Any time some new package is implemented, or we go through a conversion to a
different platform, etc., there ought to be some consideration given to the
security rules. However, in any implementation or conversion, people tend
to be swamped ... IT, project team, testers, management, everyone.
In our Y2K conversion, we were going from BPCS/36 to BPCS/400, and our
project team got an education in choices on 400 and in BPCS. They saw that
it was possible to run this with no security whatsoever, and that's what
they called for. Normally I did everything the project team called for,
going to management for occasional help on prioritizing, and getting help
where some things were going to take forever. With what I considered to be
bad security decisions, I went to management to try to make the case that
we ought to have on the new system a level of security commensurate with
what we had before, then as time permits, study the new security
capabilities to see what bars ought to be raised.
I was particularly annoyed when our consultants took security off of the
system without first checking with me, and I told management that if you
ever want to have security in the future, all the testing to date
could be for naught. The consultants' explanation was that they had a lot
of work to get done, and the security was getting in the way, so instead of
diagnosing the problem, they killed the security.
In any conversion, everyone is swamped, including management. So they made
a ruling to compromise between what I was calling for (such as a minimum of
4 characters in the passwords, and blocking ordinary users from running
end-fiscal stuff that could not be reversed) and what the project team was
calling for (no passwords). Management made a perfect compromise. Two
characters minimum for passwords. We are still that way today.
As new managers come on board, I tell them that when they get familiar with
our system, I would like to brief them on what I consider to be some of our
problem areas, such as poor security. Many opt out of this briefing, but
quite a few have been told about the 2 character password minimum, and have
consciously decided to continue that rule.
I guess it just depends on your priorities. It's been a long time since I
heard of a company where IT gives out profiles without some sort of
controls. Hell, we had to bend over backwards at SSA to get a user profile.
> From: rob@xxxxxxxxx
> Same as everyone else out there, look at the default for password on
> CRTUSRPRF. We get some who say "we gotta have a signon for ...". Then
> they never actually sign on and change their password.