To implement this would require systems that implement application security. The idea that a systems programmer of any type would be able to perpetrate fraud is a stretch.
I had access to everything mainframe (RACF, CICS, z/OS) in a top secret installation. I wouldn't be able to place a purchase order but I could nuke any dataset. I was also too damn busy doing my job to compromise the systems. The worst case is where staff inherit privileges as they change roles. That was a problem. Makes a case for role based security. Change roles > New role based ID.

On Fri, Aug 4, 2023 at 11:34 PM Michael Babcock <[email protected]> wrote:

> I ran across this in a CICS security admin book (which should also apply
> to z/OS sysprogs):
>
> Roles and separation of duties
>
> A key security principle is the separation of duties between
> different users so that no one person has sufficient access privilege to
> perpetrate damaging fraud. *This configuration is required by various
> audit regulations such as the United States Federal Law known as the
> Sarbanes-Oxley Act of 2002
> <https://www.ibm.com/links?url=https%3A%2F%2Fwww.govinfo.gov%2Fcontent%2Fpkg%2FPLAW-107publ204%2Fpdf%2FPLAW-107publ204.pdf>.*
>
> An example of this separation of duties, is that someone with the
> role of CICS System Programmer must not also have the role of RACF
> Security Administrator.
>
> Does anyone know exactly which section of SOX it's referring to?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN

--
Wayne V. Bickerdike
