Re: CMS/DOD idle connection requirements
snip
Google for DOD Orange Book.
/snip

You can forget about the Orange Book of the famous National Security Agency Rainbow series of security books as having the current answer. They are a good reference but are outdated. Back in the 1990s, when Air Force MajGen Hayden took over NSA (a 4-star who now heads the CIA), he transferred most of the security work done by the National Computer Security Center (NCSC) over to what is now known as NIST in the Dept. of Commerce. The gist was to get NSA out of the security business for non-DOD agencies. Nowadays it is called selling off your non-core businesses.

So now, for the non-DOD agencies, NIST is the one to make the rules for unclassified, which can include Sensitive, For Official Use Only, Privacy Data, etc. That one gets into the PII (Personally Identifiable Information) which we are all getting introduced to for identity issues. It is not clear if the classified designations (Confidential, Secret, and Top Secret) used in DOD have moved over to the Defense Security Service, OSD's Information System Office of Oversight, or even the Office of the Secretary of Defense (OSD) itself.

The Rainbow series is still referenced today by many vendors and quoted widely. NSA did a great job when they had the work, and most of it still applies today. I have seen that it all depends on what the auditors will accept.

Jim

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: CMS/DOD idle connection requirements
snip
Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections.
/snip

US Government seemingly imposed rules are confusing. What I know is that it comes from the NIST 800-53 document under the category of AC-12; see www.nist.gov and search on SP 800-53. Depending on the level you choose, all they say is you must have some session timeout. Once you conform to this, then each agency puts forth its own security policy to show it conforms to NIST 800-53. For example, here is one I know about:

"All 'Agency X' workstations must use password-protected screensavers. Your workstation screensaver activates if you don't use your keyboard or mouse for 15 minutes, and you must reenter your password to be able to use your workstation. This prevents unauthorized access to your workstation and the network while your workstation is unattended. If you are going to leave your mainframe terminal session unattended for any period of time, you should log off of the system. If you don't use your keyboard for more than 30 minutes, the system will automatically log you off."

So is the 15 minutes a given? No. But within the policy made, some applications may want to apply 10 minutes to some and 30 to others. I leave that to the application owner to mandate. So whatever passes the auditors comes out OK. Saying one does not time out anybody (just locking the keyboard) did not fly, and some definite timeout period needed to be implemented.

Jim
Re: CMS/DOD idle connection requirements
Don't know about DOD, but our security folks were satisfied that the multi-session product (Supersession in our case) timed out and locked its session with the physical terminal while allowing the virtual terminal sessions to remain live. This allows a timed-out user to resume where they left off, preventing the productivity loss.

Tim Hare
Senior Systems Programmer
Florida Department of Transportation
(850) 414-4209
Re: CMS/DOD idle connection requirements
snip
Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:
1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.
/snip

Google for DOD Orange Book.
Re: CMS/DOD idle connection requirements
David

I'm paying attention here mainly because VTAM is mentioned. I wonder exactly what the concern of your VTAM guy is. I don't believe there are any timing specifications under VTAM control which can affect established sessions [1]. There is only one which can affect idle connections, the DISCNT operand of the PU statement. Thus you are going to have to resolve this problem application by application.

If your VTAM guy is concerned about the number of resources tied up supporting your CICS and TSO applications, he - or she, I guess - could be sure only to define resources when they are needed. If the SSCP-dependent LUs are supported on platforms which connect over media which require the use of switched procedures in VTAM, the VTAM exit which supports the dynamic definition of adjacent link stations along with the SSCP-dependent PU can be used. This is the ISTEXCCS, the so-called configuration services, exit. Then, in order to support only active SSCP-dependent LUs, and assuming the platform supports the function, the ISTEXCSD, the dynamic definition of dependent LUs exit, can be used.

That's the best I can do. I can't help if the sessions are there but the keyboard is untroubled.

Chris Mason

[1] Unless they are LU type 6.2 sessions, where it's *conversations* which count rather than sessions, and so there is an operand, LIMQSINT, of the APPL statement with APPC=YES (that is, *not* CICS, note) which can be used to terminate sessions which are not supporting conversations after a delay - assuming the sessions pass over at least one link which has indicated it would like not to be kept active when idle, normally indicated with the LIMRES=YES operand of the PU statement or equivalent on SNA platforms other than VTAM.

- Original Message -
From: David Speake [EMAIL PROTECTED]
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@BAMA.UA.EDU
Sent: Monday, June 18, 2007 6:20 PM
Subject: CMS/DOD idle connection requirements

Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:
1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.
The first may be difficult/expensive machine/software-wise. The second is monstrously disruptive to the session user. Have these issues been addressed with IBM - CICS/TSO? My VTAM guy tells me idle LUs are also a concern. My concern is productivity of four or five hundred TSO users and several thousand CICS users.
CMS/DOD idle connection requirements
Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:

1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.

The first may be difficult/expensive machine/software-wise. The second is monstrously disruptive to the session user. Have these issues been addressed with IBM - CICS/TSO? My VTAM guy tells me idle LUs are also a concern. My concern is productivity of four or five hundred TSO users and several thousand CICS users.
Re: CMS/DOD idle connection requirements
Steve, I didn't think that it (maybe AR39 - check DISA) was that detailed, to log off after 15 minutes of inactivity. I thought it just stated to lock the terminals and have the users be revalidated. Checking my memory banks for the documents now. Maybe GAO...

Kevin

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of David Speake
Sent: Monday, June 18, 2007 12:20 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: CMS/DOD idle connection requirements

Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:
1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.
The first may be difficult/expensive machine/software-wise. The second is monstrously disruptive to the session user. Have these issues been addressed with IBM - CICS/TSO? My VTAM guy tells me idle LUs are also a concern. My concern is productivity of four or five hundred TSO users and several thousand CICS users.
Re: CMS/DOD idle connection requirements
David,

You know where to find the DISA STIGs, right? If not: http://iase.disa.mil/stigs/stig/index.html

Curiously, the Network Infrastructure STIG says this:

    (NET1453: CAT III) The IAO/NSO will ensure that a session that exceeds 30 minutes of inactivity is disconnected.

While the MQ section of the OS/390 STIG (there is no z/OS STIG yet) says:

    4.3.1.7 Userid Timeouts
    Userids signed on to a queue manager will be logged off after 15 minutes of inactivity. This timeout process will be implemented by including the ALTER SECURITY command in the CSQINP1 data set. The format of the command will be specified as follows:

        ALTER SECURITY INTERVAL(5) TIMEOUT(15)

    • (ZWMQ0020: CAT II) The systems programmer responsible for supporting MQSeries/WebSphere MQ will ensure that the timeout is set to 15 and the interval is set to 5.

Farther into that same STIG:

    The TELNETPARMS INACTIVE statement defines the terminal inactivity timeout value. When there has been no client-VTAM activity for the specified number of seconds, the session will be dropped. Note that the value of the INACTIVE parameter can impact the values of the PRTINACTIVE and KEEPINACTIVE (OS/390 Release 2.10) statements. The STIG requirement recommends that user sessions be terminated or locked out after 15 minutes of inactivity. Documentation must be maintained with the IAM when this guideline is not followed.

The OS/390 STIG vol. 2 also says this about CICS:

    (12) Enforce a CICS time-out time limit, which is implemented based on 15 minutes of user inactivity.
    • (ZCIC0042: CAT II) The IAO will ensure that all CICS users have a 15 minute time-out limit specified.

So there is incomplete agreement among the various STIGs regarding the exact amount of time (15 vs. 30 in those four sections of 2.5 different STIGs). They generally say 15, but at least one says 30. (I didn't produce an exhaustive list.) Much of this will depend upon just how secure you are required to become (Secret, Top Secret, etc.).

--
Tom Schmidt
Madison, WI
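To make Tom's STIG excerpts concrete, here is where each of those timeouts is actually set on a z/OS system. This is an added configuration example, not text from the STIGs or from any poster in this thread. It assumes the stock z/OS Communications Server TN3270 server, RACF as the external security manager for CICS, and WebSphere MQ for z/OS; the userid JSMITH, port 23 and the 15-minute values are assumptions chosen to line up with the STIG items quoted above. The TSO piece (SMFPRMxx JWT) is not mentioned in the thread; it is included because it is the knob that actually cancels an idle TSO user.

```text
; ---- TN3270 server (PROFILE.TCPIP or the TN3270 profile), TELNETPARMS block
; INACTIVE is in seconds; 0, the default, never drops an idle client.
; 900 s = 15 min, the figure in the OS/390 STIG text quoted above.
; PRTINACTIVE 0 leaves printer LUs out of it (they never type).
TELNETPARMS
  PORT 23
  INACTIVE 900
  PRTINACTIVE 0
ENDTELNETPARMS

* ---- WebSphere MQ for z/OS, CSQINP1 initialization input (ZWMQ0020)
* TIMEOUT: minutes a signed-on userid may sit idle before it is logged off.
* INTERVAL: minutes between checks, so the effective limit is 15 to 20 min.
ALTER SECURITY INTERVAL(5) TIMEOUT(15)

/* ---- CICS (ZCIC0042): the idle limit is per user, in the RACF CICS   */
/* segment. TIMEOUT(hhmm): 0015 = 15 minutes, 0000 = never. CICS signs */
/* the user off at the terminal when it expires. JSMITH is a made-up   */
/* userid for this example; repeat for each CICS user, and verify with  */
/* LISTUSER, which shows only the CICS segment with NORACF.             */
ALTUSER JSMITH CICS(TIMEOUT(0015))
LISTUSER JSMITH CICS NORACF

/* ---- TSO: SYS1.PARMLIB(SMFPRMxx). JWT(hhmm) is the job wait time; a  */
/* TSO user idle at the terminal longer than this is cancelled with an  */
/* S522 abend. The shipped default is 0030. Caveat: the same value      */
/* bounds how long a batch step may wait, so batch jobs feel it too.    */
JWT(0015)
```

Note what each knob does, because they are not interchangeable. TELNETPARMS INACTIVE drops the TCP connection and the VTAM session underneath every application, so if it is shorter than the CICS or MQ value it is the one that fires; the RACF CICS TIMEOUT and MQ ALTER SECURITY only sign the user off inside that application; JWT cancels the TSO address space outright. A session manager such as Supersession or TPX that locks the screen but keeps its virtual sessions open (Tim's and Rick's setups) sits above all four and stops none of them, which is why the figures at each layer need to agree with whatever the auditor is reading.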
Re: CMS/DOD idle connection requirements
Tom,

Thanks much. I think I'm going to be physically ill. They impose specific mandates on each choke point regardless of actual need. So a product that simply locks the session and accomplishes just as much without killing the productivity of the poor slob at the keyboard will not help. Will pull them up and read the full dicta later. Just been pushed in a good bit more urgent direction.

Thanks again
Re: CMS/DOD idle connection requirements
-snip-
Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:
1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.
The first may be difficult/expensive machine/software-wise. The second is monstrously disruptive to the session user. Have these issues been addressed with IBM - CICS/TSO? My VTAM guy tells me idle LUs are also a concern. My concern is productivity of four or five hundred TSO users and several thousand CICS users.
--unsnip

Down around the Futures Exchange (CBOT), we used a product called TPX, though I forget the vendor's name. After 15 minutes, we disconnected him from all sessions; after 60 minutes, we terminated the sessions.
Re: CMS/DOD idle connection requirements
TPX is from CA.

Regards,
Herman Stocker
Technical Specialist
Data Center Operations
avis budget group
Phone: 1973-496-4847
Fax: 1973-496-8201
E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Rick Fochtman
Sent: Monday, June 18, 2007 4:04 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: CMS/DOD idle connection requirements

-snip-
Can anyone point me to the actual government documents (CMS and DOD) pertaining to the security requirement for unattended (15 minutes) connections. There are two interpretations here:
1) kick the user completely out (CICS, TSO)
2) require the user to enter a (Secure Serve Validated) password to continue.
The first may be difficult/expensive machine/software-wise. The second is monstrously disruptive to the session user. Have these issues been addressed with IBM - CICS/TSO? My VTAM guy tells me idle LUs are also a concern. My concern is productivity of four or five hundred TSO users and several thousand CICS users.
--unsnip

Down around the Futures Exchange (CBOT), we used a product called TPX, though I forget the vendor's name. After 15 minutes, we disconnected him from all sessions; after 60 minutes, we terminated the sessions.