IBM AS400 Security Procedures


Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.2 System Security Values - Cont'd

K.2.1.1 Determine who is/are assigned the QSECOFR profile.

All system inquiries in this section should be made with the QSECOFR profile, or with another profile that holds the *ALLOBJ and *SECADM special authorities, since ordinary profiles cannot display every user profile and object authority referenced below. The person holding the QSECOFR profile is typically the master security officer or someone at a high management level.

K.2.1.2 Review other duties performed by the Master Security Officer (MSO) to ensure they do not conflict with the responsibilities required by the MSO position (e.g. if the MSO is also a programmer).

K.2.2 System values are defined by the client. Obtain the system values report, which lists all system values together with a brief description of each value, by entering the following command:

WRKSYSVAL

A single system value can also be displayed on the terminal with this command, giving the name of the value in the SYSVAL parameter:

DSPSYSVAL SYSVAL(system-value-name)

To print only the security-related system values (the *SEC group) use the command:

WRKSYSVAL *SEC OUTPUT(*PRINT)

System values are defined by the client according to their specific and unique security requirements. Security could be compromised if a value has been changed from its intended setting or if the chosen setting is inappropriate for the client's risk.

All possible options of each system value are listed and explained in this audit program as a guide. IBM default values are underscored.

SYSTEM SECURITY K/PROG

20

Page 2 of 22


K.2.2.1 Determine the system security level:

QSECURITY

10: no user authentication (sign-on without a password) and no resource protection.

20: user authentication through password security only; no resource protection (every profile is effectively given *ALLOBJ authority).

30: user authentication and resource protection (users need authority to the objects they use).

40: as level 30, plus integrity protection: user-state programs are prevented from executing privileged instructions and from calling the machine interface directly.

E&Y recommended value: 30.

Level 40 should be considered for clients with high inherent risk. It prevents user programs from gaining direct access to objects, the data of other jobs and internal system programs.

K.2.2.2 Determine the maximum number of sign-on attempts allowed:

QMAXSIGN

*NOMAX: the system allows an unlimited number of sign-on attempts.

15: a user can try to sign on a maximum of 15 times (any value from 1 to 25 may be set).

After the specified maximum number of invalid sign-on attempts is reached, the system takes the action specified by QMAXSGNACN (see K.2.2.3), e.g. the terminal is varied (forced) off, and a message is logged to the system operator.

E&Y recommended value: maximum of 3.


K.2.2.3 Determine action taken by system when QMAXSIGN is exceeded:

QMAXSGNACN

1: vary off (disable) the terminal only.

2: disable the user profile only.

3: vary off the terminal and disable the user profile.

E&Y recommended value: 3.

K.2.2.4 Determine the user-selected options related to password security:

- QPWDEXPITV - password expiration interval.

*NOMAX: passwords never expire.

1-366: valid range, in days.

E&Y recommended value: 30-90 days.

- QPWDRQDDIF - duplicate password control.

0: a new password may be the same as any of the previous 32 passwords.

1: a new password must differ from each of the previous 32 passwords.

E&Y recommended value: 1.

- QPWDMINLEN - minimum password length.

1: minimum of 1 character.

1-10: valid range of number of characters.

E&Y recommended value: 6 or more.


- QPWDMAXLEN - maximum password length.

10: maximum of 10 characters.

1-10: valid range of number of characters.

E&Y recommended value: 7-8 if connecting to systems other than AS/400 or S/38.

- QPWDVLDPGM - password validation program.

*NONE: no password validation program is used.

program name: the named exit program is called, with the new password passed to it in the clear, each time a user changes a password.

Review the specified program (password exit routine), if any, and ensure that it does not allow a user to bypass password security, that it does not contain hard-coded passwords, and that it does not write the passwords it receives to a file, log or message. Also confirm that the program object cannot be replaced by ordinary users (*PUBLIC authority of *USE or less), since anyone able to replace it can capture every new password.

K.2.2.5 Determine if users with all object (*ALLOBJ) or service (*SERVICE) special authorities may sign on only at work stations they have specific authority to access.

QLMTSECOFR - limit security officer device access.

0: users with *ALLOBJ special authority may sign on at any display station, and users with *SERVICE special authority may sign on at any display station whose public authority is *CHANGE or higher.

1: users with *ALLOBJ or *SERVICE special authority may not sign on at a work station unless they have been specifically (explicitly) authorized to its device description. Because levels 10 and 20 enforce no resource protection, this control only takes effect at QSECURITY 30 or above.

E&Y recommended value: 1.
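The following script is an added example and is not part of the E&Y audit program or any IBM tool. It evaluates the system values covered by K.2.2.1 through K.2.2.5 against the recommended values given above, so that an auditor who has copied the values from DSPSYSVAL output can see every deviation at once instead of reading them one by one. The "NAME value" line layout of the input, the two constructed sample systems, and the connects_to_other_systems switch (which decides whether the conditional QPWDMAXLEN recommendation applies) are assumptions of this example. Keyword values such as *NOMAX are handled explicitly, and a non-*NONE QPWDVLDPGM is reported as a review item rather than a failure.

```python
"""Check IBM AS/400 security system values against the K.2.2 recommendations.

Added example; the input layout below is an assumption, not an IBM output format.
"""

# Constructed sample: a weakly configured system, written as "NAME value" lines
# as an auditor might transcribe them from DSPSYSVAL output.
WEAK_SYSVALS = """\
QSECURITY  20
QMAXSIGN   15
QMAXSGNACN 1
QPWDEXPITV *NOMAX
QPWDRQDDIF 0
QPWDMINLEN 1
QPWDMAXLEN 10
QPWDVLDPGM QGPL/PWDCHK
QLMTSECOFR 0
"""

# Constructed sample: a system set to the recommended values.
HARDENED_SYSVALS = """\
QSECURITY  40
QMAXSIGN   3
QMAXSGNACN 3
QPWDEXPITV 60
QPWDRQDDIF 1
QPWDMINLEN 6
QPWDMAXLEN 8
QPWDVLDPGM *NONE
QLMTSECOFR 1
"""


def parse_sysvals(text):
    """Turn 'NAME value' lines into a dict; names and keyword values are upper-cased."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        values[name.upper()] = value.strip().upper()
    return values


def _as_int(value):
    """Numeric system values become ints; keywords such as *NOMAX (or a missing value) give None."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def check_sysvals(values, connects_to_other_systems=False):
    """Return a list of (sysval, actual value, finding) tuples; an empty list means all K.2.2 values comply.

    connects_to_other_systems applies the QPWDMAXLEN 7-8 recommendation, which the audit
    program only makes for systems that connect to hosts other than AS/400 or S/38.
    """
    findings = []

    def flag(name, message):
        findings.append((name, values.get(name, "<not reported>"), message))

    # K.2.2.1 QSECURITY: recommended 30; levels 10 and 20 give no resource protection.
    level = _as_int(values.get("QSECURITY"))
    if level is None or level < 30:
        flag("QSECURITY", "security level below 30: no resource protection")

    # K.2.2.2 QMAXSIGN: recommended at most 3; *NOMAX allows unlimited password guessing.
    max_sign = _as_int(values.get("QMAXSIGN"))
    if max_sign is None or max_sign > 3:
        flag("QMAXSIGN", "more than 3 sign-on attempts (or *NOMAX) allowed")

    # K.2.2.3 QMAXSGNACN: recommended 3 (disable both the terminal and the user profile).
    if values.get("QMAXSGNACN") != "3":
        flag("QMAXSGNACN", "exceeding QMAXSIGN does not disable both terminal and profile")

    # K.2.2.4 password controls.
    expiry = _as_int(values.get("QPWDEXPITV"))
    if expiry is None or not 30 <= expiry <= 90:
        flag("QPWDEXPITV", "password expiration interval outside 30-90 days (or *NOMAX)")

    if values.get("QPWDRQDDIF") != "1":
        flag("QPWDRQDDIF", "any of the previous 32 passwords may be reused")

    min_len = _as_int(values.get("QPWDMINLEN"))
    if min_len is None or min_len < 6:
        flag("QPWDMINLEN", "minimum password length below 6")

    max_len = _as_int(values.get("QPWDMAXLEN"))
    if connects_to_other_systems and (max_len is None or not 7 <= max_len <= 8):
        flag("QPWDMAXLEN", "maximum length outside 7-8 on a system connected to non-AS/400 hosts")

    # A validation program is not a failure in itself, but its source must be reviewed.
    if values.get("QPWDVLDPGM") != "*NONE":
        flag("QPWDVLDPGM", "password validation program in use: review it for bypasses, hard-coded passwords and password logging")

    # K.2.2.5 QLMTSECOFR: recommended 1.
    if values.get("QLMTSECOFR") != "1":
        flag("QLMTSECOFR", "*ALLOBJ/*SERVICE users may sign on at any work station")

    return findings


if __name__ == "__main__":
    weak = check_sysvals(parse_sysvals(WEAK_SYSVALS), connects_to_other_systems=True)
    for name, actual, message in weak:
        print(f"{name:<11} {actual:<12} {message}")
    print(f"{len(weak)} deviation(s); hardened sample: "
          f"{len(check_sysvals(parse_sysvals(HARDENED_SYSVALS)))} deviation(s)")
```

Run against the weak sample the script lists nine deviations (eight when connects_to_other_systems is left False, since the QPWDMAXLEN recommendation is then not applied); the hardened sample produces none. Each finding carries the raw value so the workpaper reference can quote it directly.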

