Respectfully, what you suggest is futile.   

A path that may (or may not) be worth pursuing is to try to pry loose exactly 
what the auditors really want. What I'm seeing is that the auditors perceive a 
potential exposure and then they try to come up with some way to mitigate the 
issue. Never mind that they have no idea how the stuff works. 

Something else you might try is to find out which Windows vulnerability they 
are addressing. This can sometimes help you understand what they are asking. 

If you can dig down to the root issue, you can sometimes gain value. That is, 
find an actual weakness and identify ways to mitigate that weakness.  

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Rick Fochtman
Sent: Thursday, June 04, 2009 12:39 PM
To: [email protected]
Subject: Re: RACF - CLASS(PROGRAM)

You should explain to your auditors: anyone can give any name they like 
to any program. The FUNCTION and CAPABILITIES of a program are FAR more 
important than the name. Is it APF authorized? Is the loadlib APF 
authorized? Without proper authorization, with respect to z/OS rules, 
it's not very likely to compromise anything other than the programmer 
who MIGHT have included malicious content. (CAN HIS ASS.) Like 
Shakespeare said, "A rose by any other name would smell as sweet."

Next step: find auditors that are computer-literate, so that they can 
understand these "nuances". :-)

Mark Baron wrote:

>Rick - 
>
>Your analysis is exactly correct - that is precisely what we have been asked
>to do (by the auditors).
>
>Thanks for confirming my suspicions.
>
>Mark
>


