Dear Jim  ~  response #3,

Response #2 spoke about the distinction between the authority
granted by BPCS SYS600 to use BPCS objects and the outright 
ownership of BPCS objects granted by OS/400 to all members 
of the SSA group profile. That distinction opens the door for BPCS 
user ROGERCOBY to delete the entire BPCS item master file 
even though he's excluded from item master maintenance. SOX 
auditors would surely complain about that security risk.

Please click here: 
http://www.unbeatenpathintl.com/9sixeye-openers/source/1.html 
for more details about the distinction between the use and 
ownership of objects; look for the subject entitled:  

 >> Drawing the line between use and ownership

The same URL presents five other topics nominated by BPCS 
technical experts as the most surprising OS/400 security 
eye-openers revealed by our new risk assessment product: 
Bill of Health (tm) Security Diagnostics and Rx for iSeries. 
Here are the other five titles:

 >> Like father like son  (el hijo del tigre sale pintado)
 >> Not all batch jobs are created equal
 >> Over-the-horizon radar for exit point vulnerabilities
 >> Another invention breeds another vulnerability: validation lists
 >> Finding vulnerable directories

Please see these subsequent responses for BPCS/SOX topics:

  #4 ~~ learn about dozens of other OS/400 security risks
             identified by Bill of Health software.

  #5 ~~ information about a much more SOX-friendly idea than
             BPCS' clunky SYS600 security system.

  #6 ~~ learn how the PCAOB interpretation of SOX compels
             external auditors to look at the details of each BPCS business
             processes to identify internal control deficits and the
             consequent BPCS data integrity issues.

  #7 ~~ information about our award-winning Stitch-in-Time (tm)
             Data Integrity software that enables you to respond to SOX
             auditor inquiries about the integrity of DB2 information.

  #8 ~~ introduction to several other clever and affordable
             Stocking Stuffers (tm) for SOX products designed to help
             enterprises prepare for Sarbanes-Oxley.

God bless,

Milt Habeck
Unbeaten Path International

Toll free North America:  (888) 874-8008
International voice: (262) 681-3151
European contact: (44) 1-737-824248
mhabeck@xxxxxxxxxx
www.unbeatenpathintl.com



++++++++   +++++++   +++++++   +++++++   +++++++   +++++
From: Reinardy, James
To: bpcs-l@xxxxxxxxxxxx
Sent: Wednesday, June 09, 2004 3:17 PM
Subject: DB2 Users

Hello All,

We are running BPCS 6.04 on iSeries.  I am trying to understand the
relationship between iSeries users, BPCS users and DB2 file access. The
concern is arising because of Sarbanes-Oxley.  Our auditors are
suggesting that we need to lock down file privileges against the BPCS
database, but we are a little unclear about what user BPCS uses for data
access against DB2.  Is it the individual user that is logged into BPCS,
that user with a changed profile (SSA perhaps vs. *PUBLIC), or some other
generic user?

The idea here is to restrict access on a file by file basis for AS400Query,
SQL queries, ODBC connections, etc.  However, we want to be sure if
we lock things down that we don't break BPCS screens and batch
jobs.  Any suggestions on how to improve our understanding in this area
would be appreciated.

Regards,

Jim Reinardy
Director-IS
Badger Meter, Inc.



This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].