We also use FORCE DISC because of the very same situation. The auditors did 
give ground when we pointed out that the only access to our VM system was via 
a terminal emulator running on a desktop or laptop that was logged on to our 
development network. They actually did not know that there was already 
protection in place that met their requirement. After admitting that, they came 
up with a "But then ..." saying that they were not completely convinced. That 
is when we proposed the gentler solution that broke the connection between the 
userid and termulator.

Regards, 
Richard Schuh 

 

> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:ib...@listserv.uark.edu] On Behalf Of Marcy Cortes
> Sent: Tuesday, June 01, 2010 8:17 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: Automated Logoff of CMS user
> 
> Here's an example of one such policy
> "A session must be suspended after a period of inactivity not 
> to exceed fifteen minutes. Reauthentication must be required 
> to resume the session."
> 
> Now, one could argue that all the desktops/laptops have this 
> capability, but some auditors will read this as needed on 
> each system that has the ability to authenticate.  One can 
> argue (and likely lose), or just set up velocity tunefrc or 
> the perftk equiv.  We use FORCE DISC which is kinder, gentler.
>  
> 
> Marcy 
> 
> 
> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
> Sent: Tuesday, June 01, 2010 8:02 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: [IBMVM] Automated Logoff of CMS user
> 
> On Tuesday, 06/01/2010 at 09:51 EDT, "Martin, Terry R. (CMS/CTR) (CTR)" 
> <terry.mar...@cms.hhs.gov> wrote:
> > This may have been asked before but I was wondering the best way to 
> > Automatically log off a CMS user after a designated time frame. This 
> > is to address an Audit finding.
> 
> You opened the door, Terry, so I will walk through it:   What policy would 
> drive an auditor to create such a finding?  I just have trouble with a 
> policy that says "After a CMS user has been logged on for [n] minutes, 
> log them off."  To what end?  And is it really only CMS users?  In Linux 
> systems the CMS users are the admins and SVMs, none of whom should be 
> logged off (IMO).  (I might buy FORCE DISC, but not logoff.)
> 
> Alan Altmark
> z/VM Development
> IBM Endicott
> 
