I beg the indulgence of the group while I summarize for my benefit. I assume that those more versed will correct any mis-statements, and so improve all of our knowledge!

I believe that there are several issues here:

1. Unauthorized access
   1a. Security within the application
   1b. Green screen external tool security
   1c. External tool security
2. Auditing for inappropriate authorized use

Regarding unauthorized access . . .

-- I think BPCS security is acceptable for the application itself, although like any system it could be improved. Granular control is available when necessary. This is a question of proper configuration rather than application capability.

-- Mr. Torres, in point #2 of his post, discussed how to secure the application from external green screen tools, although I believe that he left out that there is some adopted authority happening. I believe this is a sound strategy.

-- There is much information available w.r.t. external security; the archives of this list and midrange-l should be of great help, as should the IBM Info Center. I think there is a redbook about this topic. This is something that you can do yourself, and tools and consultants are available to make it easier and faster.

-- The point about IS staff having unfettered access to production is valid, to a point. For most iSeries applications, there is no way to get around the need to directly manipulate the data from time to time. Which brings us to auditing . . .

Regarding auditing . . .

Basically, there needs to be auditing and/or approval of critical data changes to make sure that fraudulent or erroneous transactions are prevented or caught while still reversible. Mr. Batmanghelidj and Mr. Habeck have dueling products that deal with these issues, and there are likely others. Direct file access (for reading as well as updating) should be logged, and the logs reviewed on a regular basis.

If Sarbanes-Oxley or CFR Part 11 is relevant to your organization, the use of one of these tools is quite likely required.

Have I made sense?
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].