I guess I'm getting ornery in my old age. I would reply, 'No users have Admin access on the mainframe.' Start of a whole new conversation.

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
[email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jerry Whitteridge
Sent: Monday, May 16, 2016 12:48 PM
To: [email protected]
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

I'd reply to the Auditor "Please define Admin access as there is no one privilege that grants all access"

Jerry Whitteridge
Manager Mainframe Systems & Storage
Albertsons - Safeway Inc.
925 738 9443
Corporate Tieline - 89443

If you feel in control you just aren't going fast enough.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Lester, Bob
Sent: Monday, May 16, 2016 12:40 PM
To: [email protected]
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

Hi All,

What would you make of this request: "Show me all the users that have admin. Access on the mainframe". ?

Thanks!
BobL

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Jerry Whitteridge
Sent: Monday, May 16, 2016 1:38 PM
To: [email protected]
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

[ EXTERNAL ]

And anyone that thinks Auditors don't set policy and rules hasn't worked in the commercial environment for a while. Let alone the fact of having to train PCI Auditors that the Mainframe isn't just a slightly bigger PC or Windows server.

Some shops could best be summarized as "What the Auditor Wants - The Auditor Gets (Even if it makes no sense at all)"

Even though John is absolutely correct on the implications of using SHA1 for the purposes of receiving patches - the knee jerk reaction is "SHA1 has been superseded as it's insecure - everyone must move to SHA2" (unsaid is even though it makes no sense for what the purpose is)

Jerry Whitteridge
Manager Mainframe Systems & Storage
Albertsons - Safeway Inc.
925 738 9443
Corporate Tieline - 89443

If you feel in control you just aren't going fast enough.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Dyck, Lionel B. (TRA)
Sent: Monday, May 16, 2016 12:26 PM
To: [email protected]
Subject: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

What's going to happen is that IBM will not support SHA-2 (or -3) and every shop with any degree of security (hipaa, sox, dod, ...) will cease to be able to use the internet delivery option.

Being told to create an RFE for something that is obvious is troubling and to be told that it doesn't matter is worse.

This is not my first shop where auditors dictate a higher level of security than most think required but they are following guidelines from someone higher up that can't be argued with.

Somehow I don't think I'm the first to raise this nor will I be the last.

--------------------------------------------------------------------------
Lionel B. Dyck
--- Opinions expressed are my own and not my employer ---

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Phil Smith III
Sent: Monday, May 16, 2016 10:48 AM
To: [email protected]
Subject: [EXTERNAL] Re: smp/e sha-2 support?

Charles Mills wrote:

>I suspect you've got a problem, however. There's a saying in sales "when you
>explain, you lose." I can hear auditors saying "SHA-1 -- no good -- security
>exposure" and I would not want to be the one explaining what you say below
>to them.

>Perhaps I underestimate IT auditors. I just know the "buzzword kneejerk"
>problem.

I reluctantly have to support this position (not because I don't generally agree with Charles, but because it flies in the face of reason).

"Trouble is, sheep are very dim. Once they get an idea in their 'eads, there's no shiftin' it."

Same applies to far too many auditors/QSAs/et al. SHA-1 is dead; "good enough" or not, there's no reason to use it any more, given that SHA-2 (and, hey, SHA-3!) exist, eh?

.phsiii
