By Rich Loeber,
There are a number of good practices that you can adopt in the area of password administration that will also help to keep your system healthy. First, you should have a procedure in place to disable the user profiles of people who have left your company. I normally recommend that the HR department include the IT security officer on all termination notifications. I must admit, however, that this does not always do the trick: notifications get missed, and a profile that is never disabled remains a working sign-on for a former employee.
A backstop for this is to run the Analyze Profile Activity (ANZPRFACT) command on your system about once a month. This command searches out user profiles that have not been used for the number of days you specify (the INACDAYS parameter) and sets them to *DISABLED status. You can choose the number of days, but 30 is a pretty good bet. Profiles that must never be disabled this way, such as QSECOFR or the profiles under which your scheduled jobs run, can be exempted from the check with the Change Active Profile List (CHGACTPRFL) command.
You should also require all users to periodically change their passwords. The following system value will help with this:
QPWDEXPITV – “Password expiration interval”
This forces your users to change their password at the interval, in days, that you specify on the system value (set with the Change System Value, CHGSYSVAL, command; a value of *NOMAX means passwords never expire). Very secure installations may require passwords to change every day, but most business installations get along just fine with a 60 day cycle, which is what I normally recommend. Keep in mind that the system value is only the default: every user profile has its own PWDEXPITV parameter, and a profile set to anything other than *SYSVAL overrides QPWDEXPITV. This one is unpopular with users, but if you are going to take security seriously, it is a must.
You should also do a periodic review of your user profile base. In this review, I recommend that you check for profiles that have permanent passwords assigned, that is, profiles with PWDEXPITV(*NOMAX), which the expiration interval system value never touches. In some shops the programmers tend to appropriate this right for themselves, but they should be on rotating passwords just like the rest of the user community.
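The two checks above, the inactivity test that ANZPRFACT automates and the review for permanent passwords, can be run as a report before anything is disabled. The script below is an added example, not code from the original article or from IBM. It reads a constructed CSV stand-in for an export of user profile attributes (the kind of data you would pull with DSPUSRPRF OUTPUT(*OUTFILE) or a query over QSYS2.USER_INFO); the column names, the sample profiles, the review date, the exemption list and the system value are all assumptions made for this example, not real IBM i field names or data. It goes slightly beyond the text by resolving a profile's PWDEXPITV against QPWDEXPITV, so a system value of *NOMAX is caught as well as a *NOMAX on the profile.

```python
"""Periodic user-profile review: inactive profiles and permanent passwords.

Added example, not from the original article. The input is a constructed CSV
stand-in for an export of user-profile attributes (what you would get from
DSPUSRPRF OUTPUT(*OUTFILE) or a query over QSYS2.USER_INFO); the column names
and layout are assumptions made for this example, not IBM i field names.
"""
import csv
import io
from datetime import date, datetime

INACTIVE_DAYS = 30               # the article's suggested ANZPRFACT threshold
QPWDEXPITV = "60"                # constructed system value (article recommends 60)
REVIEW_DATE = date(2024, 3, 1)   # constructed "today" so results are deterministic

# Profiles that must never be auto-disabled, the equivalent of the exemption
# list ANZPRFACT honours via CHGACTPRFL. Constructed for this example.
EXEMPT = {"QSECOFR"}

# Constructed sample export. pwd_exp_itv mirrors the profile's PWDEXPITV
# parameter (*SYSVAL, *NOMAX or a day count); has_password is N for PASSWORD(*NONE).
SAMPLE_EXPORT = """\
profile,status,pwd_exp_itv,last_signon,has_password
JSMITH,*ENABLED,*SYSVAL,2024-02-27,Y
PGMR1,*ENABLED,*NOMAX,2024-02-29,Y
MJONES,*ENABLED,*SYSVAL,2023-12-15,Y
TEMPUSR,*DISABLED,*SYSVAL,2023-11-01,Y
SVCACCT,*ENABLED,*NOMAX,,Y
QSECOFR,*ENABLED,*SYSVAL,2024-02-28,Y
BATCHJOB,*ENABLED,*SYSVAL,,N
"""


def parse_export(text):
    """Read the CSV export; a blank last_signon means the profile never signed on."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["last_signon"] = (datetime.strptime(r["last_signon"], "%Y-%m-%d").date()
                            if r["last_signon"] else None)
    return rows


def inactive_profiles(rows, today=REVIEW_DATE, limit=INACTIVE_DAYS, exempt=EXEMPT):
    """Enabled, non-exempt profiles unused for more than `limit` days (or never).

    This is the condition ANZPRFACT INACDAYS(limit) acts on; here we only
    report, so the list can be reviewed before anything is disabled.
    """
    hits = []
    for r in rows:
        if r["status"] != "*ENABLED" or r["profile"] in exempt:
            continue
        last = r["last_signon"]
        if last is None or (today - last).days > limit:
            hits.append(r["profile"])
    return hits


def effective_interval(profile_itv, sysval=QPWDEXPITV):
    """PWDEXPITV(*SYSVAL) on a profile means QPWDEXPITV applies; any other
    value on the profile (*NOMAX or 1-366) overrides the system value."""
    return sysval if profile_itv == "*SYSVAL" else profile_itv


def permanent_password_profiles(rows, sysval=QPWDEXPITV):
    """Profiles that hold a password which will never be forced to change."""
    return [r["profile"] for r in rows
            if r["has_password"] == "Y"
            and effective_interval(r["pwd_exp_itv"], sysval) == "*NOMAX"]


def review(text, today=REVIEW_DATE, sysval=QPWDEXPITV):
    """Run both checks over an export and return the findings by category."""
    rows = parse_export(text)
    return {
        "inactive": inactive_profiles(rows, today),
        "permanent_password": permanent_password_profiles(rows, sysval),
    }


if __name__ == "__main__":
    for finding, profiles in review(SAMPLE_EXPORT).items():
        print(f"{finding}: {', '.join(profiles) or 'none'}")
```

Against the sample data the inactive list is MJONES, SVCACCT and BATCHJOB (QSECOFR is exempt, TEMPUSR is already disabled), and the permanent-password list is PGMR1 and SVCACCT; passing sysval="*NOMAX" instead flags every profile that holds a password, which is why the system value itself belongs in the review.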
I also recommend that you look at the options offered on the SECTOOLS menu (GO SECTOOLS). Space limitations here do not let me go into these in more depth, but take a look and you may discover some interesting exposures on your system. There are also many more system values that you can employ in your quest for the perfect security setup.

One last item I like to recommend is a periodic physical inspection of your user community's workstations. It is amazing how often this turns up passwords written down and “hidden” under mouse pads, or even posted right on the face of the terminal. All the password controls in the world will not overcome this problem. If you find one of these, I would recommend that you revoke the user's access to the system and wait for them to complain, then go into detail about why their access rights were revoked. They should get the message.