  • Subject: RE: BPCS Security (was AS/SET Repository Installation 6.1.0)
  • From: "Nathan Bennett" <nabennis@xxxxxxxxx>
  • Date: Wed, 31 Jan 2001 23:47:05 +0100
  • Importance: Normal

Applying a security plan or implementing a security policy is not a painless
nor quick task.

First you need a risk assessment of WHAT you plan to protect before
considering HOW you plan to protect it.  Ask yourself, are you concerned
with data, hardware, both?  What is your scope (IT related only)?  What
support (backing from management will be required) do you have?  Budget?

It is pointless to develop a security policy which is data or application
related only, that will only HELP to protect you from known users.

Once you have an idea of what you want to protect now all you need to do is
work out how :-)  No, seriously once you have your risks identified then
each must be examined to determine what action(s) can be taken to reduce the
risk - use experts and specialists as much as possible.

In regards to trust, well personally I have none. View all access (physical
or data) as potentially hostile and protect yourself accordingly.  Why give
access to users if they don't need it?  I'm not advocating the withdrawal of
service on a security basis but it is important that you ALLOW access; if
you find yourself DENYING access then you obviously have a problem.

Every user should know and, if required, agree to the Company security
policy.  A lot of security changes and plans are discontinued because it
upsets the users - IT people being the worst by far - it would upset them a
lot more if someone cleared your database!

Don't leave things to chance, to be secure you have to be proactive...ensure
passwords are changed frequently and they are changed to a nth degree.
During the evening, do you need your remote lines/modems active?  Can
call-back be implemented for support?  Do all your PCs require ODBC?  Do
you wish to define authority by individual user, groups or adopted?  Are
your staff aware of potential risks?

The list is endless but you can only ask the questions once you know what
you plan to secure.

You touch on one of the big problems - money!  Security is an investment, it's
not a Y2K one-off cost, but is as important as the hardware or applications
your company has invested in... you can spend millions of pounds to implement
a system and save 100,000 to put it all at risk!

In terms of BPCS security...least said the better!  But, and the big plus
here is you work on one of the most secure capable machines in the
commercial world.  The downside to that is the technical area of security on
the AS/400 is a field within itself.  Security, even for BPCS, can be
enhanced using some common sense and common AS/400 commands in conjunction
with a good degree of knowledge of the application.

For example, can you split your users within BPCS?  Does the warehouseman
who needs authority within BPCS and within OS/400 really require access to all
BPCS files when all he does is print pickslips or confirm deliveries?  Can
you change the system to an adopted authority model to disallow user direct
access to the database?  I would say I personally think it's better to have
500 well maintained and up to date user authorities than 300 insecure ones.

A good security plan won't stop your business but will protect it now and
ensure any further emerging insecure technologies can be embraced and
implemented quicker, due to the better understanding of the risks, and more
SAFELY.


-----Original Message-----
From: owner-bpcs-l@midrange.com [mailto:owner-bpcs-l@midrange.com]On
Behalf Of MacWheel99@aol.com
Sent: Wednesday, January 31, 2001 6:45 PM
To: BPCS-L@midrange.com
Subject: Re: BPCS Security (was AS/SET Repository Installation 6.1.0)


Is it possible to share some outlines of Security Policies that work for
various versions of BPCS without spelling out for the bad guys what risks
they can exploit with companies not with these policies?

Our budget is for doing the best job we can for the company with a minimum of
additional expenditures to the computer infrastructure.

Our policy starts with the notion that we TRUST our employees, and we trust
the personnel of companies with which we have trading partner agreements,
what we do not trust is if & when we connect anything to dial in or internet
for connection by any random unknown persons, thus we need security for
outside world connections to our system that we do not need for our internal
staff.

This is one reason why I have been asking my management to put LANSA Smart
Web for BPCS all versions on our budget for the future.  It makes for secure
internet connection to BPCS as far as I am concerned, so that down the road
we can have our customers connect to our information about them, using any
browser, and drill down factory work by customer to see how we are doing on
parts in production that is specific to that customer.

I believe that there are times it makes sense to piecemeal add useful stuff
for users & trading partners, but internet security is not one of those
scenarios.

If I was a betting man, the only security risk I would expect from co-workers
is theft of information if someone was about to leave our employ to go work
for a competitor.

However no computer is an island in our dangerous world.

The most frequent known attempts at breaches, of which we have foiled so far,
have been from work stations unattended, such as in unlocked offices during
lunch time, or exposed due to different work shifts, or sitting very close to
entrances & exits from the building.  In other words, we do know that
unauthorized people try to get into our system, using whatever doors there
are into it.

Now while we do have security for our internal staff, it is more for
productivity purposes than suspicion purposes ... a person who only needs a
limited number of menu options, can be given a menu with everything they
need, organized according to their job function.  We want to help trainees,
learning some areas that are new to them, avoid accidentally deleting
something, messing up contents of files, or messing up layout of files.
Internal security is to maintain data integrity & help our work force become
more productive.

We have people connected to our BPCS 405 CD mixed mode via twinax, 5250
emulation, client access, and remote VPN ethernet emulating a local
workstation controller.

CA can get into 400 data without a 400 sign on or password.

What are the risks?
Without spelling out a road map to hackers.

We have defined a secondary group of power users category system helpers ...
they help their less skilled co-workers.  Our system helpers have been
granted job control so that they can get into messed up stuff & attempt
repairs.

However, only the people who have been told the password for security officer
have also been granted hardware configuration authority.

For example, we permit people within a department to access each other's
reports.  We accomplish this by giving spool job authority to the BPCS user
group that everyone is in.
This means that once in a blue moon person-A accidentally deletes person-B's
report(s) that person-B did not want deleted ... also I am making judgement
calls every week to delete hundreds of audit trails that are weeks old.
We know an accident happens because the end user sends a message ... oops, I
did this, what do we do now?

Can the kinds of miskeying oops that might occur via a CA user do more
damage?
Are there risks that someone who is not a hot shot PC user might mess
something up & not know that they did so, so that we do not get the oops
message?
How do I know something just went out my barn door so I can recover it from a
recent backup?

MacWheel99@aol.com (Alister Wm Macintyre) (Al Mac)
AS/400 Data Manager & Programmer for BPCS 405 CD Rel-02 mixed mode (twinax
interactive & batch) @ http://www.cen-elec.com Central Industries of
Indiana--->Quality manufacturer of wire harnesses and electrical
sub-assemblies - fax # 812-424-6838

>  From:    Rob.Angermann@YAMAHA-MOTOR.NL (Rob Angermann)
>
>  Nathan,
>
>  Perhaps we should discuss the security policy which we have to apply, now we
>  work with BPCS.
>  Let us discuss soon.
>  Rob
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---
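Nathan Bennett's suggestion of moving BPCS to an adopted authority model so that users such as the warehouseman reach the database only through the programs they run, written out as an added CL example that is not from either poster or from BPCS itself. BPCSLIB, BPCSOWN, BPCSUSR, PICKSLP and ITEMMST are constructed placeholder names; substitute the real library, profiles and objects.

```cl
/* Constructed example: BPCSLIB holds the BPCS data files and programs, */
/* BPCSUSR is the group profile all BPCS users belong to.               */

/* 1. Create a dedicated owning profile that nobody can sign on as.     */
/*    Programs will adopt this profile's authority at run time.         */
CRTUSRPRF USRPRF(BPCSOWN) PASSWORD(*NONE) STATUS(*DISABLED) +
          TEXT('Owner of BPCS data - no sign-on')

/* 2. Take direct database access away from everyone. After this, a    */
/*    5250 user, a Client Access/ODBC session or a DFU cannot read or   */
/*    update the files unless a program adopts authority for them.      */
RVKOBJAUT OBJ(BPCSLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
RVKOBJAUT OBJ(BPCSLIB/*ALL) OBJTYPE(*FILE) USER(BPCSUSR) AUT(*ALL)

/* 3. Hand the files to the owning profile and give it full authority.  */
CHGOBJOWN OBJ(BPCSLIB/ITEMMST) OBJTYPE(*FILE) NEWOWN(BPCSOWN)
GRTOBJAUT OBJ(BPCSLIB/*ALL) OBJTYPE(*FILE) USER(BPCSOWN) AUT(*ALL)

/* 4. Make the application program adopt its owner's authority. The     */
/*    warehouseman runs PICKSLP and gets to the files through it, but   */
/*    his own profile never gains authority to the files themselves.    */
CHGOBJOWN OBJ(BPCSLIB/PICKSLP) OBJTYPE(*PGM) NEWOWN(BPCSOWN)
CHGPGM PGM(BPCSLIB/PICKSLP) USRPRF(*OWNER) USEADPAUT(*YES)

/* 5. Grant the user group only the right to run the program (*USE),    */
/*    not to change or re-compile it, since a program that adopts      */
/*    BPCSOWN is as sensitive as the data it protects.                  */
RVKOBJAUT OBJ(BPCSLIB/PICKSLP) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(BPCSLIB/PICKSLP) OBJTYPE(*PGM) USER(BPCSUSR) AUT(*USE)

/* 6. Checks a security officer should repeat after every BPCS upgrade  */
/*    or new program: who can touch the file directly, and which        */
/*    programs adopt the owning profile (each one is a door to the data).*/
DSPOBJAUT OBJ(BPCSLIB/ITEMMST) OBJTYPE(*FILE)
DSPPGMADP USRPRF(BPCSOWN)
```

Objects restored or created later do not inherit these settings automatically, so the revoke and grant steps belong in the post-upgrade procedure, not in a one-off script.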