Access Control Facility evaluation criteria:

A) Identification/Authentication Function:

Objective: Verify the user's claimed identify is verifiable, and user identification is a unique, auditable representation that can be identified for accountability.

1. Verify that the ACF supports the following attributes for identification/authentication:2.

• Each user has a unique User Id
• User ids can be disabled, reactivated, with the status of User id available
• User id's are disabled after a set inactive period (e.g. .60 days)
• User id changes are restricted to a limited group of authorized administrators
• UserIDs can be assigned to groups;
• Names of groups and associated individuals is available
• UserIDs are associated to individuals, profiles, or departments
• All users (including remote) should be identified/authenticated before gaining access to the system
• Mechanism(s) exists to authenticate the identity of users (i.e. password, smart card, biometrics) before performing any actions.
• (Note: If multiple authentication mechanisms are available within the system, verify whether the System Administrator can specify the authentication mechanism used for specific users and groups)
• Users must re-authenticate after a specified period of non-use; time-out (i.e. 15 min.) or keyboard lock w/ password
• disconnect after maximum number unsuccessful logon attempts (i.e. 3) and notification to system administrator
• No default ids exist that allow unauthenticated system access

2. If passwords are used to authenticate the user then the following attributes or support functions should exist:

• passwords encrypted (from end to end) and not accessible to non-privileged users
• not displayed on screen when entered
• not shared
• minimum length required (i.e. 6)
• customer specific words prevented
• can be reset by system administrator
• changes enforced (i.e. 30, 60 days)
• passwords can be changed by the user
• user notified previous to password expiration
• passwords should be reasonably resistant to brute force password guessing
• - simple passwords should not be allowed (i.e. repeating characters, re-using the same password, using similar passwords)
• generated passwords are easy to remember and random

B) Resource Access Control Function:

Objective: Verify that mechanisms exist to restrict access of computer resources (i.e. programs, data files transaction and commands) to authorized users.

1. Verify the ACF has the following attributes:

• all users and remote machines with access to the system can be listed
• access can be restricted based on time-of-day, day-of-week, calendar-date, method of entry or location (dial-in, network facilities), or specific program
• provides minimum access rights for protected resources to include create, inquire, update, delete, execute, and none
• warning message is displayed upon system entry regarding unauthorized use and the possible consequences
• creation, deletion, or change of user security profiles or security information is restricted to authorized administrators
• upon system logon the following should be displayed:

- the date, time, and location of the users last successful access

- number of unsuccessful logon attempts since last logon

- number of days until password expires

• access to all computer resources is restricted to individual users or groups with specific access rights
• lists provided which identifies users authorized to a resource. (i.e. user access rights to the resource)note: this should be limited to system administrator. Lists should include:

1. read, write and update/execute

2. default access right

• verify authorization rules for access to a resource prior to all uses of that resource
• by default, only the owner (creator) has access to the resource when it is created.
• specify default resource access rights for users not otherwise specified either explicitly by the user id or implicity by group membership
• access rights associated with a user id take precedence over any associated group provided access
• copied resources keep the same security attributes
• access to security tables/data files is protected
• status report available of security parameters.
• separate privileges shall be required to perform security relevant operations or commands
• privileges that permit users to override or bypass the security components shall be distinct and separate from all other privileges.

C) Accountability and Auditability

Objective: Ensure that sufficient security information about user actions or processing acting on their behalf is logged and provides a management trail to support the ability to audit.

1. Verify that the ACF has the following attributes or support functions:

• The following events should be recorded:

- valid and invalid user authentication attempts

- logons and logoffs

- activities of privileged users (e.g., System Administrators, Operators)

- unsuccessful data or transaction access attempts

- successful access to security-critical system resources

- changes to users' security profiles, privileges, or attributes

- changes to access rights of resources

- changes to the system security configuration

- modification of system-supplied software

• The ability should exist to record:

- creation and deletion of resources

- disk file access

- tape volume or tape file access

- program execution

- on-line command execution

- customer-defined events

• For each recorded event, the audit record shall identify, at a minimum:

- date and time of the event

- user identification and associated point of physical access, e.g., terminal, port, network address, or communication device

- type of event

- name of resources accessed

- success or failure of the event

• password should not be recorded in audit trails
• audit control data shall survive system restarts
• System Administrator notified if can't record audit records
• System Administrator actions must be audited
• audit trail and control mechanisms shall be protected from unauthorized access
• user identification information associated with any system request or activity shall be maintained and passed on to connecting systems
• audit analysis tools available which can produce exception reports, summary reports, and detailed reports which are periodically reviewed
• System Administrator can independently and selectively review actions of any one or more users
• system shall be able to provide a report of all modifications to a named or user-accessible system resources
• audit trails should be archived
• The system can flag and report on-line, significant security events.

