In my experience, many, if not most, auditors "trigger" on program name, rather than asking about function and capabilities. Somebody told them that XYZ is a bad program, therefore, any program of that name is bad, without regard to where it's located or its actual function/capabilities.

Hal Merritt wrote:

Respectfully, what you suggest is futile. A path that may (or may not) be worth pursuing is to try to pry loose exactly what the auditors really want. What I'm seeing is that the auditors perceive a potential exposure and then they try to come up with some way to mitigate the issue. Never mind that they have no idea how the stuff works. Something else you might try is to find out which Windows vulnerability they are addressing. This can sometimes help you understand what they are asking. If you can dig down to the root issue, you can sometimes gain value. That is, find an actual weakness and identify ways to mitigate that weakness.
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of 
Rick Fochtman
Sent: Thursday, June 04, 2009 12:39 PM
To: [email protected]
Subject: Re: RACF - CLASS(PROGRAM)

You should explain to your auditors: anyone can give any name they like to any program. The FUNCTION and CAPABILITIES of a program are FAR more important than the name. Is it APF authorized? Is the loadlib APF authorized? Without proper authorization, with respect to z/OS rules, it's not very likely to compromise anything other than the programmer who MIGHT have included malicious content. (CAN HIS ASS.) Like Shakespeare said, "A rose by any other name would smell as sweet."

Next step: find auditors that are computer-literate, so that they can understand these "nuances". :-)

Mark Baron wrote:

Rick -
Your analysis is exactly correct - that is precisely what we have been asked
to do (by the auditors).

Thanks for confirming my suspicions.

Mark




----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


--
Rick
--
Remember that if you're not the lead dog, the view never changes.



