IBM z/VM tapes must use Tape Encryption.

From IBM z/VM Using CA VM:Secure Security Technical Implementation Guide

Associated with: CCI-001199

SV-93609r1_rule IBM z/VM tapes must use Tape Encryption.

Vulnerability discussion

Information at rest refers to the state of information when it is located on a secondary storage device (e.g., disk drive and tape drive, when used for backups) within an operating system.Guest operating systems, such as CMS, that are not capable of enabling the hardware encryption available with the 3592 Model E05 tape drive are able to use z/VM facilities that enable the encryption on behalf of the guest. Guest operating systems that do support tape encryption, such as z/OS with proper service, will be able to do so without interference from z/VM.

Check content

Verify Tape Encryption is in use. For IBM drives issue the following command: Class B: QUERY TAPES DETAIL or Class G: QUERY VIRTUAL TAPES If resulting text includes “ACTIVE KEY LABELS”, this is not a finding. Regardless of the drive type if there is no encryption available, this is a finding.

Fix text

Consult CP Administration manual for procedures to set up IBM Device Encryption. For any other drive type consult manufacturer for encryption procedures.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.