In an ideal world: 1. Subject matter experts set the guidelines (with mgt approval) 2. Auditors have no authourity, they merely report. 3. Compliance officers enforce the rules.
-teD Original Message From: Arthur Sent: Friday, April 29, 2016 00:31 To: IBM-MAIN@LISTSERV.UA.EDU Reply To: IBM Mainframe Discussion List Subject: Re: Alter access to datasets On 28 Apr 2016 18:43:27 -0700, in bit.listserv.ibm-main (Message-ID:<9982011699705061.wa.gsg808yahoo....@listserv.ua.edu>) 00000053fe88ed35-dmarc-requ...@listserv.ua.edu (gsg) wrote: >As part of a systems programmer duties, they have ALTER >access to many datasets. They need/require this access to >install, upgrade, maintain and resolve problems. Audit >has been pushing more and more to remove the ALTER access. > >Has anyone else been experiencing this? The following is opinion based on my experience: Auditors feel they have to make recommendations in order to justify their existence. Thus, if you have a secure system, they start to make stuff up. Removing required sysprog authorities is one of the easier demands to think of, regardless of its impracticality. Too many companies then make those ridiculous "recommended" changes because they think the auditors know what they're doing, or because it's easier to defend stupid things ordered by auditors than smart things contrary to the auditors advice. I do know one person who managed to short-circuit this particular suggestion. He said, "If I have enough tools to do my job, I can access any dataset regardless of the security system. If I have to bypass the security system, I'll do so in a way that leaves no traces. But, it would take time and effort I'd rather put into doing my actual job. So, leave my access and just make sure to thoroughly check my audit trail." It worked. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN