Carol discusses the characteristics she’s observed over the years that are indications an organization isn’t taking IBM i security as seriously as it should.

By Carol Woodbury

I’ve seen the entire range of IBM i organizations when it comes to implementing security. There are organizations that have implemented “deny by default” and “least privilege access” postures such that, when I do a penetration test, I have little to no success in attaining access when I shouldn’t. Then there are organizations that are still running at QSECURITY level 20, where all profiles have *ALLOBJ—but at least they’re asking for help and are moving in the right direction. Unfortunately, and to put it bluntly, not all organizations care about IBM i security. Here are the characteristics I’ve observed over the years that indicate to me that an organization isn’t serious about attaining a secure IBM i.