Hi, if you can't get rid of the actual risk, such as CSA with key 8 in your case, or any other possible vulnerability, like APF-auth code, etc., you still have the opportunity to combat/cover the risk by corresponding fraud/misuse monitoring. Removing the software thus is not the last and only option.
We have had a lot of positive experience in satisfying auditors, stressed by SOX, PCI, and even more by Common Criteria requirements, with such a countermeasure; especially if you can prove effectiveness.

Best,
Stephen

Dr. Stephen Fedtke
www.enterprise-it-security.com