Auditors don't like anything they can't stub their toe on. I have the scars to prove it.
On Fri, Mar 5, 2010 at 10:52 AM, Staller, Allan <[email protected]> wrote:

> At the end of the day, this discussion comes down to business
> requirements. Many institutions, due to audit, regulatory, or industry
> standards, need to separate SANDBOX/DEV/TEST/QA/PROD. This can be done at
> the administrative level (1 big LPAR with all information (OS testing
> excluded)), or at the image level (separate LPARs for each), z/VM guests, or
> anything in between.
>
> The trick in the single image environment is proving that the
> non-production user CANNOT access production data, which will be a
> concern for even the most incompetent of auditors. Yes, this can be
> accomplished, but how many auditors will understand the nuances of
> RACF/ACF2/TS enough to even test the premise? Not to mention the
> administrative overhead required to establish, document, and maintain
> the separation of the environments within a single image.
>
> A separate LPAR (or guest) can be easily defended (with backup doc from
> IBM and others) by saying "This LPAR cannot access that LPAR's data
> unless explicitly allowed". Most auditors can understand and test that
> premise, even if they are not security experts.
>
> In other words, whatever works best for your business is the method you
> should use.
>
> Just my 0.02 USD worth,
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
>

--
George Henke
(C) 845 401 5614

