I wrote an ICHPWX01 exit years ago, and it is on CBT here: File # 728 ICHPWX01 - RACF Password Quality Exit - Dave Jousma <https://www.cbttape.org/ftp/cbt/CBT728.zip>. I wouldn’t read a dataset though, just define the list in the exit. The exit is pretty old; there may be better methods now.

Dave Jousma
Vice President | Director, Technology Engineering

From: IBM Mainframe Discussion List <[email protected]> on behalf of Joe Monk <[email protected]>
Date: Tuesday, November 26, 2024 at 1:50 PM
To: [email protected] <[email protected]>
Subject: Re: NYDFS Cybersecurity 500.7(c)(2) blocking common passwords

You can use the exit routine (ICHPWX11) to look up the password in a dataset and reject if the password is found.

https://www.ibm.com/docs/en/zos/2.4.0?topic=exits-new-password-phrase-exit-ichpwx11

Joe

On Tue, Nov 26, 2024 at 11:25 AM Grace Godfrey <[email protected]> wrote:

> Hi,
>
> I'm hoping to tap the vast knowledge here on IBM-Main.
>
> We're under NYDFS Cybersecurity regulations and I'm looking at 500.7(c)(2)
>
> (c) Each class A company shall monitor privileged access activity and
> shall implement:
> (1) a privileged access management solution; and
> (2) an automated method of blocking commonly used passwords for all
> accounts on information systems owned or controlled by the class A
> company and wherever feasible for all other accounts. To the extent the
> class A company determines that blocking commonly used passwords is
> infeasible, the covered entity’s CISO may instead approve in writing at
> least annually the infeasibility and the use of reasonably equivalent or
> more secure compensating controls
>
> Does anyone have any experience blocking common passwords within RACF?
> Does IBM ship a component to satisfy 500.7(c)(2) for zOS RACF?
>
> Any information or ideas are appreciated.
>
> Thanks!
> Grace
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
