On Mon, 6 Mar 2006 20:54:15 -0600, Laura Prill <[EMAIL PROTECTED]> wrote:
>Thanks for all the comments so far. This third-party product has its own
>segregated CSIs, which is a good thing. But the product includes APF-
>authorized libraries and SVCs, which is a bad thing. I suppose we could
>implement some convoluted scheme whereby Systems has to install anything
>that touches those modules, but in my mind it seems to be more trouble
>than it's worth. I really just wondered if anyone out there was allowing
>SMP/E use outside of Systems, period!

APF libraries and SVCs ought to have enough Red Flags attached to them for you to take the request to your organization's risk management group for review. Failing such a group, see your friendly neighborhood auditor.

The issues are:

How can you verify that the SVC and APF modules in the load libraries are, in fact, the modules produced by the SMP/E audit trails?

What controls are in place to keep a user (any user) from updating the libraries OUTSIDE of SMP/E's control?

What controls exist to prohibit a rogue APAR/PTF/USERMOD (or FMID for that matter) from altering any module in a manner unsupported by the vendor?

Can you verify that every SMP/E process has all of the appropriate SMPLOG files available for review?

Failing all of that... is your resume up-to-date and offline?

--
Tom Schmidt
Madison, WI
(Yes, I have been asked those questions by auditor(s) before.)

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

