The regulations are from NY state, NYDFS.
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf
500.7 Access privileges and management.
500.7(c) Each class A company shall monitor privileged access activity and shall implement:
(1) a privileged access management solution; and
(2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.
To automatically block commonly used passwords, a corpus is necessary. For example, the Cybernews investigation team was able to collect 15m passwords.* If they can do it, software vendors will see the opportunity here.
It's one option to force all RACF password changes through a single point. However, there are a lot of ways to reach the password change process in MVS, and writing blocks for all of them isn't reasonable.
The ZMFA holds promise, if I can find a software company that has bought/collected the same 15m passwords that Cybernews did. I can route all RACF password changes to the <currently unidentified> software company for validation.
*https://cybernews.com/best-password-managers/most-common-passwords/
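As an added illustration of the "automated method of blocking commonly used passwords" the post is about (example code, not from the post's author, IBM, or any vendor): a small validation routine that a password-change path could call. It normalizes trivial variants (case, leet substitutions, trailing digits/punctuation) before lookup, so "P@ssw0rd1" is caught by the corpus entry "password", and stores only hashes of the corpus. The corpus below is a constructed seven-entry stand-in for a breach-derived list of millions of entries.

```python
import hashlib
import re

# Constructed sample corpus; a real deployment loads a multi-million-entry list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "welcome1", "iloveyou", "admin"]

# Common character substitutions folded back to their base letter.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to a base form so trivial variants collide.

    Steps: lower-case, drop a trailing run of digits/punctuation (only if
    something remains, so all-digit passwords are kept whole), then undo
    leet substitutions. 'P@ssw0rd1!' -> 'password'.
    """
    base = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", base)
    if stripped:
        base = stripped
    return base.translate(LEET)


def build_blocklist(corpus) -> set:
    """Hash each normalized corpus entry; the plaintext list need not be kept online."""
    return {hashlib.sha256(normalize(p).encode("utf-8")).hexdigest()
            for p in corpus}


def is_blocked(pw: str, blocklist: set) -> bool:
    """True if the candidate (after normalization) matches a corpus entry."""
    digest = hashlib.sha256(normalize(pw).encode("utf-8")).hexdigest()
    return digest in blocklist


def validate_new_password(pw: str, blocklist: set) -> tuple:
    """Decision a password-change hook would act on: (allowed, reason)."""
    if is_blocked(pw, blocklist):
        return (False, "rejected: matches a commonly used password")
    return (True, "ok")


if __name__ == "__main__":
    bl = build_blocklist(COMMON_PASSWORDS)
    for cand in ["P@ssw0rd1", "Welcome1", "123456", "Tr0ub4dor&3"]:
        print(cand, validate_new_password(cand, bl))
```

Because the check runs on the normalized form, the corpus only needs the base words; the variants users typically append to satisfy complexity rules are caught without enumerating them.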
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN