Hi Travi,
OPSECURE() in the CMD rule/s for Start and Stop to check the commands issuers' authority is a recommended method to secure the managing of SSM resources, as for the MVS start/stop commands. Is physical access to your MCS consoles secure and do you require a user to logon to MCS consoles? If not you will have to account for this type of access. Also, you may have to secure access to ADDRESS SQL/OPSQL via an OPS/MVS )SEC SQL* rule, if you have users that know how to issue SQL instructions to update the desired state of an SSM resource.