RE: Security Education (Was RE: DB2 Users)

["Ardi Batmanghelidj" <ardibatman@xxxxxxxxxxxxx>]

Al, 

 

Based on your comments, it is clear that I have done an inadequate job of
bringing our product to the attention of this group. In large part it has
been out of respect for the members, and the belief that we should keep
overt marketing to a minimum. 

 

As always, you raise some excellent points, and they resonate with me
because our product DataThread already provides much of the functionality
that you wish for. You can in fact configure DataThread to monitor for
specific data conditions and send notifications to supervisory personnel or
even execute application programs. The workflow component allows for capture
of signatures from supervisors acknowledging a change, and can in fact be
executed in series to address chain of management. The inquiry and reporting
that are standard with DataThread have been instrumental in us winning
multiple awards.

 

The product was originally designed for the stringent auditing and
electronic signature requirements of the pharmaceutical industry. Great
emphasis was given to rich functionality, reliability and robustness.
Because it is so configurable, DataThread can now satisfy the auditing needs
of Sarbanes-Oxley or any other regulation yet to come. It does so seamlessly
for any software, and after any software version upgrade keeping intact
audit records of each, without the need for conversions.  

 

DataThread has been available since 2002 and one company alone has it for
over 40 BPCS sites satisfying both SOX and FDA requirements. 

 

I would love the opportunity to demonstrate DataThread to anyone who is
interested. 

 

Please visit the DataThread web site at www.DataThread.com
<http://www.datathread.com/> 

 

Cheers

Ardi

 

Ardi Batmanghelidj 

Principal - Business Development 

Innovatum, Inc. 

ardibatman@xxxxxxxxxxxxx

 

Direct Line: 978 443 1304 

Main Office: 877 277 3016 

 

 

-----Original Message-----
From: bpcs-l-bounces@xxxxxxxxxxxx [mailto:bpcs-l-bounces@xxxxxxxxxxxx] On
Behalf Of Alister Wm Macintyre
Sent: Thursday, June 10, 2004 2:30 PM
To: BPCS_L discussion
Subject: Security Education (Was RE: DB2 Users)

 

I think that what BPCS using firms need is a combination of some good tools 

and some good education.  As more companies understand what is needed, and 

where the work load is, that Clare pointed out, this will create some nitch 

markets for improved tools.  We are beginning to see some great tools, but 

not enough.  Part of the problem is that owner management not going to lay 

out the bucks to buy tools when they not yet understand the problems why 

they needed.  That's one of the reasons why I so glad Milt's latest package 

documentation headed the direction it has gone, spelling out all the 

relevant gov regulations and the vast complexity of the security issues.  I 

think his eye chart is a great way to organize the info and inspire people 

to drill deeper. http://www.unbeatenpathintl.com/BOH-Benefits/source/1.html

 

My local AS/400 user group holds several classes a year that are of the 

caliber of IBM University or higher, but instead of costing upwards of 

thousands of dollars, they cost a few hundred.  We do this several 

ways.  The last of those classes that I attended had about 25 students from 

15 firms, some from as far away from Evansville as Purdue U, and was given 

by http://www.skyviewpartners.com/java-skyviewp/index.jsp Carol Woodbury of 

Skyview, and did in fact cover the challenges of BPCS.  The class cost $ 

450.00 in which my employer paid 1/2 and I paid 1/2, so it was extremely 

affordable, and needed, but I feel that I got to an understanding of what 

is needed, but not feel like I am ready to do it.  You need to get similar 

education.

 

There are many high quality Security 400 education places ... this is the 

first I have had in which the special needs of BPCS companies was part of 

the curriculum.  It was not a big part because there were only 3 companies 

at the class that were BPCS companies.  She had many other needs to 

address.  I suggest that the folks, who organize BPCS conventions, seek out 

more focus on this issue.

 

As for tools, Milt offers a lot, not just BPCS specific, such as

    * Bill of Health finds all the holes in your overall 400 security 

http://www.unbeatenpathintl.com/BOH/source/1.html but you still have to fix 

them, which as Clare pointed out can be a lot of work

    * More education in what all needs to be accomplished in general terms 

(not computer system specific) to satisfy Sarbanes Oxley and other 

government regulations (do you know about California's TWO special 

situations?)  http://www.unbeatenpathintl.com/ITstandards/source/1.html

    * I like the notion that there are ways to track file updates 

irrespective of whether they happened via BPCS front door or one of the 

many back doors, but I know from trying to do this kind of thing myself 

that we can get flooded with valid data (we were trying to log who was 

accessing confidential data in the General Ledger, after an unfortunate 

incident involving a sale rep's expense account being misconstrued) so 

Milt's http://www.unbeatenpathintl.com/stitch_in_time/source/1.html seems 

like a good step in the direction of focusing on what you want to focus on, 

and making the whole thing readable  to IT and non-IT alike.

 

What I have not yet seen in tool set offerings is translating the guidance 

of 400 security inspection tools into reality, then merging future BPCS 

upgrades with these massive security modifications.

The solutions are being presented as if we can do this conversion work on 

our current BPCS level without considering the later challenges of being 

able to upgrade our BPCS to the next version or PTF level.  It is like the 

Y2K conversion ... depending on how you implemented that, it can lock you 

into a box you can't get out of, and there are conversion tools that won't 

work on security level 40, so as I tried to say from the outset, this is a 

complex topic with many ramifications.

 

But I am confident that the way things are going with partnerships between 

400 Security firms and BPCS Vendors that before long we will see more 

solutions offered.  In the mean time we need more education so that as 

solutions come along, we can separate the con games from what is truely 

needed by our firms.  In the larger SOX market outside the 400, seems to me 

the level of con artists is astronomical, and it is only a matter of time 

before they come knocking on our doors.  We need to be ready for them.

 

I will be on vacation for a few days, and may pick up this thread later.

 

-

Al Macintyre  http://www.ryze.com/go/Al9Mac

BPCS/400 Computer Janitor at http://www.globalwiretechnologies.com/ 

_______________________________________________

This is the SSA's BPCS ERP System (BPCS-L) mailing list

To post a message email: BPCS-L@xxxxxxxxxxxx

To subscribe, unsubscribe, or change list options,

visit: http://lists.midrange.com/mailman/listinfo/bpcs-l

or email: BPCS-L-request@xxxxxxxxxxxx

Before posting, please take a moment to review the archives

at http://archive.midrange.com/bpcs-l.