Documentation - V-223996

Title

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

Description

<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implem...

Fix Text (Documentation Requirement)

For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions: -ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging. -ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA). -Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Cross-Authorized ACIDs: Keep ACID cross authorization...