Thanks, Chris. Not fear of the unknown, to my thinking. More of a "what if" discussion and following the logical chain of access and rights when people get a fancy new tool to use, and how to get controls around it.
There were no controls like SMP/E jobs that only authorized users can run. The offhanded way it was talked about, the ease of use, the slick install and run, was a selling point. They use FTP to a loadlib specified in the GUI. Slip a CD in and fill in a few blanks, click install, when done, click on the new icon on your desktop, begin your work, just as easy as installing a PC package.

Your mainframe now has new code on it in a library your DBA has access to. Your DBA has a new icon on their desktop, with access to any data on your mainframe they would have access to. More importantly, their >>PC<< and all the processes running on it have access to that data. Did something more sinister get access, too? Where in your change control procedures are there the checks and balances to keep this from being an exposure?

With SMP/E jobs some level of control is there, you get to track what goes in and where, and your auditors are what passes for "happy" for them. With this, the user is happy as they get to bypass normal channels.

Maybe my paranoia is up, but when this topic was covered in a "Lunch and Learn" as a selling point for this vendor's software, the other Nissan employee in the room and I looked at each other and realized we had exposures here. Others may not see it as an issue, but I'm putting together ideas on how to control this sort of thing. How many people get a CD, pop it in, do what it says, and don't even think about the ramifications? How much is the much-ballyhooed encryption going to help you if you now have this sort of thing going in? Maybe most of my data isn't as interesting as some others' might be.

I thought I'd bring it up, see what you all thought, and see if anyone else was mobilizing on controls, etc. As I haven't seen things like this before I thought I'd ask.

Thanks all for your input,
/ptd

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Craddock, Chris
Sent: Friday, June 24, 2005 6:19 AM
To: [email protected]
Subject: Re: GUI Install Procedure for ISV Mainframe Software

> The idea of programmers installing software via CD into product
> libraries they have access to scares the willies out of me. It is one
> of two issues I have with this.

I can see some fear of the unknown, but I don't see any reason for panic. If your shop controls access to production libraries then there's nothing a user can do from FTP that they can't do from TSO/ISPF. There is no black magic behind the FTP curtain.

...snip...

