> On Friday, August 4, 2023 at 01:25:32 PM PDT, Wayne Bickerdike
> <[email protected]> wrote:
> The idea that a systems programmer of any type would be able to
> perpetrate fraud is a stretch.
A sysprog who can't perpetrate fraud is not a good sysprog. There is a huge
difference between desire and having the ability. Not having the time does not mean
you couldn't have done so.
> To implement this would require systems that implement application security.
z/OS implements security in ways that are not apparent. There are obvious SAF
calls implemented in CICS and IMS. There are many more that you never hear
about built into most products. Think about all the SAF classes that can be
activated. They are used somewhere. A security admin can secure every little
thing but rarely has the will to do so. Not one security admin creates rules
specific to each user. Not one security admin activates all security classes.
Some take the view they are keeping honest people honest while others are very
restrictive.
On Friday, August 4, 2023 at 01:25:32 PM PDT, Wayne Bickerdike
<[email protected]> wrote:
To implement this would require systems that implement application
security. The idea that a systems programmer of any type would be able to
perpetrate fraud is a stretch.
I had access to everything mainframe (RACF, CICS, z/OS) in a top secret
installation. I wouldn't be able to place a purchase order but I could nuke
any dataset. I was also too damn busy doing my job to compromise the
systems.
The worst case is where staff inherit privileges as they change roles. That
was a problem. Makes a case for role-based security. Change roles > New
role-based ID.
On Fri, Aug 4, 2023 at 11:34 PM Michael Babcock <[email protected]>
wrote:
> I ran across this in a CICS security admin book (which should also apply
> to z/OS sysprogs):
>
> Roles and separation of duties
>
> A key security principle is the separation of duties between
> different users so that no one person has sufficient access privilege to
> perpetrate damaging fraud. *This configuration is required by various
> audit regulations such as the United States Federal Law known as the
> Sarbanes-Oxley Act of 2002
> <https://www.ibm.com/links?url=https%3A%2F%2Fwww.govinfo.gov%2Fcontent%2Fpkg%2FPLAW-107publ204%2Fpdf%2FPLAW-107publ204.pdf>.*
>
> An example of this separation of duties is that someone with the
> role of CICS System Programmer must not also have the role of RACF
> Security Administrator.
>
>
> Does anyone know exactly which section of SOX it's referring to?
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
--
Wayne V. Bickerdike
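The thread raises two reviewable conditions: one identity holding a toxic role pair (the book's example is CICS System Programmer plus RACF Security Administrator), and privileges that survive a role change because the old role was never revoked. The following is an added example of a defender-side check for both, written for this page; it is not code from the thread, from IBM, or from RACF. Every user ID, role name, date and the list of toxic pairs beyond the CICS/RACF one are constructed assumptions, and `rotate_role` models the "change roles, new role-based ID" remedy rather than any product's command.

```python
"""Separation-of-duties and inherited-privilege review over role assignments.

Added example, not from the IBM-MAIN thread. All users, roles and dates are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple

# Toxic combinations: one identity holding both roles defeats separation of duties.
# The CICS sysprog / RACF admin pair is the one the thread quotes; the others are assumed.
TOXIC_PAIRS = frozenset({
    frozenset({"CICS_SYSPROG", "RACF_ADMIN"}),
    frozenset({"ZOS_SYSPROG", "RACF_ADMIN"}),
    frozenset({"PO_ENTRY", "PO_APPROVE"}),
})


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    granted: date
    revoked: Optional[date] = None  # None means the grant is still active


def active_roles(assignments: Iterable[Assignment], user: str, as_of: date) -> Set[str]:
    """Roles `user` holds on `as_of`: granted on or before that day and not yet revoked."""
    return {
        a.role for a in assignments
        if a.user == user and a.granted <= as_of and (a.revoked is None or a.revoked > as_of)
    }


def sod_violations(assignments: List[Assignment], as_of: date) -> List[Tuple[str, str, str]]:
    """(user, role_a, role_b) for every user holding a toxic pair on `as_of`, sorted."""
    found = []
    for user in sorted({a.user for a in assignments}):
        roles = active_roles(assignments, user, as_of)
        for pair in TOXIC_PAIRS:
            if pair <= roles:
                role_a, role_b = sorted(pair)
                found.append((user, role_a, role_b))
    return sorted(found)


def inherited_privileges(assignments: List[Assignment], as_of: date) -> List[Tuple[str, str]]:
    """(user, role) for active grants older than the user's most recent active grant.

    Heuristic for "staff inherit privileges as they change roles": the newest grant is
    taken as the current role, so anything older and still active is a review candidate.
    """
    flagged = []
    for user in sorted({a.user for a in assignments}):
        active = [a for a in assignments
                  if a.user == user and a.role in active_roles(assignments, user, as_of)]
        if not active:
            continue
        latest = max(a.granted for a in active)
        flagged.extend((user, a.role) for a in sorted(active, key=lambda a: a.role)
                       if a.granted < latest)
    return flagged


def rotate_role(assignments: List[Assignment], user: str, new_role: str, on: date) -> List[Assignment]:
    """Model "change roles > new role-based ID": revoke every active grant, then grant the new role."""
    rotated = [replace(a, revoked=on) if a.user == user and a.revoked is None and a.granted <= on else a
               for a in assignments]
    rotated.append(Assignment(user, new_role, on))
    return rotated


# Constructed sample: USER01 accumulated roles, USER02 had the old role revoked on change,
# USER03 moved from PO entry to PO approval without losing entry rights.
SAMPLE = [
    Assignment("USER01", "CICS_SYSPROG", date(2019, 3, 1)),
    Assignment("USER01", "ZOS_SYSPROG", date(2020, 6, 15)),
    Assignment("USER02", "CICS_SYSPROG", date(2018, 5, 2), revoked=date(2021, 1, 10)),
    Assignment("USER02", "RACF_ADMIN", date(2021, 1, 10)),
    Assignment("USER03", "PO_ENTRY", date(2017, 9, 1)),
    Assignment("USER03", "PO_APPROVE", date(2022, 2, 1)),
]
AS_OF = date(2023, 8, 4)

if __name__ == "__main__":
    for v in sod_violations(SAMPLE, AS_OF):
        print("SoD violation:", v)
    for p in inherited_privileges(SAMPLE, AS_OF):
        print("review inherited privilege:", p)
```

Run against the constructed records, the check reports USER03 for the PO entry/approve pair and flags the older still-active grants of USER01 and USER03; USER02, whose CICS role was revoked on the day the RACF role was granted, is clean on both counts, which is the outcome `rotate_role` produces for any user.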