STIG ID - BACF1043: Identify System Users

System users must be uniquely identified to the operating system. To accomplish this, each user must have an individual account defined in ACF2. If user accounts are not associated with specific individuals and are shared among multiple users, individual accountability is lost, hampering security audit activities and leading to shared group accounts, unauthorized user access of system resources and customer data. Scope, ownership, and responsibility over users should be based on the specifics of appointment, role, responsibilities, and level of authority.
Your organization must ensure that the Information Systems Security Officer uniquely identifies each system user to ACF2, that assigned access is role-based, and that access to resources is limited to those needed to perform the function. A user is defined as an individual accessing a computer resource or a task executing on the system that requires access to a resource. This includes, but is not limited to, data transfer userids (FTP, Connect Direct, XCOM, MQ, etc.), batch job userids, started task userids, and individually assigned (assigned to people or carbon based) userids. Shared or group accounts are not authorized. All accounts must provide for full accountability.
This STIG article shows how to identify userids that are shared among multiple users, uniquely define each identified user to ACF2, and ensure that access to resources is limited to those needed to perform the function.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Review the list of userids defined to the system. From the ACF2 ISPF Option Selection Menu, select 4 - Reports, C - ACFRPTSL. The ACFRPTSL report generator provides a listing of all logonid records that match the set of selection criteria specified in the JCL parameters. This report generator provides the ability to copy all logonid records or to select and print specific logonid records. The IF parameter enables flexible record selection criteria and the SFLDS parameter enables flexible field printing and editing.
    //REPORT   EXEC PGM=ACFRPTSL
    //SYSPRINT DD SYSOUT=*
    //SYSIN    DD *
      TITLE(LIST LIDS SHOWING NAME)
      INPUT(ACF2)
      REPORT(SHORT)
      SFLDS(LID NAME)
    /*
    Review the output and ensure the following:
    1. Each userid returned has a valid name assigned.
    2. Individually assigned userids have a valid organizational email address assigned. If organizational policy is to store validation data within userid records, ensure such validation data is stored accordingly.
    3. All userids have expiring passwords in accordance with organizational password policy requirements.
    4. Identify any userid not assigned to a single individual, started task, or batch processes. This will aid in identifying a list of userids that might be shared among multiple users (not uniquely identified system users). Based upon access and roles assigned, contact the responsible teams to perform interviews and document how those userids are being used.
  2. If no shared userids or groups are identified, your organization does not have an audit finding.
  3. If shared userids or groups are identified, your organization has an audit finding. See Remediate Audit Findings.
Remediate Audit Finding
The ISSO is responsible for ensuring users are uniquely identified to the operating system.
Follow these steps:
  1. Identify userids that are shared among multiple users by reviewing the data provided in step 1 under Identify Audit Finding.
  2. Working with specific teams for each discovered shared userid, define the specific access and all requirements of why the userid must be used versus if the access were granted directly to their individual assigned userid. Work to correct and mitigate, allowing for the shared userids to be removed.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000764
CCI: CCI-000764
Published Date: 2009-09-17
Definition: The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Type: technical
References:
NIST: NIST SP 800-53 (v3): IA-2
NIST: NIST SP 800-53 Revision 4 (v4): IA-2
NIST: NIST SP 800-53A (v1): IA-2.1