× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Hi Rob -

I was not referring to you in that comment. The process anyone chooses
to use is really up to them. The object of compliance auditing is not
stating specifically that one process or another is allowed or not
allowed, but that you have documented and can defend the security of the
processes you have in place.

I'm not as familiar with SOX as I am with PCI, but all compliance audits
are moving targets. The issue is protecting sensitive data. So for
example, if you have no sensitive data on your i you may not have to
prove compliance at all. If you do one thing you'll have to prove is
that you have documented password standards and a means to enforce those
standards.

An automated password reset procedure would *probably* be allowed if it
has proper "compensating controls" like requiring the user to verify
some personal information before doing the reset. At that point you
would now have to prove that the path that the new password follows is
also secure, so a plain text email might not be allowed but being
displayed on a secure webpage *probably* would. Since you have written
the code behind this process in house you'll now have to prove that you
are also following best practices for code development, including
testing, approval and change control procedures.

The goal is not pleasing the auditors, it's keeping your company out of
the headlines. Just be glad you're the i guy, your job will be a lot
easier than some others.

For more info on PCI standards see:

https://www.pcisecuritystandards.org/education/docs/Prioritized_Approach
_PCI_DSS_version1_2.xls

http://tinyurl.com/nbdesh

Regards,

Scott Ingvaldson
Senior IBM Support Specialist
Midwest Region Data Center
Fiserv.



-----Original Message-----
From: rob@xxxxxxxxx [mailto:rob@xxxxxxxxx]
Sent: Wednesday, June 17, 2009 4:30 PM
To: Midrange Systems Technical Discussion
Subject: RE: AS400 Automatic Sending of New Password?

Scott,

I realize what I said could be taken wrong on the QSYSMSG. However it
is sending the password to a known good email account though...

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From:
"Ingvaldson, Scott" <scott.ingvaldson@xxxxxxxxxx>
To:
"Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Date:
06/17/2009 04:04 PM
Subject:
RE: AS400 Automatic Sending of New Password?
Sent by:
midrange-l-bounces@xxxxxxxxxxxx



At work, our automated process needs the last four of my SS# and a
correctly answered challenge question.

That doesn't sound "automatic" to me. The user has to manually verify
their identity to perform the reset. This would appear to be an example
of "a commercial application that takes the risk and guesswork out of
the process." I'm not trying to split hairs here, the person I was
referring to was intending to monitor for the CPF1394 message and
automatically re-enable the profile with no other intervention.

You may also find that passing an audit next year may be harder than
passing the same audit was last year.

Regards,

Scott Ingvaldson
Senior IBM Support Specialist
Midwest Region Data Center
Fiserv.


-----Original Message-----
From: Charles Wilt [mailto:charles.wilt@xxxxxxxxx]
Sent: Wednesday, June 17, 2009 1:58 PM
To: Midrange Systems Technical Discussion
Subject: Re: AS400 Automatic Sending of New Password?

On Wed, Jun 17, 2009 at 2:32 PM, Ingvaldson, Scott <
scott.ingvaldson@xxxxxxxxxx> wrote:

I did have another admin ask me once if I could help him write
something that would automatically reset profiles before the users had

to call the help desk. I think I talked him out of the idea.

PCI requirement 8.5.2 is: Verify user identity before performing
password resets. That pretty much makes automatic password resets
verboten.


Nonsense....

We do it, my bank does it, my student loan processor, my insurance
company....

All of which ask questions to verify my identity before they allow me to
reset my password.

At work, our automated process needs the last four of my SS# and a
correctly answered challenge question. Then it sets the new password I
specify.

The process has passed both SOX and PCI.

Charles


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.