Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.2 System Security Values -Cont'd

K.2.2.6 Determine the appropriateness of time-out system value:

QINACTITV - inactive job time-out.

*NONE: no time out.

5 - 300: valid range for maximum minutes before time-out.

E&Y recommended value: 15.

Terminals left unattended for an extended period of time may be used by unauthorized persons to perform functions that are available under that session, possibly affecting production data and processing. In addition, unauthorized users of unattended terminals may remain unidentifiable.

Authorized users can re-key their user-ids and passwords to continue from the screen left off in the previous session. This is possible when we set the disconnect job (*DSCJOB) value to disconnect any interactive, secondary or group jobs. Alternatively, *ENDJOB can be used. However, this will end any job, secondary or group.

K.2.2.7 Determine if concurrent device sessions are limited:

QLMTDEVSSN - limit device sessions.

0: does not limit the use of a user-id to one work station at a time.

1: limits the use of a user-id to one work station at a time.

E&Y recommended value: 1.

SYSTEM SECURITY K/PROG

24

Page 6 of 22

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.2 System Security Values -Cont'd

K.2.2.8 Determine if sign-on information is displayed on screen.

QDSPSGNINF - sign-on display information control.

0: no sign-on information is displayed upon sign-on.

1: users are shown:

? date and time of last sign-on.

? invalid sign-on attempts since last sign-on.

? when applicable, a warning that the password is due to expire in

seven days or less.

This information can alert users to unauthorized attempts to use their profiles to access the system.

The sign-on screen should show a restricted access message such as \should also not show the company, system, and application names.

E&Y recommended value: 1.

K.2.3 Changing the Automatic Configuration of Virtual Devices Value

The QAUTOVRT values controls the creation of virtual device descriptions on a remote system when users pass-through to that system.

The system value QAUTOVRT specifies if pass-through virtual devices (as opposed to the workstation function virtual device) are automatically configured. This value can only be changed by the security officer or someone with all object (*ALLOBJ) and security administrator (*SECADM) special authority.

The value of QAUTOVRT should be set as low as possible. In most cases the value of 0 (zero) or 1 (one) is recommended. How ever in some locations where the passthrough activity is higher, it should be set as low as possible to minimize logon opportunities of unauthorized users.

SYSTEM SECURITY K/PROG Page 7 of 22

25

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.2 System Security Values -Cont'd

K.2.4 Changing the Remote Sign-on Value

The QRMTSIGN value controls if users can bypass the sign-on display on the remote system when using the display station pass-through function or the workstation function of PC support.

The possible values are:

? FRCSIGNON: All pass-through sessions that begin on the system

must go through the normal sign-on procedure.

?

SAMEPRF: Pass-through sessions without going through the sign-on procedure are allowed only for users whose user profile name on the remote system is the same as the user profile name on the local system

?

VERIFY: Pass-through sessions without going through the sign-on procedure are allowed for all pass-through requests and no checking of passwords is done if the QSECURITY value is 10. Must sign-on if QSECURITY value is 30.

?

REJECT: Pass-through sessions are not allowed to start on the remote system.

K.2.5 Create Authority Parameter in System Value

Review the QCRTAUT parameter on the system values report, and ensure that it has been changed from the default value of *CHANGE, to a setting of *USE or less.

Determine that the production database and production source code files are maintained in a library with appropriately restricted access. Or, use the Display Object Authority command and determine whether the Public Authority Access (PUBAUT) access parameter for each significant individual production database and production source code file is *EXCLUDE and individual access allowed are appropriate.

SYSTEM SECURITY

K/PROG

26

Page 8 of 22

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.3 User/Group Profiles

Objective: To ensure that user or group profiles are authorized and defined

appropriately to maintain adequate segregation of duties.

Procedures:

K.3.1 Obtain all user and group profiles by entering the command:

DSPAUTUSR SEQ (*GRPPRF)

K.3.2 Inspect each significant group profile to ensure that it is authorized by

appropriate management personnel and covers a common group of users with a common function. Ensure that only one group profile is assigned to a user.

K.3.3 Inspect selected user profiles to ensure that they are authorized by

appropriate management personnel and that their settings are compatible with their work functions.

K.3.4 A number of IBM user profiles are pre-defined when the system is

shipped. The passwords to these user profiles are identical to the user profile names, except for DST's which is \ Determine that the client has changed the passwords for these user profiles:

User Profile Description QSECOFR security officer QSRV full service functions QSRVBAS basic service functions QSYSOPR system operator QPGMR programmer QUSER work station user DST Dedicated Service Tools

Note: QSRVBAS and QSRV passwords should be changed after every maintenance trip by authorized IBM personnel. Vendor-supplied passwords for any commercial software products should also be changed.

SYSTEM SECURITY K/PROG

27

Page 9 of 22