Role-based security ("RBAC") is a ton of work to set up the first time, but I'm 
sold on its worth.  More companies I've worked for than not, in the past 20 
years, have implemented it or are implementing it, despite the huge effort 
required.

---
Bob Bridges, [email protected], cell 336 382-7313

/* Most people are not avoiding our gospel, they are avoiding ~us~.  -from 
"Shame off You" by Alan D Wright */

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Wayne Bickerdike
Sent: Friday, August 4, 2023 16:25

To implement this would require systems that implement application security. 
The idea that a systems programmer of any type would be able to perpetrate 
fraud is a stretch.

I had access to everything mainframe (RACF, CICS, z/OS) in a top secret 
installation. I wouldn't be able to place a purchase order but I could nuke any 
dataset. I was also too damn busy doing my job to compromise the systems.

The worst case is where staff inherit privileges as they change roles. That was 
a problem. Makes a case for role-based security. Change roles > New role-based 
ID.

--- On Fri, Aug 4, 2023 at 11:34 PM Michael Babcock <[email protected]> 
wrote:
> I ran across this in a CICS security admin book (which should also 
> apply to z/OS sysprogs):
>
> Roles and separation of duties
>
>      A key security principle is the separation of duties between 
> different users so that no one person has sufficient access privilege 
> to perpetrate damaging fraud. *This configuration is required by 
> various audit regulations such as the United States Federal Law known 
> as the Sarbanes-Oxley Act of 2002 
> <https://www.ibm.com/links?url=https%3A%2F%2Fwww.govinfo.gov%2Fcontent%2Fpkg%2FPLAW-107publ204%2Fpdf%2FPLAW-107publ204.pdf>.*
>
>      An example of this separation of duties, is that someone with the 
> role of CICS System Programmer must not also have the role of RACF 
> Security Administrator.
>
>
> Does anyone know exactly which section of SOX it's referring to?
