On 9/20/2006 3:25 AM, R.S. wrote:
> I think the problem would be relieved (without re-design) by supplying
> a complete list of AUTHPGM'd programs from IBM. Or claim that any IBM
> AC(1) program can be safely put on AUTHPGM list. Otherwise it is hard to
> answer auditors' questions "why .... is on the list".
> Since it's not clearly documented (is it?), it can cause doubts and
> questions.

IBM ships an IKJTSO00 with our set of programs listed in AUTHPGM. If
the auditor asks you a question, you merely need to see whether the
program is one we put in the list upon installation or one you added.

For the second case you should have good documentation on why you added
the program to the list.

For the first case, tell them that they should be asking IBM, not you.
And you might also suggest that removing the item from the list could
cause disruption to the customer community or other problems, and ask
them if they will pay the costs of any such disruption if they force you
to remove the programs.

Walt Farrell, CISSP
z/OS Security Design, IBM
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
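
The check described in the reply above (is an AUTHPGM entry one that came in the shipped IKJTSO00 or one added locally, and is each local addition documented?), as an added example that is not part of the original message and not IBM code. It assumes the shipped IKJTSO00 and the active IKJTSOxx member are available as text; the member contents, program names and the justification record below are constructed for illustration.

```python
import re

NAME = re.compile(r"[A-Z0-9@#$]+")  # characters valid in a program name

def authpgm_names(member: str) -> set[str]:
    """Program names in the AUTHPGM NAMES(...) statement of an IKJTSOxx member."""
    # Drop /* ... */ comments first: they may contain ')' and would end the list early.
    text = re.sub(r"/\*.*?\*/", " ", member, flags=re.S).upper()
    m = re.search(r"\bAUTHPGM\s+NAMES\s*\(([^)]*)\)", text)
    # '+' continuation marks are not name characters, so findall skips them.
    return set(NAME.findall(m.group(1))) if m else set()

def classify(shipped: str, installed: str, justifications: dict) -> dict:
    """Split the installed AUTHPGM list into IBM-shipped and locally added entries."""
    base, live = authpgm_names(shipped), authpgm_names(installed)
    local = live - base
    has_doc = lambda n: bool(justifications.get(n, "").strip())
    return {
        "ibm_shipped": sorted(live & base),           # refer questions to IBM
        "local_documented": sorted(n for n in local if has_doc(n)),
        "local_undocumented": sorted(n for n in local if not has_doc(n)),
        "removed_locally": sorted(base - live),       # shipped entries taken out
    }

# Constructed sample members; these are placeholder names, not IBM's shipped list.
SHIPPED_SAMPLE = """\
AUTHCMD NAMES(            /* authorized commands   */ +
   CMDAAA)
AUTHPGM NAMES(            /* authorized programs   */ +
   SHIPPGM1               /* constructed name      */ +
   SHIPPGM2               /* constructed name      */ +
   SHIPPGM3)
"""
INSTALLED_SAMPLE = """\
AUTHPGM NAMES(            /* authorized programs   */ +
   SHIPPGM1  SHIPPGM2     /* from shipped member   */ +
   LOCALPG1               /* vendor tool (doc'd)   */ +
   LOCALPG2)
"""
# Hypothetical local record of why each site addition was made.
JUSTIFICATIONS = {"LOCALPG1": "constructed change-record text"}

if __name__ == "__main__":
    report = classify(SHIPPED_SAMPLE, INSTALLED_SAMPLE, JUSTIFICATIONS)
    for bucket, names in report.items():
        print(f"{bucket:20} {' '.join(names) or '-'}")
```
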