A little background... I am new to the compliance and auditing field and recently introduced to the AS/400 system and I am constantly seeing in best practice environments that the CLI be restricted from most users and or at least limited capabilities set to *YES.
To the point... The system administrator for the AS400 is adamant that the current menu structure security method is sufficient without restricting the CLI or changing the setting limited capabilities to *YES.
My question, is there a way to prove or disprove the menu control is sufficient to secure the system? Additionally, I have reservations that the sole administrator has all special authorities, is that unjustified or what is the recommended special authorities for the system administrator?