---------------------------<snip>----------------------
At one time (a number of years ago) we had a RACF revoke limit > 5. Got similar argument from auditors who wanted 3. We analyzed RACF SMF records to determine how much lowering the threshold would raise number of daily revokes on legitimate users to arrive at some estimate of cost in terms of user aggravation and increased workload/staffing of the Help Desk and determined that for us 5 was a reasonable value and have stuck with it. We have specific applications that will force the user out after 3 attempts, but actual revoke takes 5 consecutive bad attempts from any combination of applications. We're talking here about userids that aren't directly exposed to the Internet, so there is some physical security involved as well; and there is also a daily review of failed logon attempts to look for unusual activity.

Any auditor that claims everyone uses 3 or that there is something magic that makes "3" optimum is shoveling B.S.
--------------------------<unsnip>----------------------
IMHO, any auditor should be ecstatic if he finds any limit under 11 set. It's not up to him to "dictate" security policy, only to examine and recommend (possible) improvements.

The TAIL SHOULD NOT WAG THE DOG!
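The threshold analysis described in the quoted post, replayed as an added example (this is not code from either poster, from IBM, or from any RACF tooling; the real input there was RACF SMF records). Constructed logon events are fed through a simplified consecutive-failure rule so that the number of revokes, the userids affected and the per-day revoke count can be compared across candidate thresholds. Assumptions, which are mine and not from the post: the counter increments on each failed logon regardless of which application it came from, resets on a successful logon, and after a revoke the id is assumed to be resumed by the help desk so its counter starts again at zero; the event data are entirely constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of logon events in chronological order.
# Each entry is (userid, day, success).  "bob" models a single id being
# hammered; the others model ordinary users mistyping passwords.
EVENTS = [
    ("alice", "day1", False), ("alice", "day1", False), ("alice", "day1", True),
    ("bob",   "day1", False), ("bob",   "day1", False), ("bob",   "day1", False),
    ("bob",   "day1", False), ("bob",   "day1", False),
    ("carol", "day1", False), ("carol", "day1", True),
    ("eve",   "day1", False), ("eve",   "day1", False),
    ("alice", "day2", False), ("alice", "day2", False), ("alice", "day2", False),
    ("alice", "day2", False), ("alice", "day2", True),
    ("eve",   "day2", False), ("eve",   "day2", False), ("eve",   "day2", True),
    ("carol", "day2", False), ("carol", "day2", True),
    ("dave",  "day2", False), ("dave",  "day2", False), ("dave",  "day2", True),
    ("dave",  "day2", False), ("dave",  "day2", False), ("dave",  "day2", True),
    ("carol", "day2", False), ("carol", "day2", True),
]


def simulate_revokes(events, threshold):
    """Replay events in order under a consecutive-failure rule.

    A failed logon increments the userid's counter, a successful logon
    resets it, and reaching `threshold` revokes the id.  Assumption: after
    a revoke the id is resumed and its counter restarts at zero.
    Returns the list of (userid, day) revoke events.
    """
    counters = defaultdict(int)
    revokes = []
    for userid, day, success in events:
        if success:
            counters[userid] = 0
            continue
        counters[userid] += 1
        if counters[userid] >= threshold:
            revokes.append((userid, day))
            counters[userid] = 0
    return revokes


def compare_thresholds(events, thresholds):
    """Total revokes the same event stream would produce at each threshold."""
    return {t: len(simulate_revokes(events, t)) for t in thresholds}


def revoked_userids(events, threshold):
    """Distinct userids that would be revoked at least once."""
    return {userid for userid, _ in simulate_revokes(events, threshold)}


def revokes_per_day(events, threshold):
    """Daily revoke counts, the figure that drives help-desk workload."""
    return Counter(day for _, day in simulate_revokes(events, threshold))


if __name__ == "__main__":
    for t, n in compare_thresholds(EVENTS, [3, 4, 5, 6]).items():
        print(f"threshold {t}: {n} revokes, users {sorted(revoked_userids(EVENTS, t))}, "
              f"per day {dict(revokes_per_day(EVENTS, t))}")
```

On this constructed stream a threshold of 3 revokes three ids, two of them ordinary users, while 5 catches only the hammered id; run against a real day's worth of SMF logon records the same replay gives the kind of cost estimate the post describes.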

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html