ICHPWX11 changes from passwords to passphrases with a 100-character limit.

Joe

On Tue, Nov 26, 2024 at 1:08 PM Jousma, David <[email protected]> wrote:

> I wrote an ICHPWX01 exit years ago, and it is on CBT here: File # 728 ICHPWX01
> - RACF Password Quality Exit - Dave Jousma
> <https://www.cbttape.org/ftp/cbt/CBT728.zip>. I wouldn’t read a dataset
> though, just define the list in the exit. The exit is pretty old, there
> may be better methods now.
>
> Dave Jousma
> Vice President | Director, Technology Engineering
>
> From: IBM Mainframe Discussion List <[email protected]> on behalf
> of Joe Monk <[email protected]>
> Date: Tuesday, November 26, 2024 at 1:50 PM
> To: [email protected] <[email protected]>
> Subject: Re: NYDFS Cybersecurity 500.7(c)(2) blocking common passwords
>
> > You can use the exit routine (ICHPWX11) to look up the password in a dataset
> > and reject if the password is found.
> >
> > https://urldefense.com/v3/__https://www.ibm.com/docs/en/zos/2.4.0?topic=exits-new-password-phrase-exit-ichpwx11__;!!MwwqYLOC6b6whF7V!jP0Zsb6zgOGtkvU3zPd_8XTgee1UkQuo4AWElb7eRXmlK5pRnh3AgOvrNQuaWVcF6VX9ZvQ9VN5xPCbqxOTaxWaZ21QXPhLhKgE$
> >
> > Joe
> >
> > On Tue, Nov 26, 2024 at 11:25 AM Grace Godfrey <[email protected]> wrote:
> >
> > > Hi,
> > >
> > > I'm hoping to tap the vast knowledge here on IBM-Main.
> > >
> > > We're under NYDFS Cybersecurity regulations and I'm looking at 500.7(c)(2)
> > >
> > > (c) Each class A company shall monitor privileged access activity and
> > > shall implement:
> > > (1) a privileged access management solution; and
> > > (2) an automated method of blocking commonly used passwords for all
> > > accounts on information systems owned or controlled by the class A
> > > company and wherever feasible for all other accounts. To the extent
> > > the class A company determines that blocking commonly used passwords
> > > is infeasible, the covered entity’s CISO may instead approve in
> > > writing at least annually the infeasibility and the use of reasonably
> > > equivalent or more secure compensating controls
> > >
> > > Does anyone have any experience blocking common passwords within RACF?
> > > Does IBM ship a component to satisfy 500.7(c)(2) for zOS RACF?
> > >
> > > Any information or ideas are appreciated.
> > >
> > > Thanks!
> > > Grace
> > >
> > > ----------------------------------------------------------------------
> > > For IBM-MAIN subscribe / signoff / archive access instructions,
> > > send email to [email protected] with the message: INFO IBM-MAIN