D) Administration (applies to all categories above)

Objective: Verify administration controls ensure the continued protection of data as defined by the owner and that security deviations are detected and corrected.

• Authentication and access security functions/process is clearly defined and documented. (add, delete, change user ids and access)
• Segregation of duties in granting, denying, or changing access
• Formal documentation process to request access to the system
• User requests are authorized by the business owner
• User requests are retained for Audit purposes
• Access to the system is reviewed on a periodic basis
• Number of users with privileged status controlled and monitored
• Documented process to monitor access security violations and event resolution
• System business manager reviews system administration modification to audit trail

Top Secret Security Application Level review of dataset protection, monitoring, and administration

Objectives: Verify access security components exist to sufficiently protect computing resources (i.e. data files, programs). To identify over controlled or under controlled security activities and ensure weak security controls are compensated for by business or other system controls.

1. Determine the last time the Top Secret installation was reviewed for the processing environment.

a) If the review was conducted within the last year, evaluate the impact of any open issues that effect your applications. For example, the TSS facilities settings (facilities include CICS, batch, TSO etc..) that your application use impact the security access controls.

b) If the review has not been conducted within the last year see I/T Audit team for future coverage plans.

2. Evaluate the application level administrative procedures in place for Top Secret access security protection including:

- Establishing user ids

- Protecting resources (files, programs, CICS trans) to Top Secret as required by the owner

- Granting user access to Top Secret protected resources

- Removal of employee access upon termination or change in job function

- User requests are authorized by the owner

- Owners periodically (i.e. 180 days) review and adjust users access to the system and access authorizations to their resources.

- Documented procedures

- Documented access standards based on job function.

- Security Coordinator job responsbilities are formally defined as part of their PDR.

Note: Administrative procedures performed by the Top Secret Master Administration area will be covered by the I/T Team.

3. Evaluate procedures in place to monitor Top Secret security related activity:

a) Verify owners (or data custodians) periodically review unsuccessful and audited dataset/resource access attempts and unsuccessful login attempts. (e.g. daily, weekly) This also includes the review of TSS access violations.

b) Verify escalation procedures are documented and exercised for those incidents or recurring trends that indicate:

- Repeated or unusual attempts by a user to gain unauthorized access to protected resources.

- System hacking activities in the form of excessive numbers of repeated, unsuccessful login/access.

c) Verify access to critical files is audited where a business need exist.

4. Obtain Top Secret Security reports from I/T Team necessary to evaluate the access protection for identified datasets. (i.e. TSS whoowns, TSS whohas, TSS list, ACCESS TSS tools)

This requires:

• Identify critical libraries, datasets (high level qualifiers) or transactions (CICS trans) concerning the business applications under review.
• Provide CAATS team with the application library or dataset names.
• Provide the name of the environment your application is processing under. (e.g. Middletown Production, Windsor test)

5. Verify that critical and sensitive data files and programs are adequately protected by TSS using the reports from step 4.

- Identify datasets (high level qualifiers), libraries or transactions not defined to Top Secret.

- Identify users who have not recently used their Top Secret ids. (i.e. in the last 6 months)

- Identify users who are suspended in TSS.

- Identify users who are not required to have a password

- Identify users who are not required to change their password.

- Identify users who can bypass TSS Security or are privileged users (e.g. no data set check, administrative authority.)

- Evaluate the level of access for users based on user job function . User job titles can be obtained through profs callup.

- Identify jobs which have update/all access to the critical datasets.( From reports gained in step #4) Followup with the application area to verify any jobs which have update/all access which do not belong to the application being reviewed.

- Verify with business owner exceptions or questionable access privileges.

6. Ensure each top secret id has a 1 to 1 correspondence with either a user or job. Evaluate the need for use of a group id.