Security System Values Overview

 

Run the Security System Values report to determine the current settings for security system values on your system. Compare the system values with the recommended values in the chart below. Click on the link in the system value name to learn more about its meaning.

 

| System Value | Description | Audit Importance | COBIT 4.0 | ISO27002 (17799) | PCI | PowerTech Policy Recommendation |
|---|---|---|---|---|---|---|
| QSECURITY | System Security Level | HIGH | PO2.3 Data Classification Scheme | | | 40 or 50 |
| QINACTITV | Time-out Period for Inactive Jobs | HIGH | | 11.5.5 | 8.5.15 | 30 = 30 Minutes |
| QINACTMSGQ | Action/Message Queue for Inactive Jobs | LOW | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | 11.5.5 | | *DSCJOB, or a monitored message queue name |
| QDSCJOBITV | Period before disconnected jobs end | MEDIUM | | 11.5.6 | | 180 Minutes |
| QDSPSGNINF | Display Sign-on Information | MEDIUM | DS5.4 User Account Management; DS5.5 Security Testing, Surveillance and Monitoring | 11.5.1(a) | | 1 = Display Sign On information |
| QMAXSIGN | No. of unsuccessful login attempts allowed for this account | HIGH | DS5.3 Identity Management | 11.5.1(e) | 8.5.13 | 5 |
| QMAXSGNACN | Action after number of signon attempts exceeds the max | HIGH | DS5.3 Identity Management | 11.5.1(e) | 8.5.13 | 2 = Disable Profile |
| QCRTAUT | Create Default Public Authority | HIGH | DS5.3 Identity Management | | | *USE, then control at Library Level |
| QUSEADPAUT | Use Adopted Authority Authorization List | LOW | DS5.3 Identity Management | 11.2.2(e) | | An authorization list |
| QALWUSRDMN | Which libraries on the system may contain User Domain Objects | MEDIUM | DS5.9 Malicious Software Prevention | 12.4.1 | | The values *ALL or *DIR are not recommended |
| QALWOBJRST | Allow Restore of Security-Sensitive Objects | HIGH | DS5.9 Malicious Software Prevention | 12.4.1(b) | | *NONE and toggle to *ALWPGMADP or *ALWPTF when necessary |
| QSHRMEMCTL | Shared Memory Control | LOW | | | | 1 = Allow |
| QVFYOBJRST | Verify Object on Restore | MEDIUM | DS5.9 Malicious Software Prevention | 12.4.1 | | 3 or 5 |
| QPWDEXPITV | Number of days before a user must change a password | HIGH | DS5.3 Identity Management | 11.2.3 (b), 11.2.3 (h), 11.3.1 (d) | 8.5.9 | 90 = 90 days |
| QPWDLMTAJC | Adjacent digits are allowed in passwords | LOW | DS5.3 Identity Management | 11.3.1 (d) | | 1 = Not Allowed |
| QPWDLMTCHR | Limit characters | LOW | DS5.3 Identity Management | 11.3.1 (d) | | *NONE |
| QPWDLMTREP | Repeat characters are allowed in passwords | LOW | DS5.3 Identity Management | 11.3.1 | | 2 = Consecutive characters cannot be repeated |
| QPWDMINLEN | Minimum password length | HIGH | DS5.3 Identity Management | 11.3.1 | 8.5.10 | 6 = 6 Character minimum |
| QPWDMAXLEN | Maximum password length | MEDIUM | DS5.3 Identity Management | | | 8 or higher |
| QPWDPOSDIF | Limit character position in passwords | LOW | DS5.3 Identity Management | 11.3.1 | | 0 = Positional difference not enforced |
| QPWDRQDDGT | Digits required in passwords | MEDIUM | DS5.3 Identity Management | 11.3.1 | | 1 = Digit Required |
| QPWDRQDDIF | Duplicate password allowed? | HIGH | DS5.3 Identity Management | 11.3.1 | 8.5.12 | 5 = Must be different than last 10 passwords (at least) |
| QPWDVLDPGM | Is there a password validation program in place? | MEDIUM | DS5.3 Identity Management | 11.3.1 | | *NONE |
| QPWDLVL | Password Level | MEDIUM | DS5.3 Identity Management | 11.3.1 | | 1 or 3 |
| QAUDCTL | Auditing control | HIGH | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | 10.10.1, 10.10.2 | | *AUDLVL, *OBJAUD, *NOQTEMP = Audit these values |
| QAUDLVL, QAUDLVL2 | Security auditing level | HIGH | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | 10.10.1, 10.10.2 | | See QAUDLVL Recommendations |
| QAUDENDACN | Auditing end action | HIGH | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | 10.10.3 | | *NOTIFY - Send a message if auditing is ended |
| QAUDFRCLVL | Auditing force level | LOW | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | | | *SYS |
| QCRTOBJAUD | Auditing of new objects | HIGH | DS5.9 Malicious Software Prevention; DS5.5 Security Testing, Surveillance and Monitoring | 10.10.1, 10.10.2 | | *NONE, then control at Library Level |
| QAUTOVRT | Allow auto-create of virtual devices | LOW | | | | Less than 100 |
| QAUTOCFG | Automatic configuration | HIGH | | | | 0 = Disabled |
| QLMTDEVSSN | User limited to one device session | LOW | DS5.3 Identity Management | | | 1 = Limit number of concurrent sessions & control at the user profile level |
| QLMTSECOFR | Limit SECOFR to allowed terminals | LOW | DS5.3 Identity Management | | | 1 = Limit Security Officer sign on |
| QAUTORMT | Auto-configure remote controllers | HIGH | DS5.11 Exchange of Sensitive Data | | | 0 = Disabled |
| QRETSVRSEC | Retain server security data | LOW | | | | 0 = Do not retain server security data |
| QDEVRCYACN | Device I/O error action | LOW | | 11.5.6 | | *DSCMSG, *DSCENDRQS, *ENDJOB, *ENDJOBNOLIST |
| QRMTSIGN | Remote sign-on control | HIGH | DS5.11 Exchange of Sensitive Data | | | Not *SAMEPRF |
| QATNPGM | Default Attention Key handling program | MEDIUM | | | | *NONE |
| QRMTIPL | Remote power on and IPL | MEDIUM | DS5.11 Exchange of Sensitive Data | | | 0 = Do not allow Remote IPL |
| QSTRUPPGM | Program that is called from an autostart job when the controlling subsystem is started | MEDIUM | | | | Named program |
| QFRCCVNRST | Force object conversion during restore | LOW | | | | 1 = Objects with validation errors are converted |
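
One way to automate the comparison described above, as an added example that is not part of the original page or of PowerTech's tooling. It encodes a subset of the chart's recommendations as checks and runs them over a dump of current values; the `NAME value` input format, the function names and the sample values are assumptions made for illustration.

```python
# Checks for a subset of the chart's recommendations (added example).
def one_of(*ok):      # value must be one of the listed settings
    return lambda v: v in ok

def excludes(*bad):   # none of the listed special values may appear
    return lambda v: not set(v.split()) & set(bad)

def includes(*need):  # every listed special value must appear
    return lambda v: set(need) <= set(v.split())

def number(test):     # non-numeric settings such as *NOMAX fail
    return lambda v: v.isdigit() and test(int(v))

POLICY = {  # name: (recommendation as worded in the chart, check)
    "QSECURITY": ("40 or 50", one_of("40", "50")),
    "QPWDMAXLEN": ("8 or higher", number(lambda n: n >= 8)),
    "QAUTOVRT": ("Less than 100", number(lambda n: n < 100)),
    "QRMTSIGN": ("Not *SAMEPRF", excludes("*SAMEPRF")),
    "QALWUSRDMN": ("not *ALL or *DIR", excludes("*ALL", "*DIR")),
    "QAUDCTL": ("*AUDLVL, *OBJAUD, *NOQTEMP",
                includes("*AUDLVL", "*OBJAUD", "*NOQTEMP")),
    "QVFYOBJRST": ("3 or 5", one_of("3", "5")),
}

def parse(report):  # 'NAME value...' lines (assumed export format) -> dict
    values = {}
    for line in report.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            values[parts[0].upper()] = parts[1].strip().upper()
    return values

def audit(report):
    """Return (name, current, recommended) for each deviation or gap."""
    current = parse(report)
    findings = []
    for name, (recommended, check) in POLICY.items():
        value = current.get(name)
        if value is None or not check(value):
            findings.append((name, value or "<missing>", recommended))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = ("QSECURITY 30\nQPWDMAXLEN 8\nQAUTOVRT *NOMAX\n"
          "QRMTSIGN *FRCSIGNON\nQALWUSRDMN *ALL\nQAUDCTL *AUDLVL *OBJAUD\n")

if __name__ == "__main__":
    for name, value, rec in audit(SAMPLE):
        print(f"{name}: current {value}, recommended {rec}")
```

A system value that is absent from the dump is reported as `<missing>` rather than silently passing, so an incomplete report cannot look compliant.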