Rick Fochtman wrote:
---------------------------<snip>----------------------
At one time (a number of years ago) we had a RACF revoke limit > 5. Got a
similar argument from auditors who wanted 3. We analyzed RACF SMF
records to determine how much lowering the threshold would raise the number
of daily revokes on legitimate users, to arrive at some estimate of cost
in terms of user aggravation and increased workload/staffing of the Help
Desk, and determined that for us 5 was a reasonable value; we have stuck
with it. We have specific applications that will force the user out
after 3 attempts, but the actual revoke takes 5 consecutive bad attempts
from any combination of applications. We're talking here about userids
that aren't directly exposed to the Internet, so there is some physical
security involved as well; and there is also a daily review of failed
logon attempts to look for unusual activity.
Any auditor that claims everyone uses 3, or that there is something magic
that makes "3" optimum, is shoveling B.S.
--------------------------<unsnip>----------------------
IMHO, any auditor should be ecstatic if he finds any limit under 11 set.
It's not up to him to "dictate" security policy, only to examine and
recommend (possible) improvements.
I'd like to talk now about the reality. I disagree with Ted's opinion
that auditors only check standards and that there are separate entities to set
up the standards and to enforce them.
That's theory. I have *never* met such a constellation. I have met a lot of
auditors (I even used to work as one of them).
Such a triumvirate can be realistic for internal audit teams.
External auditors are usually hired to check the system against *their
own* "vision of security".
They rely on various references: sometimes it's a set of rules created by
the company they work for (e.g. Deloitte), sometimes it's some CISA/CISSP
set of "good practices", and sometimes it is "magic knowledge" - like
the holy 3 in the revoke limit.
What's important here is that the company who orders and pays for the audit expects
them to provide the rules. More: the internal rules are also *audited*.
Rules can have weaknesses.
My $0.02
--
Radoslaw Skorupka
Lodz, Poland
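The threshold analysis Rick describes, as an added example that is not part of the post or of any IBM tooling: a small Python script over constructed logon records (standing in for the RACF SMF data) that counts consecutive failures per userid across applications, resets the count on a successful logon, and reports how many users each candidate revoke limit would have locked out.

```python
# Added example (not from the post): estimate how a RACF-style revoke
# threshold affects legitimate users, using constructed logon records
# in place of the SMF records the post describes analysing.
from collections import defaultdict

# Constructed sample: (userid, application, outcome) in time order.
# Failures from any application count toward one per-user total,
# as the post describes; a successful logon resets the count.
SAMPLE_EVENTS = [
    ("ALICE", "TSO",  "fail"),
    ("ALICE", "TSO",  "fail"),
    ("ALICE", "TSO",  "ok"),      # two typos, then correct: never revoked
    ("BOB",   "CICS", "fail"),
    ("BOB",   "TSO",  "fail"),
    ("BOB",   "CICS", "fail"),    # 3 consecutive across two applications
    ("BOB",   "TSO",  "ok"),
    ("CAROL", "CICS", "fail"),
    ("CAROL", "CICS", "fail"),
    ("CAROL", "CICS", "fail"),
    ("CAROL", "TSO",  "fail"),
    ("CAROL", "TSO",  "fail"),    # reaches 5: revoked at any limit <= 5
    ("CAROL", "TSO",  "fail"),
]

def revoked_users(events, limit):
    """Return the set of userids whose consecutive-failure count reached
    `limit` at any point, i.e. who would need a resume from the help desk."""
    streak = defaultdict(int)
    revoked = set()
    for user, _app, outcome in events:
        if outcome == "ok":
            streak[user] = 0      # successful logon resets the streak
            continue
        streak[user] += 1
        if streak[user] >= limit:
            revoked.add(user)
    return revoked

def compare_limits(events, limits=(3, 5)):
    """Map each candidate limit to the number of users it would revoke;
    the difference is the extra help-desk load the lower limit costs."""
    return {limit: len(revoked_users(events, limit)) for limit in limits}

if __name__ == "__main__":
    for limit, count in compare_limits(SAMPLE_EVENTS).items():
        print(f"limit {limit}: {count} user(s) would be revoked")
```

Run against real SMF-derived records, the same comparison gives the daily revoke counts for each threshold that the post used to justify 5 over 3.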
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html