Classic Style".
• The remote support facility must be disabled.
• Devices should be configured so that no device is accessible by more than one
  partition (although they may be accessible by more than one channel path).
• Each I/O (physical) control unit should be allocated to a single partition in the
  current configuration.
• The Security Administrator should not reconfigure a channel path unless all
  attached devices and control units are attached to that path only.
• The Security Administrator should help ensure that all devices and control units
  on a reconfigurable path are reset before the path is allocated to another
  partition.
• No channel paths should be shared between partitions.
• The amount of reserved storage for a partition should be zero to eliminate the
  possibility of a covert channel.
• Although the system will help ensure that the total number of dedicated and
  shared processors is not overallocated, the System Administrator should make
  sure that the number of processors dedicated to activated partitions is less than
  the total number available. This is important so that some processors are
  available for partitions that do not have dedicated access.
• Dynamic I/O Configuration changes should be disabled (i.e., changes require a
  power-on reset).
• I/O Priority Queuing should be disabled.
• Workload Manager should be disabled so that CPU and I/O resources are not
  managed across partitions.
• No partition should be configured to enable HiperSockets (Internal Queued Direct
  I/O).
• Partitions should be prevented from receiving performance data from resources
  that are not allocated to them (no partition should have Global Performance Data
  Control Authority).
• At most one partition should have I/O Configuration Control Authority (i.e., no
  more than one partition should be able to update any IOCDS).
• The Security Administrator should help ensure that write access is disabled for
  each IOCDS, unless that IOCDS is to be updated (the current IOCDS should not
  be updated).
• The Security Administrator should verify any changed IOCDS after a power-on
  reset with that IOCDS, before any partitions have been activated (the Security
  Administrator may determine whether the IOCDS has been changed by
  inspecting the date of the IOCDS).
• No partition should have Cross-partition Control Authority (i.e., no partition should
  be able to reset or deactivate another partition).
• No partition should have coupling facility channels that would allow
  communication to a Coupling Facility partition.
• Replication of HMC Customizable Data must be disabled.
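
The partition-isolation items in the list above can be checked mechanically once the configuration is written down as an inventory. The following is an added example, not taken from the manual or from any IBM tool: the inventory layout, field names and sample values are constructed for illustration and do not correspond to an HMC export format, and only the items that can be derived from a per-partition inventory are covered.

```python
from collections import defaultdict

# Constructed sample inventory; field names are hypothetical, not an HMC export format.
SAMPLE = {
    "total_processors": 8,
    "partitions": [
        {"name": "LPAR1", "active": True, "dedicated_cps": 4, "reserved_storage_mb": 0,
         "devices": {"0A00", "0A01"}, "chpids": {"10", "11"},
         "authorities": {"io_config_control"}, "hipersockets": False, "cf_channels": False},
        {"name": "LPAR2", "active": True, "dedicated_cps": 4, "reserved_storage_mb": 512,
         "devices": {"0A01", "0B00"}, "chpids": {"11", "20"},
         "authorities": {"io_config_control", "global_performance_data"},
         "hipersockets": True, "cf_channels": False},
    ],
}

def audit(cfg):
    """Return a sorted list of (rule, detail) findings against the checklist."""
    findings, parts = [], cfg["partitions"]
    # Each device and each channel path must be reachable from one partition only.
    for key, rule in (("devices", "shared-device"), ("chpids", "shared-channel-path")):
        owners = defaultdict(list)
        for p in parts:
            for item in p[key]:
                owners[item].append(p["name"])
        for item, names in owners.items():
            if len(names) > 1:
                findings.append((rule, f"{item}: {','.join(sorted(names))}"))
    for p in parts:
        if p["reserved_storage_mb"] != 0:  # reserved storage must be zero
            findings.append(("reserved-storage", p["name"]))
        for flag in ("hipersockets", "cf_channels"):  # neither may be enabled
            if p[flag]:
                findings.append((flag, p["name"]))
        for auth in ("global_performance_data", "cross_partition_control"):
            if auth in p["authorities"]:  # no partition may hold these authorities
                findings.append((auth, p["name"]))
    # At most one partition may hold I/O Configuration Control Authority.
    io_ctl = sorted(p["name"] for p in parts if "io_config_control" in p["authorities"])
    if len(io_ctl) > 1:
        findings.append(("io_config_control", ",".join(io_ctl)))
    # Processors dedicated to activated partitions must be fewer than the total.
    dedicated = sum(p["dedicated_cps"] for p in parts if p["active"])
    if dedicated >= cfg["total_processors"]:
        findings.append(("dedicated-processors", f"{dedicated}/{cfg['total_processors']}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result means none of the covered items is violated; the physical-security, HMC and IOCDS items still need to be verified by the Security Administrator.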
Appendix B. Developing, Building, and Delivering a Certified System
B-3
