db2 v8 nfm, z/os 1.7

John Amsden

db2 v8 nfm, z/os 1.7
I've been asked to get some feedback from other companies on access to production DB2 subsystems from test//QA systems. Does anyone allow any access to production DB2 subsystems from non production entities (batch, online, distributed)?

Thanks in advance!





Notice of Confidentiality: **This E-mail and any of its attachments may contain
Lincoln National Corporation proprietary information, which is privileged, confidential,
or subject to copyright belonging to the Lincoln National Corporation family of
companies. This E-mail is intended solely for the use of the individual or entity to
which it is addressed. If you are not the intended recipient of this E-mail, you are
hereby notified that any dissemination, distribution, copying, or action taken in
relation to the contents of and attachments to this E-mail is strictly prohibited
and may be unlawful. If you have received this E-mail in error, please notify the
sender immediately and permanently delete the original and any copy of this E-mail
and any printout. Thank You.**

______________________________________________________________________

* IDUG 08 Bangalore, India * 21-23 August 2008 * http://IDUG.ORG/lsIN *
______________________________________________________________________


The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at http://www.idug.org/lsidug under the Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference information and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services at http://www.idug.org/lsms

Mark Vickers

Re: db2 v8 nfm, z/os 1.7
(in response to John Amsden)
John,
We are a grocery distributor and retailer, and as our data is
non-sensitive, within MIS (IT) we allow developers:
- data migration from production image copies (unload/load) into test regions
- read-only access to production
- emergency update access, granted temporarily for production fixes only

All MIS staff have signed confidentiality agreements and are not treated
as potential criminals and it works well.

Let me state that we are not a public company, so we do not have to comply
with SOX, HIPAA etc. and all the other auditing prerequisites of public
companies.

This is a very "company specific" security policy decision that IMO should
be made first according to any Federal or State requirements, and second
with consideration of your own organization's privacy obligations and other
related risks for sensitive data.
HTH
Mark Vickers.



"Amsden, John W" <[login to unmask email]>
Sent by: DB2 Data Base Discussion List <[login to unmask email]>
07/15/2008 08:10 AM
Please respond to
DB2 Database Discussion list at IDUG <[login to unmask email]>


To
[login to unmask email]
cc

Subject
db2 v8 nfm, z/os 1.7






I've been asked to get some feedback from other companies on access to
production DB2 subsystems from test//QA systems. Does anyone allow any
access to production DB2 subsystems from non production entities (batch,
online, distributed)?
Thanks in advance!




Notice of Confidentiality: **This E-mail and any of its attachments may
contain
Lincoln National Corporation proprietary information, which is privileged,
confidential,
or subject to copyright belonging to the Lincoln National Corporation
family of
companies. This E-mail is intended solely for the use of the individual or
entity to
which it is addressed. If you are not the intended recipient of this
E-mail, you are
hereby notified that any dissemination, distribution, copying, or action
taken in
relation to the contents of and attachments to this E-mail is strictly
prohibited
and may be unlawful. If you have received this E-mail in error, please
notify the
sender immediately and permanently delete the original and any copy of
this E-mail
and any printout. Thank You.**



IDUG 2008 - India * 21-23 August 2008 * Bangalore, India
The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L
list archives, FAQ, and delivery preferences are at IDUG.ORG under the
Listserv tab. While at the site, you can also access the IDUG Online
Learning Center, Tech Library and Code Place, see the latest IDUG
conference information, and much more. If you have not yet signed up for
Basic Membership in IDUG, available at no cost, click on Member Services




This e-mail (and any attachments) may contain information that is
confidential and/or protected by law. Any review, use, distribution or
disclosure to anyone other than the
intended recipient(s) is strictly prohibited. If you are not the intended
recipient, please contact the sender by reply email and delete all copies
of this message.



______________________________________________________________________

* IDUG 08 Bangalore, India * 21-23 August 2008 * http://IDUG.ORG/lsIN *
______________________________________________________________________


The IDUG DB2-L Listserv is only part of your membership in IDUG. The DB2-L list archives, FAQ, and delivery preferences are at http://www.idug.org/lsidug under the Listserv tab. While at the site, you can also access the IDUG Online Learning Center, Tech Library and Code Place, see the latest IDUG conference information and much more. If you have not yet signed up for Basic Membership in IDUG, available at no cost, click on Member Services at http://www.idug.org/lsms

Martin Kenney

Re: db2 v8 nfm, z/os 1.7
(in response to Mark Vickers)
We do not allow access to production from test/QA here.


Cathy Taddei

Re: db2 v8 nfm, z/os 1.7
(in response to Martin Kenney)
I'm almost afraid to answer, because we are not as far along in our data scrubbing as we want to be. However, we do unload production data periodically (about every 6 weeks or so) and load it into test. One or two individuals can update production via SPUFI to fix data problems. There is no direct connection from a test CICS, DB2, or batch job to production.


Troy Coleman

Re: db2 v8 nfm, z/os 1.7
(in response to Cathy Taddei)
Hi John,
We (SoftBase) have a product called TestBase, used by many companies to copy, subset and mask production data to test. Almost all of them have a DDF link from test to prod. A few customers wanted to secure the connection so that only TestBase could connect, so I built them an RLF rule to exclude all remote connections except TestBase. We did have one customer who did not allow the DRDA connection, so we added a feature to unload, subset and mask on production. Then from test, pull the different sets of files over FTP or NDM and load into test.

In general if you have your security RACF setup then having a connection to production is not a problem.


Troy Coleman, Support Engineer
IBM Certified Database Administrator - DB2 9 for z/OS and LUW
SoftBase Systems, Inc.
847-776-0618 / 828-670-9900 ext. 334
[login to unmask email]
Compliance Challenged with Test Data Privacy? White Papers and More at http://www.softbase.com/
The information contained in this message may be CONFIDENTIAL and is for the intended addressee only. Any unauthorized use, dissemination of the information, or copying of this message is prohibited. If you are not the intended addressee, please notify the sender immediately and delete this message.
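Troy's post describes two controls on a test-to-production DDF link: the RACF setup that decides who may open a connection at all, and an RLF rule that limits what the connection may run once open. A practitioner should verify the RACF side first, because the Resource Limit Facility governs only dynamic SQL, and only while the governor is started with -START RLIMIT; static SQL in a package bound on the production subsystem passes through it untouched. On z/OS, the gate for a DRDA connection arriving through DDF is the DSNR-class profile ssid.DIST, and DB2 consults it only when the DSNR class is active, so an inactive class or a generic profile with UACC(READ) is the weak state to look for. The batch job below is an added illustration, not code from the thread or from SoftBase: it closes DDF access to the production subsystem to a single ID. DB2P (the production subsystem name), TESTBASE (the RACF user or group the masking tool connects under) and the job card are assumed values.

```jcl
//RACFDIST JOB (ACCT),'LOCK DOWN DDF',CLASS=A,MSGCLASS=X
//*
//* Assumed names: DB2P = production DB2 subsystem, TESTBASE = RACF
//* user or group the test-data tool connects under. Replace both.
//*
//* Weak state this replaces: DSNR class inactive, or a generic
//* profile such as DB2P.* with UACC(READ), either of which lets
//* any RACF-defined ID (test-region batch and CICS IDs included)
//* open a DRDA connection to production.
//*
//* Order matters: activate the class, define the profile closed,
//* grant the single exception, then refresh the RACLISTed class
//* so DB2 picks up the change without a restart. The final RLIST
//* prints UACC and the access list so the result can be checked.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  SETROPTS CLASSACT(DSNR) RACLIST(DSNR)
  RDEFINE  DSNR (DB2P.DIST) UACC(NONE) AUDIT(ALL(READ))
  PERMIT   DB2P.DIST CLASS(DSNR) ID(TESTBASE) ACCESS(READ)
  SETROPTS RACLIST(DSNR) REFRESH
  RLIST    DSNR DB2P.DIST AUTHUSER
/*
```

The RLIST output is the check: UACC should read NONE and the access list should contain only TESTBASE with READ. AUDIT(ALL(READ)) writes an SMF type 80 record for every successful and failed DDF connection attempt, which gives the audit trail that a manager's sign-off alone does not. The original question also covers batch and online access, and the same pattern applies to the other DSNR profiles: DB2P.BATCH gates TSO, CAF and batch attachment, DB2P.SASS gates CICS and DB2P.MASS gates IMS, so each should be reviewed rather than only the DIST profile. An RLF row with LUNAME = 'PUBLIC' in the DSNRLSTxx table, as Troy describes, can then further restrict what dynamic SQL the permitted connection may run, but it does not replace the connection check.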


Philip Gunning

Re: db2 v8 nfm, z/os 1.7
(in response to Troy Coleman)
John, most times we did not allow this, as it was used to get around testing in QA or test. We did use similar products (File-AID) to bring over subsets of data. That access was tightly controlled. Phil

Myron Miller

Re: db2 v8 nfm, z/os 1.7
(in response to Philip Gunning)
My client provides access fairly similarly, except that certain management within the applications area have update authority and can do whatever they desire to the data. They own the data with their users, so they should be able to change it.

Other than that, we allow programmers to copy from production to test, and to have read-only access to production, provided their management approves.

In addition, we provide a complete copy of many of the production tables in a test-controlled read-only environment daily (and another one in production for reporting only).

Myron


Ted MacNEIL

Re: db2 v8 nfm, z/os 1.7
(in response to Myron Miller)
>read-only access to production, provided their management approves.

What if their management has no idea about the exposure granting that access?
Not exactly a secure process!

-
Too busy driving to stop for gas!


John Amsden

Re: db2 v8 nfm, z/os 1.7
(in response to Ted MacNEIL)
Many thanks for all the replies. What a great resource!


Myron Miller

Re: db2 v8 nfm, z/os 1.7
(in response to John Amsden)
Somebody has to be responsible somewhere. Audits follow the access, as well as other checks and balances. But I suppose one can always assume to trust nobody anywhere. Then in that case, don't provide any access to the users either; after all, who knows the exposure that they can create.

After all, the best security is that which no one can access, period. Never trust anybody.


Ted MacNEIL

Re: db2 v8 nfm, z/os 1.7
(in response to Myron Miller)
>But I suppose one can always assume to trust nobody anywhere.  Then in that case, don't provide any access to the users either, after all who knows the exposure that they can create.

I realise that, but I got RACF Audit once because my manager didn't even know what it meant.
He was a non-mainframer, and didn't even realise I could change audit options.

There needs to be a stronger control than using a manager's approval.
-
Too busy driving to stop for gas!


Raymond Bell

Re: db2 v8 nfm, z/os 1.7
(in response to Ted MacNEIL)
I don't trust you, Myron. But do you trust that I don't trust you? Ah,
forgeddaboudit. I'm just getting my shots in early as I'm mostly out of
the office tomorrow.

Cheers,

Raymond

PS. You haven't seen me, right?


Cathy Taddei

Re: db2 v8 nfm, z/os 1.7
(in response to Raymond Bell)
Once upon a time this was true in many shops. I can't speak for other shops, but since Sarbanes-Oxley, our managers take their approval authorities very seriously. If they don't understand what a request is for, they ask before they approve.

-----Original Message-----
From: DB2 Data Base Discussion List On Behalf Of Ted MacNEIL
Sent: Wednesday, July 16, 2008 6:13 PM
Subject: Re: db2 v8 nfm, z/os 1.7

>But I suppose one can always assume to trust nobody anywhere. Then in that case, don't provide any access to the users either, after all who knows the exposure that they can create.

I realise that, but I got RACF Audit once because my manager didn't even know what it meant.
He was a non-mainframer, and didn't even realise I could change audit options.

There needs to be a stronger control than using a manager's approval.
-
Too busy driving to stop for gas!



Myron Miller

Re: db2 v8 nfm, z/os 1.7
(in response to Cathy Taddei)
Was the management aware of the new security legal requirements in this and most countries where they could be held personally legally responsible if they knowingly violated generally accepted security practices? And was this before Sarbanes-Oxley? Nowadays any manager that does things like this is really asking for trouble if they don't fully understand the ramifications of the security items they're approving. Jail time or civil suits are not something to pass off lightly.

Myron


Ted MacNEIL

Re: db2 v8 nfm, z/os 1.7
(in response to Myron Miller)
This was in 2006.
Well after SOX.
I was/am in Canada, he was/is in Santa Ana, CA.
I told him why I needed it, not what it did.
It also blew right by our security team and our auditors.

-
Too busy driving to stop for gas!


Cathy Taddei

Re: db2 v8 nfm, z/os 1.7
(in response to Ted MacNEIL)
Sounds like you did your manager a disservice by failing to explain the full ramifications of your request. You can't blame your manager when you withhold information from him/her. I would have explained the risk and offered possible compensating controls (extra reporting, etc.) to mitigate that risk.


Ted MacNEIL

Re: db2 v8 nfm, z/os 1.7
(in response to Cathy Taddei)
>Sounds like you did your manager a disservice by failing to explain the full ramifications of your request.  You can't blame your manager when you withhold information from him/her.  I would have explained the risk and offered possible compensating controls (extra reporting, etc.) to mitigate that risk.


I did all that, but it still should have been checked by our admins and auditors.
I tried to explain it to him, but he either didn't want to understand, or was afraid to admit his ignorance.
I needed audit to quickly test and install VANGUARD, and I knew the power of the attribute, so I wasn't going to abuse it.
I also requested the removal of the attribute as soon as the project was completed.

My point was not about disservice, or abuse of power; rather that a manager's approval is not necessarily safe.
-
Too busy driving to stop for gas!


Nick Dordea

Re: db2 v8 nfm, z/os 1.7
(in response to Ted MacNEIL)
Where's the beef? Where's DB2? Could you switch to private emailing please?

