RE: Separation of Duties...

How can a one person shop "afford it" when that one person is not given the
budget? Many of my clients have several Windows server support people. Who
do they have for their System i support? Me, and I'm not even on site.

Always remember that the auditors are also consulting services vendors. They
like to make recommendations that will get their consultants in the door.

Paul Nelson
Cell 708-670-6978
Office 512-392-2577
nelsonp@xxxxxxxxxxxxx


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Dave Odom
Sent: Thursday, November 01, 2007 4:21 PM
To: midrange-l@xxxxxxxxxxxx
Subject: Separation of Duties...

Kenneth,

It is reasonable and prudent to have a separation of people/duties for all
major privileged (System Programmer, Security Officer, DBA, Programmer,
etc.) personnel. It is an accepted practice in any well run and mature IT
shop AND any well managed business where protection of company assets is
taken seriously.

Most i5/AS/400 shops don't qualify as they are much like Windows-only shops
when it comes to having one or a few people that are "chief cooks and bottle
washers" and being expedient and cheap is more important then proper
business controls. I notice that at least one shop, a bank and I think an
i5 shop, understood what good business practices means and had many controls
in place to protect assets and force serious collusion to "steal" or harm
assets without anyone knowing.

It is a shame that most i5-centric folks on here sneer at such things and
think their system and "business practices" superior.

If you do what the auditor suggests, if you can afford it, you'll be in
better stead over time and pass your audits when it comes to good business
and IT practices.

Sincerely,

David Odom
Arizona