On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main
(Message-ID:<[email protected]>)
[email protected] (gsg) wrote:
> As part of a systems programmer's duties, they have ALTER
> access to many datasets. They need/require this access to
> install, upgrade, maintain and resolve problems. Audit
> has been pushing more and more to remove the ALTER access.
> Has anyone else been experiencing this?

The following is opinion based on my experience:

Auditors feel they have to make recommendations in order to
justify their existence. Thus, if you have a secure system,
they start to make stuff up. Removing required sysprog
authorities is one of the easier demands to think of,
regardless of its impracticality.

Too many companies then make those ridiculous "recommended"
changes because they think the auditors know what they're
doing, or because it's easier to defend stupid things
ordered by auditors than smart things contrary to the
auditors' advice.

I do know one person who managed to short-circuit this
particular suggestion. He said, "If I have enough tools to
do my job, I can access any dataset regardless of the
security system. If I have to bypass the security system,
I'll do so in a way that leaves no traces. But, it would
take time and effort I'd rather put into doing my actual
job. So, leave my access and just make sure to thoroughly
check my audit trail." It worked.