Any time some new package is implemented, or we go through a conversion to different platform, etc. there ought to be some consideration given to the security rules. However, in any implementation or conversion, people tend to be swamped ... IT, project team, testers, management, everyone.

In our Y2K conversion, we were going from BPCS/36 to BPCS/400, and our project team got an education in choices on 400 and in BPCS. They saw that it was possible to run this with no security whatsoever, and that's what they called for. Normally I did everything the project team called for, going to management for occasional help on prioritizing, and getting help where some things were going to take forever. With what I considered to be bad security decisions, I went to management to try to make the case that we ought to have on the new system a level of security commensurate with what we had before, then as time permits, study the new security capabilities to see what bars ought to be raised.

I was particularly annoyed when our consultants took security off of the system without first checking with me, and I told management that if you ever want to have security in the future, that all the testing to date could be for naught. The consultant's explanation was that they had a lot of work to get done, and the security was getting in the way, so instead of diagnosing the problem, they killed the security.

In any conversion, everyone is swamped, including management. So they made a ruling to compromise between what I was calling for (such as a minimum of 4 characters in the passwords, and blocking ordinary users from running end-fiscal stuff that could not be reversed) and what the project team was calling for (no passwords). Management made a perfect compromise. Two characters minimum for passwords. We still that way today.

As new managers come on board, I tell them that when they get familiar with our system, I would like to brief them on what I consider are some of our problem areas, such as poor security. Many opt out on this briefing, but quite a few have been told about the 2 character password minimum, and have consciously decided to continue that rule.

I guess it just depends on your priorities.  It's been a long time since I
heard of a company where IT gives out profiles without some sort of
controls.  Hell, we had to bend over backwards at SSA to get a user profile.


> From: rob@xxxxxxxxx
> Same as everyone else out there, look at the default for password on
> CRTUSRPRF.  We get some who says "we gotta have a signon for ...".  Then
> they never actually sign on and change their password.

This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page