× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2020

RE: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment

One thing you didn't specify was what kind of production data you are trying to protect.

Is this system being used to process payroll? You have to protect your employee social security numbers. Don't limit that to the actual data files. Make sure there are no spool files containing payroll reports. I once did an audit for a company that did their own payroll. The CFO claimed she had everything locked down. I ran a couple of queries to be printed, and just happened to hit the function key allowing me to see all the printers on the system. I found an output queue labeled W2. That queue contained several years of W2's. I thought the CFO was going to pass out when she saw that.

In addition, do you take credit card information from your customers? I've seen a number of clients who thought credit card information was encrypted, but it really wasn't.

Make sure you check everything before you go down this path. Letting an outsourcer take over your system is like handing whiskey and your car keys to a teenage boy. 😊
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Laurence Chiu
Sent: Thursday, June 25, 2020 7:25 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Recommendation for IBMi privileges for an outsourcer to support an IBMi environment

We are about to embark on an outsourcing agreement with a supplier to support our IBMi environment.

We would prefer that they don't have the ability to look at our production data. The following security profiles were recommended

*IOSYSCFG, *JOBCTL, *SAVSYS, *SERVICE and *SPLCTL.

However they say they also need QSECOFR to be able install software, apply PTF's etc. There is a view (untested) that somebody with this privilege could run any application on the IBMi environment and view sensitive data.
Even if we had menus in front with internal application security, they could just dump the data. We don't think they would do that but our security folks don't like to have security holes like this.

For those organizations who are using outsourcers to manage their environments, are there some best practices (even good practices) that you could recommend that would ameliorate that risk? I think to install the OS you would need QSECOFR but what other reasons would you need it?

Thanks
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link: https://amazon.midrange.com



As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.