Mark,

You make a number of interesting points, but in the interest of time, I
would like to focus on this very important one...

> This means the problem is entirely composed of internal users and
> controllable. They sign the employment agreement for responsible
> behavior with corporate assets. <snip>

The information in our security study is heavily slanted towards
exploits (intentional or accidental) that would most likely be
perpetrated by employees, customers, vendors, etc. who already have
access to the corporate network.  This study does not indicate that
OS/400 is open to wild technological attacks from brilliant 13-year-olds
coming across the internet from the other side of the earth.

The problems are primarily (though not exclusively) from internal users,
but that by itself does not make it entirely controllable.  A signed
agreement will not prevent system unavailability due to lost or damaged
data that is the result of an error by a user wielding too much power.
The signed agreement will give you prosecutorial rights against a
malicious person, but that is typically small comfort when your systems
team has spent days recovering data, or your company is front page news
because you had a major breach. 

A signed agreement is an effort in prevention, but it is possibly the
lowest possible barrier.  IMHO, it is far more effective to use
technology measures to enforce prevention efforts than to rely on
threats of lawsuits and prosecution.


> Is i5 security simply a matter of internal priorities? And the focus
> of the article perhaps far too narrow. Would it not be more credible
> with two sources one being the audit team or enterprise assessment
> rather than an i5 only audit?

We do what we can.  To my knowledge our study is the only quantifiable
measure of OS/400 security practices that is available.  If someone else
were doing a similar study, we could compare the two and surely come up
with an even more insightful view on OS/400 security practices.  But
today, the PowerTech study is the only one I know of that is available.


> Might the real question(s) be:
> #1 - Is the reason that i5 is neglected because it is not problematic,
> out of scope - year after year? In that same meeting everyone notes
> concerns about the weekly Microsoft catastrophe?
> -Squeaky wheel gets the grease.

I think you are right on target here.  Everyone knows Windows systems
have security problems and need attention, and organizations spend loads
of time, money, and people on the problem.  OS/400 does not squeak
nearly as loud, and so organizations can get lulled into a false sense
of security.  They shouldn't be.  It's a computer system. It has
valuable data (arguably more important data than Windows systems).  It
should be properly protected from loss, damage and theft.

jte

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxx
www.powertech.com 
Celebrating our 10th Anniversary Year!
 
 
 
 

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
