RE: Test Development System Survey (HIPAA)

["Walden H. Leverich III" <WaldenL@xxxxxxxxxxxxxxx>]

While I _DO_ believe you could secure a single iSeries partition
appropriately for HIPAA requirements, I think it's _much_ easier not to.

Let's face it, the big fear of HIPAA is an audit. If some
not-so-technical[1] federal agent comes in an audits your system would you
rather say:

"Here is our system. We run production and development on the same machine.
Our developers have access to the same machine as our production users.
Sure, we've properly implemented object-level-security and auditing. What?
You don't know what object-level-security is? Let me explain..." 

I'll promise that all he heard was "our developers have access to the same
machine"

Or would you like to say:

"We have two machines, one for development and one for production. Our
developers do not have any access what so ever to production. We've also
implemented object-level-security and auditing as additional precautions."

I'll promise that all he heard was "our developers do not have access"

-Walden

[1] Be careful, the no-so-technical guy has access to some _very_ technical
people if he smells blood.

------------
Walden H Leverich III
President
Tech Software
(516) 627-3800 x11
(208) 692-3308 eFax
WaldenL@xxxxxxxxxxxxxxx
http://www.TechSoftInc.com 

Quiquid latine dictum sit altum viditur.
(Whatever is said in Latin seems profound.)
 
-----Original Message-----
From: Steve Johnson [mailto:sjohnson@xxxxxxxx] 
Sent: Wednesday, October 22, 2003 10:27 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Test Development System Survey (HIPAA)

I went back to the archives to search for this discussion that I recalled
reading (it was from July 2003 titled "Test Development System Survey")... 

<clip>
We are currently using our AS400 production box for development as well 
(the test/production systems are separated by logins/environment variables).

How many of you all also combine both on one machine, and has this caused
performance problems for you? Or do you use a test machine for development
specifically because of this (or wish you had one)?
<clip>

We also have one iSeries partition housing all of our environments (Lawson
HCM).  I'm starting to hear news that we will be moving our dev/test
environments to a separate partition due to HIPAA requirements.  Has anyone
else started to hear the same, or already acted on HIPAA requirements by
splitting environments yet?  Any tips/benefits/drawbacks for having Lawson
7.2.2.6 Prod/Dev environments on separate iSeries partitions?

I saw a couple of strings in the archives that mentioned HIPAA requirements,
but they didn't appear to focus on the issue of splitting Prod/Dev/Test
environments in order to comply with the extensive set of privacy/security
standards that are defined by HIPAA. 

I don't want to resurrect the original discussion as to which methodology is
better...  However, as a sidebar, I would like to know if anyone has been
able to tie Osama Bin Laden or Al-Qaida to the creation of the HIPAA
requirements.  <grin>

Thanks,
Steve  
 
   



_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.