STIGQter: STIG Summary: zOS FEP for TSS Version: 6 Release: 1 Benchmark Date: 11 Mar 2020:

NCP (Net Work Control Program) Data set access authorization does not restricts UPDATE and/or ALLOCATE access to appropriate personnel.

DISA Rule

SV-7199r3_rule

Vulnerability Number

V-6904

Group Title

ZFEP0015

Rule Version

ZFEP0015

Severity

CAT II

CCI(s)

• CCI-001499 - The organization limits privileges to change software resident within software libraries.

Weight

10

Fix Recommendation

Identify Names of the following data sets used for installation and in development/production environments:

- NCP system data sets
- NCP source definition data sets
- NCP load modules
- NCP host dump data sets
- NCP utility programs
Have the IAO validate that they are properly protected by the ACP. And that only authorized personnel are permitted UPDATE and/or ALLOCATE access (e.g., z/OS systems programming personnel).

Check Contents

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(NCPRPT)

___ The ACP data set rules for NCP data sets allow inappropriate access.

___ The ACP data set rules for NCP data sets does not restrict UPDATE and/or ALL access to authorized personnel (e.g., systems programming personnel).

b) If both of the above are untrue, there is NO FINDING.

c) If either of the above is true, this is a FINDING.

Vulnerability Number

V-6904

Documentable

False

Rule Version

ZFEP0015

Severity Override Guidance

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(NCPRPT)

___ The ACP data set rules for NCP data sets allow inappropriate access.

___ The ACP data set rules for NCP data sets does not restrict UPDATE and/or ALL access to authorized personnel (e.g., systems programming personnel).

b) If both of the above are untrue, there is NO FINDING.

c) If either of the above is true, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

3359

Comments