What is File Integrity Monitoring (FIM+)?
FIM+ is the file-focused module of CSF. It monitors critical system files for unauthorized changes—detecting malware insertion, ransomware attacks, and unapproved updates before damage spreads.
FIM+ answers the question: "Has anyone tampered with my critical files?"
Why File Integrity Monitoring Matters
Every mainframe breach has a file-level footprint.
Ransomware encrypts datasets. Backdoors embed in APF libraries. Unauthorized changes to PARMLIB alter how your system operates. If you cannot tell exactly what changed, when it changed, and whether that change was approved — you are operating blind.
Most organizations discover file-level compromises hours or days after the fact, buried in thousands of SMF records requiring manual review. By then, the damage has compounded, recovery becomes guesswork, and audit becomes a scramble.
FIM+ was purpose-built to close that gap.
Originally developed in direct response to PCI DSS version 3.2 — which elevated file integrity monitoring from a recommendation to a requirement — FIM+ has since evolved into the core file-focused security module of MainTegrity's Cyber Security Framework.
It goes well beyond compliance, providing the cryptographic certainty and forensic precision that modern mainframe security demands.
What FIM+ Does
FIM+ is the file integrity intelligence layer of MainTegrity's Cyber Security Framework. It answers one question with mathematical certainty: has anyone tampered with my critical files?
Every monitored file is fingerprinted using cryptographic hashing and stored in a secure vault. When a scan runs, current file state is compared against its vault signature. A mismatch means something changed — and FIM+ records exactly what was modified, when, and which user ID was responsible.
Only Real Alerts. Never Noise.
Most file monitoring tools flood security teams with alerts for every modification — including routine maintenance. FIM+ eliminates that problem.
FIM+ integrates directly with ServiceNow, BMC Helix, and Endevor to verify whether each detected change matches an approved change request. Approved changes update the vault silently. Unapproved changes trigger alerts.
Sets Itself Up. Keeps Itself Current.
FIM+ automatically discovers your critical system components — APF libraries, LINKLIST, LPA, and other sensitive files — at implementation time. There is no manual library-by-library configuration.
As your environment changes and datasets are added or modified, FIM+ continues learning. Monitoring stays current without ongoing administrative effort.
Detection That Fits Your Production Schedule
FIM+ provides two scan modes designed to balance coverage with performance. Quick scans check metadata, consume minimal resources, and can run many times per day during production. Full scans verify file contents through cryptographic hash comparison and are recommended for off-peak hours.
On z14 and newer processors, all hash processing offloads to the mainframe's cryptographic service. It does not appear in SMF records and has negligible impact on production workloads.
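The vault comparison, approved-change handling and two scan modes described above, sketched as an added example in Python; it is not MainTegrity's code or how FIM+ is implemented. Ordinary files stand in for z/OS datasets, SHA-256 is an assumed hash, and every function name is hypothetical. The constructed demo shows a same-size edit with an unchanged timestamp passing a quick scan and being caught by a full scan.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def metadata(path):
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(paths):
    """Build the vault: metadata plus content hash per monitored file."""
    return {p: {**metadata(p), "sha256": sha256_of(p)} for p in paths}

def scan(vault, mode, approved=frozenset()):
    """mode='quick' compares metadata only; mode='full' also compares SHA-256.
    Changes to paths in `approved` refresh the vault silently; others alert."""
    alerts = []
    for path, base in vault.items():
        now = metadata(path)
        if mode == "full":
            now["sha256"] = sha256_of(path)
        changed = sorted(k for k in now if now[k] != base[k])
        if not changed:
            continue
        if path in approved:  # matches an approved change request
            vault[path] = {**now, "sha256": sha256_of(path)}
        else:
            alerts.append((path, changed))
    return alerts

def demo():
    """Constructed sample data: two temp files standing in for monitored datasets."""
    d = tempfile.mkdtemp()
    lib, parm = os.path.join(d, "LOADLIB"), os.path.join(d, "PARMLIB")
    Path(lib).write_bytes(b"MODULE-A v1")
    Path(parm).write_bytes(b"OPT=1")
    vault = baseline([lib, parm])
    st = os.stat(lib)
    Path(lib).write_bytes(b"MODULE-A v2")  # same length, different content
    os.utime(lib, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp as before
    Path(parm).write_bytes(b"OPT=22")  # change covered by a change request
    quick = scan(vault, "quick", approved={parm})
    full = scan(vault, "full", approved={parm})
    return lib, parm, quick, full, vault
```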
Watching Between the Scans
Between scheduled integrity scans, FIM+ monitors for irregular patterns of data access — watching backups for signs of tampering, recording IP addresses associated with TSO updates, and flagging unauthorized access attempts to sensitive datasets.
Protecting Your Backups Before You Need Them
FIM+ validates backup integrity on an ongoing basis, confirming that recovery sources remain trustworthy before an incident ever occurs.
This matters because immutable copies like SafeGuarded Copy may contain malware if attackers installed backdoors hours or days before the visible attack. FIM+'s scan history identifies when malicious changes were first introduced — enabling selection of the correct recovery point, which may be a conventional backup from before the compromise rather than the most recent immutable copy.
What Happens When FIM+ Finds Something
When FIM+ detects an unauthorized change, it provides the forensic intelligence needed to understand the scope, timeline, and severity of the event. What happens next depends on how CSF Foundation — the platform's reaction engine — is configured to respond.
Containment
CSF Foundation's reaction engine can automatically suspend the offending task, typically in under one second. The suspicious process is frozen in place — it cannot progress, but it is not destroyed.
Operators investigate through Foundation's interface, review forensic detail, and make an informed decision: resume if legitimate, cancel and recover if malicious.
Surgical Recovery
Foundation's Recovery Assistant uses FIM+'s intelligence — the precise timeline of which files were compromised and when — to generate targeted recovery JCL.
Only affected components are restored. After restoration, FIM+ verifies every recovered file against its vault signature.
Evidence Preservation
FIM+ can quarantine compromised components for later forensic analysis without slowing down restoration.
This preserves the evidence chain while allowing operations to resume on clean, verified files.
Simplify Compliance and Shrink Your Audit Window
FIM+ provides direct compliance support across the regulatory frameworks governing mainframe environments — and automates the evidence collection and reporting that make audits expensive and disruptive. Compliance reports are produced, filed, and distributed automatically on schedule. Rather than assembling audit evidence by hand, designated compliance officers receive completed reports without manual intervention.
PCI DSS
FIM+ delivers direct compliance with Controls 10.5 and 11.5, eliminating the need for compensating controls. A major airline using FIM+ saved one full-time equivalent of effort, improved detection accuracy, and improved PCI compliance audit scores.
SOX
Automated change detection with ServiceNow verification and complete audit trail generation supports Internal Controls Report requirements. One organization achieved a 90% reduction in staff time compared to the manual process of reviewing thousands of SMF update records daily.
NIST CSF
FIM+ maps to the Protect, Detect, Respond, and Recover functions, providing cryptographic integrity verification and automated change detection across monitored z/OS environments.
DORA
For financial institutions, FIM+ supports ICT risk management and operational resilience requirements through continuous integrity monitoring and auditable change records.
FISMA
For federal agencies and contractors, FIM+ aligns with NIST 800-53 controls required under the Federal Information Security Modernization Act.
HIPAA
FIM+ monitors the integrity of system components containing electronic protected health information and strengthens Breach Notification Rule compliance through precise scope and timing data.
GDPR
FIM+ supports Articles 32 and 43 by detecting unauthorized changes to systems processing personal data, with auditable records of every modification.
*FIM+ runs on CSF Foundation, which provides the real-time reaction engine, browser-based forensics interface, whitelisting, alert routing, and Recovery Assistant capabilities referenced on this page.*
