W dniu 2012-09-05 14:21, Greg Dorner pisze:
Man, the auditors came up with a new one!
"Gap noted. Automated controls to prevent the installation of
unapproved software were not documented."
So I have been assigned the task of researching how to provide
"Automated controls to prevent the installation of unapproved
software".
I'm hoping someone on the list has a clue to what could possibly do
this. My brain already hurts thinking about it. Just thinking
logically with my limited intellect tells me doing this is somewhat
close to impossible.
Any thoughts? I also accept rants and expletives.
1. The requirement is plain stupid. There is no reason to analyse case
like "Smith did bring and uploaded some CBT program". [*]
2. There is automated control: RACF or other security server. With
proper setup only authorized personnel is able to install the software
in terms of APF, SSI, proclib and parmlib members. I assume you have
your security server set up properly.
[*] Note: theorethically I can write 10 lines script, call it "software
product", copyright it and sell it for 10000000$ per machine (MIPS,
whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM
there are folks who are able to create text file/dataset. So, they are
able to upload my very copyrighted and extremely expensive (and possibly
dangerous) software product. Of course on some platforms, like z/OS a
product to be working, especially if it's considered as dangeours - do
need authorities like APF, etc. So, the product in the regular file is
NOT installed.
BTW: it need not do be script. I can put myprg.exe to a dataset.
--
Radoslaw Skorupka
Lodz, Poland
--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.
This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive.
BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax
+48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 0000025237, NIP: 526-021-50-88.
Według stanu na dzień 01.01.2012 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.410.984 złotych.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN