Re: Preventing the installation of unapproved software
On Wed, 5 Sep 2012 10:50:25 -0500, Greg Dorner gdor...@wpsic.com wrote:

>> Will you pass these 'rants and expletives' to these auditors? :-D
>
> I will be passing them on to my manager. We are talking Federal auditors and billion dollar government contracts, so, no, I won't be telling the auditors anything. I let management (who are trained not to put their foot in their mouths) handle that. I may be a mainframe systems programmer, but I'm not suicidal yet. :-D
>
> Greg

Your managers are trained not to put their foot in their mouths. Amazing.
Re: Preventing the installation of unapproved software
MEAS is a product that can monitor SMP and file activity and alert when something happens. For more information see http://www.infosecinc.com/meas.php.
Re: Preventing the installation of unapproved software
On 2012-09-05 14:21, Greg Dorner wrote:

> Man, the auditors came up with a new one!
>
> Gap noted. Automated controls to prevent the installation of unapproved software were not documented.
>
> So I have been assigned the task of researching how to provide Automated controls to prevent the installation of unapproved software.
>
> I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.
>
> Any thoughts? I also accept rants and expletives.

1. The requirement is plain stupid. There is no reason to analyse a case like "Smith brought and uploaded some CBT program". [*]

2. There is an automated control: RACF or another security server. With proper setup only authorized personnel are able to install the software in terms of APF, SSI, proclib and parmlib members. I assume you have your security server set up properly.

[*] Note: theorethically I can write a 10-line script, call it a software product, copyright it and sell it for 1000$ per machine (MIPS, whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM - there are folks who are able to create a text file/dataset. So, they are able to upload my very copyrighted and extremely expensive (and possibly dangerous) software product. Of course on some platforms, like z/OS, for a product to work, especially if it's considered dangerous, it does need authorities like APF, etc. So, the product in the regular file is NOT installed.

BTW: it need not be a script. I can put myprg.exe to a dataset.

--
Radoslaw Skorupka
Lodz, Poland
Re: Preventing the installation of unapproved software
What about IP liability concerns?

On Sep 5, 2012, at 06:47, R.S. wrote:

> On 2012-09-05 14:21, Greg Dorner wrote:
>> Man, the auditors came up with a new one!
>>
>> Gap noted. Automated controls to prevent the installation of unapproved software were not documented.
>
> 1. The requirement is plain stupid. There is no reason to analyse a case like "Smith brought and uploaded some CBT program". [*]
>
> 2. There is an automated control: RACF or another security server. With proper setup only authorized personnel are able to install the software in terms of APF, SSI, proclib and parmlib members. I assume you have your security server set up properly.
>
> [*] Note: theorethically I can write a 10-line script, call it a software product, copyright it and sell it for 1000$ per machine (MIPS, whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM - there are folks who are able to create a text file/dataset. So, they are able to upload my very copyrighted and extremely expensive (and possibly dangerous) software product. Of course on some platforms, like z/OS, for a product to work, especially if it's considered dangerous, it does need authorities like APF, etc. So, the product in the regular file is NOT installed.
>
> BTW: it need not be a script. I can put myprg.exe to a dataset.

> theorethically

Is that a portmanteau word? (Your English is good enough that it might be a deliberate construct.)

There's a genuine IP concern here. An employee might bring in from a former employer an SD RAM with a TSO TRANSMIT unloaded library containing a licensed program product, not licensed at the new site and expose the new employer to significant legal liability with no need for particular authorization.

There might be an argument here for vendors' requiring APF authorization of their products not because of any intrinsic integrity concerns, but simply to force an audit of the installation. (But this might easily be bypassed with AMASPZAP's changing one BC instruction. Perhaps the auditor should require that use of AMASPZAP be restricted.)

-- gil
Re: Preventing the installation of unapproved software
You have to show the whole picture of security involved in z/OS.

1) The instruction set is broken into general, semi-privileged and privileged.
2) The operating system has RACF, or equivalent, to control who can put what in what libraries and data sets.
3) Data sets (read as libraries) control the level of instructions and functions that can execute.
4) If a user can put an 'unapproved' program in a library, but can't use it, is it a risk?

The trick is to show that there are required procedures that must be followed to get programs into a situation that could be 'dangerous' to the system.

Of course, you could write a program that scans every PDS/PDSE and verifies that every program is on an approved list, but then how do you verify that someone didn't put a 'bad' program with a 'good' name in a library? Of course your checker program could use a CRC check and verify what is there is what you think it should be, but what do you do when maintenance is applied?

Send the question back to them. What product or system is available for you to use to do what they want?

Chris Blaicher
Senior Software Engineer, Software Services
Syncsort Incorporated
50 Tice Boulevard, Woodcliff Lake, NJ 07677
P: 201-930-8260 | M: 512-627-3803
E: cblaic...@syncsort.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Greg Dorner
Sent: Wednesday, September 05, 2012 7:22 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Preventing the installation of unapproved software

Man, the auditors came up with a new one!

Gap noted. Automated controls to prevent the installation of unapproved software were not documented.

So I have been assigned the task of researching how to provide Automated controls to prevent the installation of unapproved software.

I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.

Any thoughts? I also accept rants and expletives.
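The checker described in the message above, as an added example that is not part of the thread: it compares library members against an approved list by name and by content digest, and takes maintenance from an approved change record instead of re-hashing the live library. SHA-256 stands in for the CRC, and the library names, member contents and change-record layout are constructed assumptions; reading real PDS/PDSE members is not shown.

```python
import hashlib

# Constructed sample data: library name -> member name -> member contents.
# Names and contents are hypothetical stand-ins for load modules in a PDS/PDSE.
LIBRARIES = {
    "PROD.LOADLIB": {
        "PAYROLL": b"payroll module v1",
        "BILLING": b"billing module v1",
    },
}


def digest(content):
    """SHA-256 is used in place of the CRC mentioned in the thread: a CRC
    detects accidental change but is easy to match on purpose."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(libraries):
    """Approved list keyed on (library, member) -> digest of approved content."""
    return {
        (lib, mem): digest(data)
        for lib, members in libraries.items()
        for mem, data in members.items()
    }


def apply_change_record(baseline, record):
    """Maintenance: take new digests only from an approved change record
    (computed from the install package), never from the live library."""
    if not record.get("approved_by"):
        raise ValueError("change record %s has no approver" % record["id"])
    updated = dict(baseline)
    for key, new_digest in record["members"].items():
        if new_digest is None:
            updated.pop(key, None)      # member retired by this change
        else:
            updated[key] = new_digest
    return updated


def scan(libraries, baseline, name_only=False):
    """Return sorted (library, member, status) findings.

    name_only=True models the approved-list-by-name check; the default
    also compares content, which catches a 'bad' program with a 'good' name.
    """
    findings = []
    seen = set()
    for lib, members in libraries.items():
        for mem, data in members.items():
            key = (lib, mem)
            seen.add(key)
            if key not in baseline:
                status = "UNAPPROVED"
            elif name_only or baseline[key] == digest(data):
                status = "APPROVED"
            else:
                status = "CHANGED"
            findings.append((lib, mem, status))
    for lib, mem in baseline.keys() - seen:
        findings.append((lib, mem, "MISSING"))
    return sorted(findings)


def demo():
    baseline = build_baseline(LIBRARIES)
    live = {"PROD.LOADLIB": dict(LIBRARIES["PROD.LOADLIB"])}
    live["PROD.LOADLIB"]["PAYROLL"] = b"payroll module v2"  # approved maintenance
    live["PROD.LOADLIB"]["BILLING"] = b"something else"     # 'good' name, other content
    live["PROD.LOADLIB"]["MYTOOL"] = b"one-off utility"     # not on the approved list
    record = {  # constructed change record
        "id": "CHG-EXAMPLE-1",
        "approved_by": "change-board",
        "members": {("PROD.LOADLIB", "PAYROLL"): digest(b"payroll module v2")},
    }
    baseline = apply_change_record(baseline, record)
    return scan(live, baseline, name_only=True), scan(live, baseline)


if __name__ == "__main__":
    for label, result in zip(("name only", "name + digest"), demo()):
        print(label, result)
```
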
Re: Preventing the installation of unapproved software
On 2012-09-05 15:16, Paul Gilmartin wrote:

> There's a genuine IP concern here. An employee might bring in from a former employer an SD RAM with a TSO TRANSMIT unloaded library containing a licensed program product, not licensed at the new site and expose the new employer to significant legal liability with no need for particular authorization.

That's the point: As I wrote, an employee can always bring some licensed software, which is not licensed at the new site. Bring could mean:

a) install by running setup.exe on his workstation (assumed administrator rights)
b) simply upload files to the host/server, but not install. Note: some software can be used without any special authorities, just it could be enough to create a file.
c) bring to the office installation media: a tape, a CD, maybe a USB stick. It could be an illegal copy. Even stolen.

So, from the IP point of view, the only thing which can be controlled is the use of administrator rights. Cases b) and c) are out of control and should not be considered as real use of the software.

BTW: What about pedophile porn pictures and movies? How can we control it? Maybe your cow-worker keeps some of these pictures as members of JSMITH.COBOL.VAR.OBJECT library? Is it time to close all the shops, revoke any access? We knew, an unpowered computer is the most secure one.

--
Radoslaw Skorupka
Lodz, Poland
Re: Preventing the installation of unapproved software
On Sep 5, 2012, at 8:16 AM, Paul Gilmartin paulgboul...@aim.com wrote:

> Perhaps the auditor should require that use of AMASPZAP be restricted.

We've restricted AMASPZAP since before I started working for the University.

We had a fun auditor request the other day. As a result of one request, one of my colleagues sent the auditors a screen shot of the results of running the ACCOUNT LISTI command. The auditors sent back another request asking who was responsible for the IKJ56590I account.

--
Curtis Pew (c@its.utexas.edu)
ITS Systems Core
The University of Texas at Austin
Re: Preventing the installation of unapproved software
I strongly encourage programmers to write 'throwaway' programs that investigate the files associated with a system. The idea is to obtain answers to such questions as

o How many As? How many Bs?
o More Ds than Es after controlling for Cs?

that characterize the objects being manipulated by a system. Answers to such questions are often crucial to making good design/implementation decisions, and the notion that only official, 'approved' programs should be in use is at war with the use of such investigational programs.

What needs to be understood here, and in many such situations, is that every organization has its own survival and aggrandisement as a primary objective. Auditors generate, among others, specious requirements that are obstacles to IT performance. Many of the programs of the American DEA are obstacles to any resolution of 'the war on drugs'. Etc., etc. These deleterious initiatives help to perpetuate the organizations that advance them.

John Gilmore, Ashland, MA 01721 - USA
Re: Preventing the installation of unapproved software
Is this application software developed in house? ISV updates? What?

Check out ISPW or SysChange tools.

Mitch McCluhan

-----Original Message-----
From: Greg Dorner gdor...@wpsic.com
To: IBM-MAIN IBM-MAIN@LISTSERV.UA.EDU
Sent: Wed, Sep 5, 2012 5:21 am
Subject: Preventing the installation of unapproved software

Man, the auditors came up with a new one!

Gap noted. Automated controls to prevent the installation of unapproved software were not documented.

So I have been assigned the task of researching how to provide Automated controls to prevent the installation of unapproved software.

I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.

Any thoughts? I also accept rants and expletives.
Re: Preventing the installation of unapproved software
> I *HATE* checklist auditors. This sounds like a WINTEL based checklist

It does indeed sound like the auditor is applying Wintel security principles to a mainframe system.

The right questions to ask re mainframe security are:

(1) Are the users properly authenticated?
(2) Is the data properly protected by security manager profiles?
(3) Is the connection between user groups and data security profiles properly set up and managed?
(4) Is there any way that the data security protection can be circumvented? This is where one aspect of unauthorized programs arises (e.g. APF authorization).
(5) Is there proper management of the application production libraries including controls over who can modify these libraries? This is where a second aspect of unauthorized programs arises.

If the auditor is thinking that some one-off COBOL program or REXX script sitting in a TSO user's own library is a danger, then he/she is not qualified.

John
Re: Preventing the installation of unapproved software
On Wed, 5 Sep 2012 13:51:24 +, Pew, Curtis G wrote:

> We've restricted AMASPZAP since before I started working for the University.

Seriously.

-- gil
Re: Preventing the installation of unapproved software
Greg Dorner wrote:

> Man, the auditors came up with a new one!
>
> Gap noted. Automated controls to prevent the installation of unapproved software were not documented.

DANGER! ALARM! EVACUATE! START DRP! GAP NOTED IN AUDITORS BRAIN CELLS! ;-D

After reading all those threads: I have one request for you: Ask them to give EXAMPLE(s) of 'Automated controls' as well as Documentation from IBM themselves including 'Statement of Integrity'.

Oh, please define these words in this context: 'prevent', 'installation' and 'unapproved'. This is not that I'm being funny, but you will get a baseline to work with.

That will shut them up for a while, while they fill up their gaps.

For myself, I should be courtmartialed and fired for doing 'things' on my z/OS toy... (Writing programs in many different languages for 1001 things, upload CBT programs, installing and testing products, inventing custom RACF admin chores and reporting, assisting all my teams in 1001 things... etc.)

> Any thoughts? I also accept rants and expletives.

Will you pass these 'rants and expletives' to these auditors? :-D

Groete / Greetings
Elardus Engelbrecht
Re: Preventing the installation of unapproved software
Radoslaw Skorupka wrote:

> BTW: What about pedophile porn pictures and movies? How can we control it? Maybe your cow-worker keeps some of these pictures as members of JSMITH.COBOL.VAR.OBJECT library?

Ahem, how did you know that dataset and its contents? ;-D

hm. ;-D No, I'm just joking, but seriously, you have asked a very good question how can it be controlled?

As it was repeatedly said, switch the machine off and be safe!

Groete / Greetings
Elardus Engelbrecht
Re: Preventing the installation of unapproved software
> Will you pass these 'rants and expletives' to these auditors? :-D

I will be passing them on to my manager. We are talking Federal auditors and billion dollar government contracts, so, no, I won't be telling the auditors anything. I let management (who are trained not to put their foot in their mouths) handle that. I may be a mainframe systems programmer, but I'm not suicidal yet. :-D

Greg
Re: Preventing the installation of unapproved software
Greg,

I've always believed the mainframe allows the installation of software with the ability to certify only authorized data access is allowed via RACF (or equivalent), access to potentially harmful actions against the OS must be granted (APF or otherwise), and all access is (or at least should be) monitored / logged via SMF, as stated in the certification document replies.

rant
It seems to me this is the workstation / server audit question of the form "can you harden the mainframe?" The answer is, if WinDoze was as good as the mainframe, this question would never have to be asked for any platform in the first place. Concerning protection of the environment and data: unapproved software is not an issue.
/rant

The concern with unapproved software might be the licensing. This would seem to give the auditors some traction. What would stop me from bringing a bootleg copy of some software in-house (if it doesn't require a CPU key) and using it? Of course, the company would be at risk of loss without some key / expiration ability, but that is not a requirement to be able to run. The company or government entity would be under a legal obligation for running unlicensed software.

Chip Grantham | Ameritas | Sr. IT Consultant | cgrant...@ameritas.com
5900 O Street, Lincoln NE 68510 | p: 402-467-7382 | c: 402-429-3579 | f: 402-325-4030

From: Greg Dorner gdor...@wpsic.com
To: IBM-MAIN@LISTSERV.UA.EDU
Date: 09/05/2012 10:50 AM
Subject: Re: Preventing the installation of unapproved software
Sent by: IBM Mainframe Discussion List IBM-MAIN@LISTSERV.UA.EDU

> Will you pass these 'rants and expletives' to these auditors? :-D

I will be passing them on to my manager. We are talking Federal auditors and billion dollar government contracts, so, no, I won't be telling the auditors anything. I let management (who are trained not to put their foot in their mouths) handle that. I may be a mainframe systems programmer, but I'm not suicidal yet. :-D

Greg
Re: Preventing the installation of unapproved software
On Wed, 5 Sep 2012 16:59:16 +0100, haralder haralder wrote:

> We explained to our auditor that the software installation tool in z/OS is SMP/E, which is protected by the GIM.* profile in the FACILITY class in our RACF. We printed the accesses for that profile and they were satisfied enough after we explained that the admins don't need UPDATE but READ access to install software.

Ah, so you can thank IBM for not fixing that integrity exposure circa April, 2010.

And the auditors understood why READ but not UPDATE access sufficed.

And you didn't mention to them that SMP/E could be bypassed using IEBCOPY directly, and leaving far less audit trail.

-- gil
Re: Preventing the installation of unapproved software
Sounds like these auditors are smoking funny cigarettes ...and not sharing ...

Scott J Ford
Software Engineer
http://www.identityforge.com/

From: Elardus Engelbrecht elardus.engelbre...@sita.co.za
To: IBM-MAIN@LISTSERV.UA.EDU
Sent: Wednesday, September 5, 2012 11:37 AM
Subject: Re: Preventing the installation of unapproved software

Greg Dorner wrote:

> Man, the auditors came up with a new one!
>
> Gap noted. Automated controls to prevent the installation of unapproved software were not documented.

DANGER! ALARM! EVACUATE! START DRP! GAP NOTED IN AUDITORS BRAIN CELLS! ;-D

After reading all those threads: I have one request for you: Ask them to give EXAMPLE(s) of 'Automated controls' as well as Documentation from IBM themselves including 'Statement of Integrity'.

Oh, please define these words in this context: 'prevent', 'installation' and 'unapproved'. This is not that I'm being funny, but you will get a baseline to work with.

That will shut them up for a while, while they fill up their gaps.

For myself, I should be courtmartialed and fired for doing 'things' on my z/OS toy... (Writing programs in many different languages for 1001 things, upload CBT programs, installing and testing products, inventing custom RACF admin chores and reporting, assisting all my teams in 1001 things... etc.)

> Any thoughts? I also accept rants and expletives.

Will you pass these 'rants and expletives' to these auditors? :-D

Groete / Greetings
Elardus Engelbrecht
Re: Preventing the installation of unapproved software
> Any thoughts? I also accept rants and expletives.

ok, here's a rant for you:

auditors: their only function in life is to show up on the battlefield after the battle, and shoot the wounded.

/s/ tuco bonno;
Graduate, College of Conflict Management;
University of SouthEast Asia;
I partied on the Ho Chi Minh Trail - tiến lên !!
Re: Preventing the installation of unapproved software
On 2012-09-05 17:50, Elardus Engelbrecht wrote:

> Radoslaw Skorupka wrote:
>> BTW: What about pedophile porn pictures and movies? How can we control it? Maybe your cow-worker keeps some of these pictures as members of JSMITH.COBOL.VAR.OBJECT library?
>
> Ahem, how did you know that dataset and its contents? ;-D

Haven't you heard about GUI based WSA?

BTW: I really met graphical files in PDS members. It was a content-neutral set of icons used by HTTP Server - a part of the STK/Sun/Oracle software suite for their tapes.

BTW: I made a typo above. COW-WORKER should be co-worker. No cows here.

--
Radoslaw Skorupka
Lodz, Poland
Re: Preventing the installation of unapproved software
In 50475f32.9050...@acm.org, on 09/05/2012 at 09:18 AM, Joel C. Ewing jcew...@acm.org said:

> and this is the only locally produced documentation that makes sense on z/OS,

While the auditors in question may be stark raving bonkers, there is other relevant documentation; change control procedures for production libraries.

> If they were competent auditors they would know this.

rara avis

> We were fortunate in that our corporation had its own audit department that interfaced with the annual external auditors and our auditors were fairly well versed in z/OS security concepts from interfacing with Technical Services over several decades. If the external auditors were ever totally clueless, we could reasonably expect our own auditors to recognize requests that didn't make sense in the context of the mainframe and side with us on suggesting sensible alternatives.

I'm jealous. I hope that management appreciates them.

--
Shmuel (Seymour J.) Metz, SysProg and JOAT
Atid/2 http://patriot.net/~shmuel
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)
Re: Preventing the installation of unapproved software
Implement a RACF program control rule - if that is really what they want you to do. You'll have everybody screaming, but you prevented the unauthorized execution of programs.

Jerry Whitteridge
Lead Systems Programmer
Safeway Inc.
925 951 4184

If you feel in control you just aren't going fast enough.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Greg Dorner
Sent: Wednesday, September 05, 2012 5:22 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Preventing the installation of unapproved software

Man, the auditors came up with a new one!

Gap noted. Automated controls to prevent the installation of unapproved software were not documented.

So I have been assigned the task of researching how to provide Automated controls to prevent the installation of unapproved software.

I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.

Any thoughts? I also accept rants and expletives.