What about IP liability concerns?

On Sep 5, 2012, at 06:47, R.S. wrote:

> On 2012-09-05 14:21, Greg Dorner wrote:
>> Man, the auditors came up with a new one!
>> 
>> "Gap noted. Automated controls to prevent the installation of
>> unapproved software were not documented."
> 
> 1. The requirement is plain stupid. There is no reason to analyse a case like 
> "Smith did bring and uploaded some CBT program". [*]
> 2. There is automated control: RACF or other security server. With proper 
> setup only authorized personnel are able to install the software in terms of 
> APF, SSI, proclib and parmlib members. I assume you have your security server 
> set up properly.
> 
> 
> [*] Note: theorethically I can write 10 lines script, call it "software 
> product", copyright it and sell it for 10000000$ per machine (MIPS, 
> whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM there 
> are folks who are able to create text file/dataset. So, they are able to 
> upload my very copyrighted and extremely expensive (and possibly dangerous) 
> software product. Of course on some platforms, like z/OS a product to be 
> working, especially if it's considered as dangerous - do need authorities 
> like APF, etc. So, the product in the regular file is NOT installed.
> BTW: it need not be a script. I can put myprg.exe to a dataset.
>  
"theorethically"  Is that a portmanteau word?  (Your English is
good enough that it might be a deliberate construct.)

There's a genuine IP concern here.  An employee might bring in from
a former employer an SD RAM with a TSO TRANSMIT unloaded library
containing a licensed program product, not licensed at the new
site and expose the new employer to significant legal liability
with no need for particular authorization.

There might be an argument here for vendors' requiring APF
authorization of their products not because of any intrinsic
integrity concerns, but simply to force an audit of the
installation.  (But this might easily be bypassed with
AMASPZAP's changing one BC instruction.  Perhaps the auditor
should require that use of AMASPZAP be restricted.)

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
