Case Study › Potential Problem Areas

Potential Problem Areas

The following paragraphs describe potential problems that you may encounter and recommended solutions to those problems.

TSO Logon

CA Top Secret does not allow the combined entry of user ID and password when logging on to TSO. Each entry must be made separately at the appropriate prompt.

If your TSO PROFILE currently is set with a parameter of NOPROMPT, you may experience difficulty when logging on. This parameter (within z/OS TSO) requires you to enter both your ID and password in one entry (TS9999/PASSWORD).

You may check, and correct, this as follows:

• After logon, at either READY or option 6:

  ENTER => PROFILE
  

  This will display your current TSO PROFILE parameters.

• If you see the value NOPROMPT displayed

  ENTER => PROFILE PROMPT
  

  This will change the parameter value to the correct value of PROMPT.

As stated earlier, CA Top Secret does not allow the combined entry of ID/PASSWORD, but it does not prevent you from this form of entry. If you enter the combined entry, CA Top Secret will display the message DO NOT SUPPLY PASSWORD(S) WITH LOGON COMMAND, time‑out the terminal for 30 seconds, and then ask you to reenter the password.

Mandatory Changing of Password

Under CA Top Secret, you are totally in control of, and responsible for, your secret password. Your TSO (z/OS) password is no longer operative and has been replaced by your CA Top Secret password.

In terms of responsibility, you have already read how CA Top Secret discourages you from entering your password at logon (except in non‑display mode). In keeping with this philosophy, you will be required to change your secret password at least every 30 days. You may change it more often, as necessary.

Three days prior to your password's expiration you will begin receiving an CA Top Secret message informing you that your password will expire within three days. For your convenience, it is recommended that you change your password as soon as you get this message, at the next logon.

CA Top Secret will not automatically suspend your ID unless you totally ignore this message. That is, if you do not use your ID for 45 days, it will not be suspended, but change your password the first time you logon.

• To change your password, at logon (password prompt)

  => ENTER: OLDPASSWORD/NEWPASSWORD
  

• You will receive the message PASSWORD CHANGED.

Keep in mind that:

• Your password must be at least four characters long.
• You cannot reuse any of your last three previous passwords.

Every time you log on you will get a last used message displayed on your terminal. This message informs you of the date, time, facility used, system used, and a numeric count of the number of times your ID has been used. If you suspect, or are sure, that your ID is being used by another individual you should change your password immediately.

Remember:

• Do not share your password with other individuals.
• Do not write your password down and leave it where it can be obtained by others.
• Change your password regularly.

Use of Production High Level Indexes

The access rules are primarily determined based upon the current high level indexes in use. That is, production files (data sets) are generally protected from all access except for production batch processing and authorized terminal inquiry/update functions. Systems development users have been authorized read access, by group, to the applications they are responsible for.

CA Top Secret enforces the DPS standards that have been defined to it. Therefore, make every effort to conform to the current published standards. Whenever possible use the TEST prefix to eliminate conflict with production indexes.

Due to the previous inability to enforce standards, many users have created test mechanisms that either bypassed or ignored the published standards. Without exception CA Top Secret will intercept each and every one of these and prevent them from accomplishing the desired result.

All test jobs and/or libraries that you currently use should be reviewed to ensure compliance with this rule. A thorough review of your existing procedures, rather than job‑by‑job experimentation, will save you lost time and headaches.

Exceptions to this rule must be justified and will be addressed on a case‑by‑case basis.

Access Change Rules

There are many situations that will require changes to the currently defined access rules such as:

• Employee new hire, transfer, or termination
• Major system conversion/parallel
• Special project requirements
• Vendor imposed exception conditions
• Production problem resolution

Requests for access rule changes will be subject to base control standards established for all T & I users:

• Unauthorized access to production data is prohibited.
• Unauthorized access to production libraries is prohibited.

All requests for access rule changes are to be made in the following manner:

• Document the requirements and current restrictions.
• Obtain approval from your designated Departmental Security Coordinator.
• Forward approved request to the Central Security Administrator, in advance of needed date.

The above documentation may be submitted by memo, and countersigned by the DSC (Departmental Security Coordinator).

Additional information may be required- such as the access duration and specific user IDs affected. Please try to be prepared to answer these questions.

Production Problem Resolution

The function of production problem resolution will be strictly monitored to ensure adherence to the security standards. In the past, many types of problems could be resolved informally by knowledgeable personnel. This will no longer be the case. The access restrictions placed upon T & I personnel will require a formalized procedure to be initiated to obtain the needed access to resolve most production problems.

The procedure to be followed for the resolution of production problems is:

• A properly documented I/R form is required for each problem.
• The I/R must be presented to the acting central production manager (or designee, if not present) for his/her review.
• The central production manager, or designee, is authorized to grant the use of special TSO IDs that have appropriate access capabilities needed to resolve production problems.

  Note: All use of these IDs will be monitored and must be accounted for with supporting problem documentation.

• The central production manager, or designee, will record the assigned special ID number on the I/R and ensure that the problem resolver's name is also recorded on the document. The password for the ID will be given to the problem resolver.
• The problem resolver will use the ID provided to fix the problem. Upon satisfactory resolution, he/she will return I/R, with completed resolution data, to the central production manager or designee.
• The central production manager will deactivate the ID by changing the password and recording the password in a secure location.
• The central production manager will route a copy of the completed I/R to the Central Security Administrator for reconciliation to the audit trail report.