Sorry, needed to repost because I only posted to the newsgroup.
Joel C. Ewing wrote:
At one time (a number of years ago) we had a RACF revoke limit > 5. Got
similar argument from auditors who wanted 3. We analyzed RACF SMF
records to determine how much lowering the threshold would raise number
of daily revokes on legitimate users to arrive at some estimate of cost
in terms of user aggravation and increased workload/staffing of the Help
Desk and determined that for us 5 was a reasonable value and have stuck
with it. We have specific applications that will force the user out
after 3 attempts, but actual revoke takes 5 consecutive bad attempts
from any combination of applications. We're talking here about userids
that aren't directly exposed to the Internet, so there is some physical
security involved as well; and there is also a daily review of failed
logon attempts to look for unusual activity.
Any auditor that claims everyone uses 3 or that there is something magic
that makes "3" optimum is shoveling B.S.
The magic reason for nearly everyone using a RACF revoke limit of 3 is
baseball and the way it is firmly rooted in the American way of life.
The rule is: "Three strikes and you're out", and what is good for
baseball must be good for security.
Baseball is virtually unknown in most other countries but due to the
overwhelming US influence on IT, especially in the earlier years, such
rules and recommendations were just taken as gospel everywhere.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
