Re: iSeries Security in Computerworld

A truly secure org would not give permission for such a report ...

the current picture seems to be that I can not get in anywhere without VPN...

This means the problem is entirely composed of internal users and controllable...

Internal is a big & controllable problem...but

jim franz

To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Sunday, November 05, 2006 8:58 AM
Subject: Re: iSeries Security in Computerworld

Why would the CE need that access all the time ?

Good question. Sounds a little historic.

This is my opinion only, not necessarily fact, and I have not read the
report only the article. No offense to -anyone- and here is my view:
We've all had the math problem about finding the population
/distributions of sets - I will leave it at that as far as describing
what "I" think is a sample that applies to what I see in the field.
Additionally, the audience of such a report contains the best of the
best, so I did not think anyone worthy of the responsibility would
misinterpret ANYTHING reported.  Like so many others, I have
scrutinized what is reported for years, you become adept at
assimilating real content / value at hand - fast and getting your own
facts to continue forward or simply know that it is not your cup of
tea.

A truly secure org would not give permission for such a report or even
run the software for the purpose of outside entity reporting unless
for compliance, which was not mentioned. That population may be
omitted altogether. Therefore, I conclude that the article is for
management fright effect/wake-up call, since no one else cares. Now we
have: -CONTEXT.  I know this is an emotional topic (and it should not
be) but the recent posts about the unreported side of the house are in
line with my observations. Excluding vendors with accepted risk boxes
for clients, the current picture seems to be that I can not get in
anywhere without VPN.

This means the problem is entirely composed of internal users and controllable.

They sign the employment agreement for responsible behavior with
corporate assets. The set of sec issues at risk seemingly will be
accidental/lack of knowledge in origin excluding VPN hackers and lost
portables. The disgruntled element of risk is enough to justify
uniformity of all the systems -yes but it seems we tend to cap the
bottle with VPN rather than apply security uniformly.

As a side note, I think IBM and ALL OS vendors have done a terrible
job at making this an easily managed asset. It is ridiculous that we
have to try so hard to see what users might be able to peek at
payroll. It has ALWAYS been this way and has not improved much. Of
course, we expect a lot sometimes, it's not as simple as a telephone
or water meter in the yard and it helps keep people like me busy.

Is i5 security simply a matter of internal priorities?  And the focus
of the article perhaps far too narrow. Would it not be more credible
with two sources one being the audit team or enterprise assessment
rather than an i5 only audit?
Might the real question(s) be:
#1 - Is the reason that i5 is neglected because it is not problematic,
out of scope - year after year? In that same meeting everyone notes
concerns about the weekly Microsoft catastrophe?
-Squeaky wheel gets the grease.

#2-Is the reason because it is too complex and they have not loaded
software to manage the solution?
-Hardly, you get what you pay for.
--
Mark Villa
Summerville, SC
--

This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list

To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.