I think that what BPCS-using firms need is a combination of some good tools and some good education. As more companies understand what is needed, and where the work load is, that Clare pointed out, this will create some niche markets for improved tools. We are beginning to see some great tools, but not enough. Part of the problem is that owner management is not going to lay out the bucks to buy tools when they do not yet understand the problems why they are needed. That's one of the reasons why I am so glad Milt's latest package documentation has headed the direction it has gone, spelling out all the relevant gov regulations and the vast complexity of the security issues. I think his eye chart is a great way to organize the info and inspire people to drill deeper. http://www.unbeatenpathintl.com/BOH-Benefits/source/1.html

My local AS/400 user group holds several classes a year that are of the caliber of IBM University or higher, but instead of costing upwards of thousands of dollars, they cost a few hundred. We do this several ways. The last of those classes that I attended had about 25 students from 15 firms, some from as far away from Evansville as Purdue U, and was given by Carol Woodbury of Skyview (http://www.skyviewpartners.com/java-skyviewp/index.jsp), and did in fact cover the challenges of BPCS. The class cost $450.00, of which my employer paid 1/2 and I paid 1/2, so it was extremely affordable, and needed, but I feel that I got to an understanding of what is needed, but do not feel like I am ready to do it. You need to get similar education.

There are many high quality Security 400 education places ... this is the first I have had in which the special needs of BPCS companies were part of the curriculum. It was not a big part because there were only 3 companies at the class that were BPCS companies. She had many other needs to address. I suggest that the folks who organize BPCS conventions seek out more focus on this issue.

As for tools, Milt offers a lot, not just BPCS specific, such as
* Bill of Health finds all the holes in your overall 400 security http://www.unbeatenpathintl.com/BOH/source/1.html but you still have to fix them, which as Clare pointed out can be a lot of work
* More education in what all needs to be accomplished in general terms (not computer system specific) to satisfy Sarbanes Oxley and other government regulations (do you know about California's TWO special situations?) http://www.unbeatenpathintl.com/ITstandards/source/1.html
* I like the notion that there are ways to track file updates irrespective of whether they happened via BPCS front door or one of the many back doors, but I know from trying to do this kind of thing myself that we can get flooded with valid data (we were trying to log who was accessing confidential data in the General Ledger, after an unfortunate incident involving a sales rep's expense account being misconstrued) so Milt's http://www.unbeatenpathintl.com/stitch_in_time/source/1.html seems like a good step in the direction of focusing on what you want to focus on, and making the whole thing readable to IT and non-IT alike.

What I have not yet seen in tool set offerings is translating the guidance of 400 security inspection tools into reality, then merging future BPCS upgrades with these massive security modifications.
The solutions are being presented as if we can do this conversion work on our current BPCS level without considering the later challenges of being able to upgrade our BPCS to the next version or PTF level. It is like the Y2K conversion ... depending on how you implemented that, it can lock you into a box you can't get out of, and there are conversion tools that won't work on security level 40, so as I tried to say from the outset, this is a complex topic with many ramifications.

But I am confident that the way things are going with partnerships between 400 Security firms and BPCS Vendors that before long we will see more solutions offered. In the meantime we need more education so that as solutions come along, we can separate the con games from what is truly needed by our firms. In the larger SOX market outside the 400, seems to me the level of con artists is astronomical, and it is only a matter of time before they come knocking on our doors. We need to be ready for them.

I will be on vacation for a few days, and may pick up this thread later.

Al Macintyre http://www.ryze.com/go/Al9Mac
BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/

