Infrastructure Services
Middleware and Database Build
Procedure
Table of Contents
1 Document Control
  1.1 Summary of Changes
  1.2 Document Approvers
  1.3 Document Review Plans
  1.4 How to Find the Latest Revision of this Document
  1.5 Document Distribution and Notification
2 Description
3 Scope
  3.1 Environment and Audience.
4 Details
  4.1 GSDCat (Delivery Catalog).
  4.2 Controls
  4.3 Workflow
  4.4 Build Procedure Workflow
  4.5 Build Procedure Narrative
5 Business Rules
  5.1 Policies
  5.2 Control Points
  5.3 Key Metrics
6 Related Assets
  6.1 Related Processes or Service Flows
  6.2 Referenced Procedures
  6.3 Referenced Supporting Documents and Work Instructions
7 Appendix
  7.1 Screenshots
  7.2 Other Details
  7.3 Glossary
End of Document
1 Document Control
1.1 Summary of Changes
Revision Number | Revision Date | Author or Editor | Nature of Change
2 Description
This procedure provides the required steps for building (installing) middleware and database products in
accordance with IBM and client requirements.
This procedure is called from the Server Build & Decommission or Mainframe Build & Decommission Service
Flows when middleware or database products are being installed along with an operating system. It can
also be used as a standalone procedure when a middleware or database product is being installed in
isolation (i.e. on an existing system).
The business objectives of the procedure are to:
• Provide a consistent approach that ensures configuration items under GTS Infrastructure
  Services management are built according to client and IBM requirements.
• Establish effective and appropriate controls over configuration items being entered into
  production by GTS Infrastructure Services.
• Provide a means for retaining evidence generated during build in support of compliance
  requirements.
3 Scope
The Middleware and Database Build Procedure applies to configuration items where IBM is responsible
for maintaining security controls on the configuration item in accordance with client requirements.
The Middleware and Database Build Procedure is further defined by the following inclusions and
exclusions, and applies in the specified environment and has the intended audience as specified below:
• Middleware and Database products include all products supported by the Middleware and
  Database Service Area teams within GTS Infrastructure Services, and specifically exclude tooling
  products typically used in the monitoring or management of systems. Products supported by the
  Middleware and Database Service Area teams include the following categories of products:
    o Big Data Analytics
    o Integrated Systems and Appliances
    o Distributed Database Products
    o Mainframe Database Products and DB/DC
    o Application Integration Middleware
    o Business Applications Services Middleware
    o Email & Collaboration
    o Mobile Enterprise Services
  Note: Product listings can be found at
  https://w3-connections.ibm.com/wikis/home?lang=en-us#!/wiki/Wd533af36fa72_4fa7_b17c_8696d9232fcd/page/Service%20Components
  but are not limited to these products.
• This procedure provides the primary guidance for execution teams. However, the customer
  security policy may document additional requirements and specific contractual obligations.
  Consult governing policy and/or customer requirements from Client Management for
  consideration of local regulatory and customer-specific requirements on privacy restrictions,
  including additional approval requirements for access to sensitive personal information (SPI) and
  for obtaining required credentials, such as certifications and/or security clearance, on-boarding
  restrictions, access restrictions, etc.
• Configuration items not under GTS Infrastructure Services managed services control are not
  covered by this procedure. This includes situations where GTS Infrastructure Services teams are
  building configuration items for handover to a client where no ongoing management by GTS IS in
  steady state will occur. These situations are handled as projects and will be governed by the
  client requirements for completion.
• End user configuration items (e.g. personal computers and mobile devices) are not included in
  the scope of this procedure.
System: Applies to Middleware & Database products supported by the Middleware and
Database Service Area teams, as defined above.
4 Details
4.1 GSDCat (Delivery Catalog).
Activity Key: Not Applicable
Sub-Activity Key: Not Applicable
4.2 Controls
Attributes | Details
Inputs:
1. Build Request from Account Authorized Requester and corresponding change
   record following change management process
Middleware/Database Administrator:
This role is responsible for performing the steps required to build or decommission
a middleware or database product in accordance with client and IBM requirements.
Specific responsibilities include:
• Performs:
  ◦ Pre-Build Review
  ◦ The technical steps required to build or decommission a middleware or
    database product, including triggering and execution of interdependent
    processes used in the course of the build or decommission activity.
• Responsible For:
  ◦ Build of a middleware or database product in accordance with client and
    IBM requirements
  ◦ Decommission of a middleware or database product in accordance with
    client and IBM requirements
  ◦ Creation of artifacts generated in the course of build or decommission to
    evidence compliance with client and IBM requirements.
Account Security Focal:
This role is responsible for execution of Risk & Compliance owned global processes
triggered in support of a build or decommission. This role represents a functional
part of the organization and could be filled by multiple individuals based on the
roles and responsibilities of the respective global processes being followed.
Specific responsibilities include:
• Drives the evaluation of whether a Technical Specification is required when
  one is not available for the configuration item being built, and if required,
  drives the creation of the Technical Specification and corresponding update
  to the Customer Security Document.
• Drives the IT Risk Management process, when determined necessary, to
  assess risk related to the use of unsupported hardware or software for new
  builds.
4.3 Workflow
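[Workflow diagram. Recoverable labels: swimlanes "Account ... Focal" and "CAR Performer"; step numbers 15.0, 4.0 and 9.0; step names "Handle Security Policy Pre-Build Requirements" and "Create Configuration Item Artifact Repository (CAR) Request".]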
NOTE: Steps 7.0, 8.0 & 9.0 can all happen in parallel. The
only dependency is that the install date is required to be
known when opening a CAR Request (step 9.0).
9.0 | CAR Performer | 5 | 3.0, 5.0 | Create Configuration Item Artifact Repository (CAR) Request
The objective of this step is to create a request in the CAR
tool in order to store artifacts from the build activity for the
purposes of evidencing compliance.
Invoke Configuration Item Artifact Repository Request
Procedure.
NOTE: Steps 7.0, 8.0 & 9.0 can all happen in parallel. The
only dependency is that the install date is required to be
known when opening a CAR Request.
14.0 | Account Authorized Requester | 10 | 13.0 | Engage Support Teams to Prepare for Steady State
Once the required software, agents and tooling are
installed on the configuration item, the engagement of
steady state support teams to activate support must be
performed. Examples of steady state support teams
include Monitoring and Backup & Restore teams.
15.0 | Account Authorized Requester | 11 | 14.0 | Request Removal of Access for Build Team & Shared ID Ownership Change (optional, if required)
If the build team is not the team that will be providing
steady state support, the IDs used to perform the build
activities must be removed from the system.
In addition, ownership of the Shared IDs must be updated to
reflect the steady state support team.
Invoke Global IAM Process/Global IAM Primary
Controls Delete User ID or Access Procedure for the
deletion of IDs, as required.
Invoke Global IAM Process/Global IAM Primary
Controls Modify User ID or Access Procedure to
update ownership of Shared IDs, as required.
5 Business Rules
5.1 Policies
Policy Name | Description
Policy Name: Use of Cloning During Configuration Item Build
Description: The build of a configuration item using a cloning method must follow the
Configuration Item Build & Decommission service flows and execute all required controls.
Special attention must be paid to the protection of customer data during use of
a cloning method when building a configuration item.
Policy Name: Scope Alignment Between Security Inventory and Configuration Item Build &
Decommission Global Processes
Description: The scope of configuration items that (1) must be recorded in the
geography/account appropriate Security Inventory system, and (2) must follow
the Configuration Item Build & Decommission (CIB&D) Global Process is
EXACTLY THE SAME.
Policy Name: Software Licensing During Build
Description: Appropriate Licenses Required for all Software Installed During Build
CP-MD-1 | Initial Compliance Validation | Compliance, Preventative
Risk: Configuration Item not built as per the Technical specifications agreed with the customer
Description: An Initial Configuration Validation must
be performed and a compliant output obtained
confirming the configuration item has been
hardened as per the technical specifications.
(CAR-A Question #102)
CP-MD-2 | Code Currency | Compliance, Preventative
Risk: Configuration Item not at the required account baseline for currency
Description: Configuration Item must be brought to
required account baseline for patches and/or
firmware before being entered into production.
(CAR-A Question #115)
CP-MD-3 | ID Management | Compliance, Preventative
Risk: Unauthorized users accessing the configuration item in Production
Description: IDs must be created on configuration
item only after receiving appropriate authorization.
(CAR-A Question #195/196)
CP- Inventory Risk: Configuration Item will not be managed in Compliance,
None
6 Related Assets
6.1 Related Processes or Service Flows
Process Name | Relationship with this procedure
Configuration Item Build & Decommission Service Flows | Configuration Item Build & Decommission Service Flows trigger use of this procedure in support of build activities
Configuration Item Artifact Repository (CAR) Request Procedure | Called during build to capture evidence that controls are met
None
7 Appendix
7.1 Screenshots
7.3 Glossary
Term | Definition
Build: Build is defined as the installation and configuration of a new configuration item
into a production environment.
CSD: The documentation that is created for each customer as a result of the Security
Policy Management activity is referred to as the Customer Security Document (CSD).
Database: Databases refers to the datafiles / tables / schemas used by the customer. The CAR
checklist should be used to add/modify configuration items within inventory.
Database Instance: Database Instance refers to the software component and the in-memory
processes used to run a database.
Decommission: The removal of a configuration item from production and/or IBM managed services
responsibility.
GSD331: Security Controls for Strategic Outsourcing Customers
ITCS104: Information Technology Security Standards. IBM internal security standards and
guidelines that provide end-to-end security for applications and information
across multiple hardware and software platforms and networks.
ISEC: Security Controls for Strategic Outsourcing Customers (Replaces GSD331 for new
customers)
Middleware: Middleware refers to Middleware product software beyond what is normally
available within the OS. This software is used to service customer applications. This
does not include IBM support products such as Tivoli.
End of Document