Allan Staller has put you on the right track - gather information from experts on what *is* considered best practices. This will be needed for the management response to this finding.
If you can, ask the auditor where this recommendation came from. Who is it that claims this is a best practice? Many on this list would agree that it is not. I have my suspicions that if anyone has made such a claim, they are not running z/OS. It surely can't be a documented practice at your site that you are failing to follow. Lacking any intelligent reply to the above, and if the finding stands, your management team will need to formulate their response to it. I have seen responses that ended up in a management request that a given auditor not return because of his incompetence. This finding rates right up there with the one we discussed here a while ago where the auditor wrote a finding for the mainframe server not running the corporate standard antivirus product. Both of these auditors need to find another line of work, as they are wasting their client's time. Tom Chicklon > Our auditors (Feds) say we need to apply all new PTF's within 30 days of > availability. I'm speechless. Does anyone have the patience to form a cogent > argument without laughing, crying, or tying one on? > > I told my boss that if I did that, we'd be about as stable as a windows PC. This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
