I hope your auditors never visit a shop I am at. They are not worth the money. 
My auditors use tools that identify each active user SVC, non-user SVCs that 
IBM has not supplied, and all SVCs that have been updated. 
Vendors must certify that the SVC does not override the problem state 
protection or provide source for the SVC.
Yes, we have dropped vendors for lack of compliance.

All opinions expressed by me are mine and may not agree with my employer or any 
person, company, or thing, living or dead, on or near this or any other planet, 
moon, asteroid, or other spatial object, natural or manufactured, since the 
beginning of time.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Ted MacNEIL
Sent: Friday, April 22, 2011 12:43 PM
To: [email protected]
Subject: EXTERNAL: Re: Mixing Auth and Non-Auth Modules

>You must not have auditors.

This is not an audit issue.

>This is a security breach waiting to happen.

Auditors can only monitor procedures.
And, they can only point out issues that SMEs have identified.

>How do you prevent someone from calling their program the same name as one in 
>the internal table?

That's the third part: compliance.
-
Ted MacNEIL
[email protected]
Twitter: @TedMacNEIL

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
