Timothy, I always enjoy your well reasoned points. I could sign on to many of them if I were in an environment with the resources and talents you listed. I am in a small shop where mainframe support is Me and The Other Guy.

z/CX is a dream. A "dedicated, centralized security operations team" that is capable is another dream. Me and The Other Guy have spent years just getting them to agree to clean out users that have never logged on or last logged on in the 1990s. Asking for anything 'quick' could lead to a multi-week delay. How they pass external audits is a mystery to me. Same sort of response window from our Virtual Machine teams (it is Him and His Other Guy). Too overloaded to respond. Five months to get the two GKLM VMs at home and DR sites. Most things related to making progress are based on either pressure from bosses or trading favors in smoke-filled rooms.

My world devolves into a lot of "break glass" scenarios so we can respond when needed, not when we have completed the obstacle course to success. We do our best with separated passwords stored off site and encrypted. We do have 'functional groups' where we can connect and disconnect staff in accordance with their duties. The RACF database is set up to support this across applications, but the security staff still build each new user by hand or by randomly copying some other user. This can leave side-by-side workers with the same task but variant security access. This is one of the cores of my 'Security begins at home', particularly if you have no trust in 'away'.

Thanks again for a glimpse into the promised land of a place where mainframes are respected and valued.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN