Re: Preventing the installation of unapproved software

2012-09-06 Thread Jeff Holst
On Wed, 5 Sep 2012 10:50:25 -0500, Greg Dorner gdor...@wpsic.com wrote:

 Will you pass these 'rants and expletives' to these auditors? :-D

I will be passing them on to my manager. We are talking Federal auditors and 
billion dollar government contracts, so, no, I won't be telling the auditors 
anything. I let management (who are trained not to put their foot in their 
mouths) handle that. I may be a mainframe systems programmer, but I'm not 
suicidal yet. :-D 

Greg

Your managers are trained not to put their foot in their mouths. Amazing.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Preventing the installation of unapproved software

2012-09-06 Thread Donald Likens
MEAS is a product that can monitor SMP and file activity and alert when 
something happens. 

For more information see http://www.infosecinc.com/meas.php.



Re: Preventing the installation of unapproved software

2012-09-05 Thread R.S.

On 2012-09-05 14:21, Greg Dorner wrote:

Man, the auditors came up with a new one!

Gap noted. Automated controls to prevent the installation of
unapproved software were not documented.

So I have been assigned the task of researching how to provide
Automated controls to prevent the installation of unapproved
software.

I'm hoping someone on the list has a clue to what could possibly do
this. My brain already hurts thinking about it. Just thinking
logically with my limited intellect tells me doing this is somewhat
close to impossible.

Any thoughts? I also accept rants and expletives.


1. The requirement is plain stupid. There is no reason to analyse case 
like Smith did bring and uploaded some CBT program. [*]
2. There is automated control: RACF or other security server. With 
proper setup only authorized personnel is able to install the software 
in terms of APF, SSI, proclib and parmlib members. I assume you have 
your security server set up properly.



[*] Note: theorethically I can write 10 lines script, call it software 
product, copyright it and sell it for 1000$ per machine (MIPS, 
whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM 
there are folks who are able to create text file/dataset. So, they are 
able to upload my very copyrighted and extremely expensive (and possibly 
dangerous) software product. Of course on some platforms, like z/OS a 
product to be working, especially if it's considered as dangerous - do 
need authorities like APF, etc. So, the product in the regular file is 
NOT installed.

BTW: it need not be a script. I can put myprg.exe to a dataset.

--
Radoslaw Skorupka
Lodz, Poland








Re: Preventing the installation of unapproved software

2012-09-05 Thread Paul Gilmartin
What about IP liability concerns?

On Sep 5, 2012, at 06:47, R.S. wrote:

 On 2012-09-05 14:21, Greg Dorner wrote:
 Man, the auditors came up with a new one!
 
 Gap noted. Automated controls to prevent the installation of
 unapproved software were not documented.
 
 1. The requirement is plain stupid. There is no reason to analyse case like 
 Smith did bring and uploaded some CBT program. [*]
 2. There is automated control: RACF or other security server. With proper 
 setup only authorized personnel is able to install the software in terms of 
 APF, SSI, proclib and parmlib members. I assume you have your security server 
 set up properly.
 
 
 [*] Note: theorethically I can write 10 lines script, call it software 
 product, copyright it and sell it for 1000$ per machine (MIPS, 
 whatever). On every platform - MVS, Windows, Unix, Linux, VMS, VSE, VM there 
 are folks who are able to create text file/dataset. So, they are able to 
 upload my very copyrighted and extremely expensive (and possibly dangerous) 
 software product. Of course on some platforms, like z/OS a product to be 
 working, especially if it's considered as dangerous - do need authorities 
 like APF, etc. So, the product in the regular file is NOT installed.
 BTW: it need not be a script. I can put myprg.exe to a dataset.
  
theorethically  Is that a portmanteau word?  (Your English is
good enough that it might be a deliberate construct.)

There's a genuine IP concern here.  An employee might bring in from
a former employer an SD RAM with a TSO TRANSMIT unloaded library
containing a licensed program product, not licensed at the new
site and expose the new employer to significant legal liability
with no need for particular authorization.

There might be an argument here for vendors' requiring APF
authorization of their products not because of any intrinsic
integrity concerns, but simply to force an audit of the
installation.  (But this might easily be bypassed with
AMASPZAP's changing one BC instruction.  Perhaps the auditor
should require that use of AMASPZAP be restricted.)

-- gil



Re: Preventing the installation of unapproved software

2012-09-05 Thread Blaicher, Christopher Y.
You have to show the whole picture of security involved in z/OS.
1) The instruction set is broken into general, semi-privileged and privileged.
2) The operating system has RACF, or equivalent, to control who can put what in 
what libraries and data sets.
3) Data set (read as libraries) control the level of instructions and functions 
that can execute.
4) If a user can put an 'unapproved' program in a library, but can't use it, is 
it a risk?

The trick is to show that there are required procedures that must be followed 
to get programs into a situation that could be 'dangerous' to the system.

Of course, you could write a program that scans every PDS/PDSE and verifies 
that every program is on an approved list, but then how do you verify that 
someone didn't put a 'bad' program with a 'good' name in a library.  Of course 
your checker program could use a CRC check and verify what is there is what you 
think it should be, but what do you do when maintenance is applied?

Send the question back to them.  What product or system is available for you to 
use to do what they want?

Chris Blaicher
Senior Software Engineer, Software Services
Syncsort Incorporated
50 Tice Boulevard, Woodcliff Lake, NJ 07677
P: 201-930-8260  |  M: 512-627-3803
E: cblaic...@syncsort.com
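
The checker described in the message above (scan each library, compare against an approved list, catch a 'bad' program under a 'good' name, and cope with maintenance), as an added example that is not part of the original post or of any product. It uses SHA-256 in place of a CRC, because a CRC does not resist deliberate tampering, models library contents as an in-memory mapping, and accepts maintenance only through a hypothetical change record; the library, member and ticket names are constructed.

```python
import hashlib
from dataclasses import dataclass


def digest(content: bytes) -> str:
    """SHA-256 of a member's content (used here in place of a CRC)."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Finding:
    library: str
    member: str
    status: str  # UNAPPROVED, MODIFIED or MISSING


def build_baseline(inventory):
    """Approved list {(library, member): digest} taken from a trusted inventory."""
    return {(lib, mem): digest(data)
            for lib, members in inventory.items()
            for mem, data in members.items()}


def apply_change_record(baseline, record):
    """Fold approved maintenance into a copy of the baseline.

    record["updates"] maps (library, member) to the digest the change was
    approved to deliver, or to None when the member is being retired.
    A record without a ticket is rejected, so the approved list can only
    move through change control (hypothetical record format).
    """
    if not record.get("ticket"):
        raise ValueError("update has no change ticket; baseline unchanged")
    updated = dict(baseline)
    for key, new_digest in record["updates"].items():
        if new_digest is None:
            updated.pop(key, None)
        else:
            updated[key] = new_digest
    return updated


def audit(inventory, baseline):
    """Compare what is in the libraries with what was approved."""
    findings, seen = [], set()
    for lib in sorted(inventory):
        for mem in sorted(inventory[lib]):
            seen.add((lib, mem))
            expected = baseline.get((lib, mem))
            if expected is None:
                # Name is not on the approved list at all.
                findings.append(Finding(lib, mem, "UNAPPROVED"))
            elif digest(inventory[lib][mem]) != expected:
                # 'Good' name, but not the content that was approved.
                findings.append(Finding(lib, mem, "MODIFIED"))
    for lib, mem in sorted(set(baseline) - seen):
        findings.append(Finding(lib, mem, "MISSING"))
    return findings


# Constructed sample data: one library, contents reduced to short byte strings.
LIB = "PROD.LOADLIB"
APPROVED = {LIB: {"PAYCALC": b"payroll v1", "RPTGEN": b"report v1"}}
TAMPERED = {LIB: {"PAYCALC": b"payroll v1 + zap",   # good name, changed content
                  "RPTGEN": b"report v1",
                  "MYTOOL": b"one-off utility"}}    # not on the list
MAINTAINED = {LIB: {"PAYCALC": b"payroll v1", "RPTGEN": b"report v2"}}
CHANGE = {"ticket": "CHG-EXAMPLE-0001",
          "updates": {(LIB, "RPTGEN"): digest(b"report v2")}}

if __name__ == "__main__":
    baseline = build_baseline(APPROVED)
    for f in audit(TAMPERED, baseline):
        print("tampered  ", f.library, f.member, f.status)
    # Maintenance looks exactly like tampering until the change is recorded.
    for f in audit(MAINTAINED, baseline):
        print("unrecorded", f.library, f.member, f.status)
    rebased = apply_change_record(baseline, CHANGE)
    print("recorded  ", audit(MAINTAINED, rebased))
```

The maintenance question in the message is answered by process rather than by the scanner: the digest of a serviced member is only accepted when it arrives with a change record, so an unrecorded update and a tampered member are reported the same way.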



Re: Preventing the installation of unapproved software

2012-09-05 Thread R.S.

On 2012-09-05 15:16, Paul Gilmartin wrote:


There's a genuine IP concern here.  An employee might bring in from
a former employer an SD RAM with a TSO TRANSMIT unloaded library
containing a licensed program product, not licensed at the new
site and expose the new employer to significant legal liability
with no need for particular authorization.


That's the point: As I wrote, an employee can always bring some licensed 
software, which is not licensed at new site. Bring could mean:
a) install by running setup.exe on his workstation (assumed 
administrator rights)
b) simply upload files to the host/server, but not install. Note: some 
software can be used without any special authorities, just it could be 
enough to create a file.
c) bring to the office installation media: a tape, a CD, maybe USB 
stick. It could be illegal copy. Even stolen.


So, from IP point of view, the only thing which can be controlled is the 
use of administrator rights. Case b) and c) are out of control and 
should not be considered as real use of the software.


BTW: What about pedophile porn pictures and movies?
How can we control it? Maybe your cow-worker keeps some of these 
pictures as members of JSMITH.COBOL.VAR.OBJECT library?
Is it time to close all the shops, revoke any access? We knew, unpowered 
computer is the most secure one.



--
Radoslaw Skorupka
Lodz, Poland








Re: Preventing the installation of unapproved software

2012-09-05 Thread Pew, Curtis G
On Sep 5, 2012, at 8:16 AM, Paul Gilmartin paulgboul...@aim.com wrote:

 Perhaps the auditor
 should require that use of AMASPZAP be restricted.

We've restricted AMASPZAP since before I started working for the University.

We had a fun auditor request the other day. As a result of one request, one of 
my colleagues sent the auditors a screen shot of the results of running the 
ACCOUNT LISTI command. The auditors sent back another request asking who was 
responsible for the IKJ56590I account.

-- 
Curtis Pew (c@its.utexas.edu)
ITS Systems Core
The University of Texas at Austin



Re: Preventing the installation of unapproved software

2012-09-05 Thread John Gilmore
I strongly encourage programmers to write 'throwaway' programs that
investigate the files associated with a system.  The idea is to obtain
answers to such questions as

o How many As?  How many Bs?

o More Ds than Es after controlling for Cs?

that characterize the objects being manipulated by a system.

Answers to such questions are often crucial to making good
design/implementation decisions, and the notion that only official,
'approved' programs should be in use is at war with the use of such
investigational programs.

What needs to be understood here, and in many such situations, is that
every organization has its own survival and aggrandisement as a
primary objective.

Auditors generate, among others, specious requirements that are
obstacles to IT performance.  Many of the programs of the American DEA
are obstacles to any resolution of 'the war on drugs'.  Etc., etc.
These deleterious initiatives help to perpetuate the organizations
that advance them.

John Gilmore, Ashland, MA 01721 - USA



Re: Preventing the installation of unapproved software

2012-09-05 Thread Mitch
Is this application software developed in house?  ISV updates?  What?  Check 
out ISPW or SysChange tools.


Mitch McCluhan





Re: Preventing the installation of unapproved software

2012-09-05 Thread Roberts, John J
I *HATE* checklist auditors. This sounds like a WINTEL based checklist

It does indeed sound like the auditor is applying Wintel security principles 
to a mainframe system.

The right questions to ask re mainframe security are:
(1) Are the users properly authenticated?
(2) Is the data properly protected by security manager profiles?
(3) Is the connection between user groups and data security profiles properly 
setup and managed?
(4) Is there any way that the data security protection can be circumvented?  
This is where one aspect of unauthorized programs arises (e.g. APF 
authorization).
(5) Is there proper management of the application production libraries 
including  controls over who can modify these libraries?  This is where a 
second aspect of unauthorized programs arises.

If the auditor is thinking that some one-off COBOL program or REXX script 
sitting in a TSO user's own library is a danger, then he/she is not qualified.

John



Re: Preventing the installation of unapproved software

2012-09-05 Thread Paul Gilmartin
On Wed, 5 Sep 2012 13:51:24 +, Pew, Curtis G wrote:

We've restricted AMASPZAP since before I started working for the University.
 
Seriously.

-- gil



Re: Preventing the installation of unapproved software

2012-09-05 Thread Elardus Engelbrecht
Greg Dorner  wrote:

Man, the auditors came up with a new one! 

Gap noted. Automated controls to prevent the installation of unapproved 
software were not documented.

DANGER! ALARM! EVACUATE! START DRP! GAP NOTED IN AUDITORS BRAIN CELLS! ;-D

After reading all those threads: I have one request for you: Ask them to give 
EXAMPLE(s) of 'Automated controls' as well as Documentation from IBM themselves 
including 'Statement of Integrity'.

Oh, please define these words in this context: 'prevent', 'installation' and 
'unapproved'. This is not that I'm being funny, but you will get a baseline to 
work with.

That will shut them up for a while, while they fill up their gaps.

For myself, I should be courtmartialed and fired for doing 'things' on my z/OS 
toy... (Writing programs in many different languages for 1001 things, upload 
CBT programs, installing and testing products, inventing custom RACF admin 
chores and reporting, assisting all my teams in 1001 things... etc.)

Any thoughts? I also accept rants and expletives.

Will you pass these 'rants and expletives' to these auditors? :-D

Groete / Greetings
Elardus Engelbrecht



Re: Preventing the installation of unapproved software

2012-09-05 Thread Elardus Engelbrecht
Radoslaw Skorupka wrote:

BTW: What about pedophile porn pictures and movies? How can we control it? 
Maybe your cow-worker keeps some of these pictures as members of 

JSMITH.COBOL.VAR.OBJECT library?


Ahem, how did you know that dataset and its contents? ;-D

hm. ;-D


No, I'm just joking, but seriously, you have asked a very good question how can 
it be controlled? As it was repeatedly said, switch the machine off and be safe!

Groete / Greetings
Elardus Engelbrecht



Re: Preventing the installation of unapproved software

2012-09-05 Thread Greg Dorner
 Will you pass these 'rants and expletives' to these auditors? :-D

I will be passing them on to my manager. We are talking Federal auditors and 
billion dollar government contracts, so, no, I won't be telling the auditors 
anything. I let management (who are trained not to put their foot in their 
mouths) handle that. I may be a mainframe systems programmer, but I'm not 
suicidal yet. :-D 

Greg



Re: Preventing the installation of unapproved software

2012-09-05 Thread Chip Grantham
Greg, 

I've always believed the mainframe allows the installation of software 
with the ability to certify 
only authorized data access is allowed via RACF (or equivalent),
access to potentially harmful actions against the OS must be granted, (APF 
or otherwise),  and 
all access is (or at least should be) monitored / logged via SMF. 

as stated in the certification document replies. 

rant 
It seems to me this is the workstation / server audit question of the form 
can you harden the mainframe? The answer is, if WinDoze was as good as 
the mainframe, this question would never have to be asked for any platform 
in the first place. 
Concerning protection of the environment and data: unapproved software is 
not an issue. 
/rant 

The concern with unapproved software might be the licensing.  This would 
seem to give the auditors some traction. 

What would stop me from bringing a bootleg copy of some software in-house 
(if it doesn't require a CPU key) and using it?  Of course, the company 
would be at risk of loss without some key / expiration ability, but that 
is not a requirement to be able to run.  The company or government entity 
would be under a legal obligation for running unlicensed software. 

Chip Grantham  |  Ameritas  |  Sr. IT Consultant | cgrant...@ameritas.com 
5900 O Street, Lincoln NE 68510 | p: 402-467-7382 | c: 402-429-3579 | f: 
402-325-4030

 





Re: Preventing the installation of unapproved software

2012-09-05 Thread Paul Gilmartin
On Wed, 5 Sep 2012 16:59:16 +0100, haralder haralder wrote:

We explained our auditor that the software installation tool in z/OS is
SMP/E, which is protected by the GIM.* profile in the FACILITY class
in our RACF. We printed the accesses for that profile and they were
satisfied enough after we explained that the admins don't need UPDATE
but READ access to install software.
 
Ah, so you can thank IBM for not fixing that integrity exposure circa
April, 2010.

And the auditors understood why READ but not UPDATE access
sufficed.

And you didn't mention to them that SMP/E could be bypassed using
IEBCOPY directly, and leaving far less audit trail.

-- gil



Re: Preventing the installation of unapproved software

2012-09-05 Thread Scott Ford
Sounds like these auditors are smoking funny cigarettes ...and not sharing ...


Scott J Ford
Software Engineer
http://www.identityforge.com/
 
 




Re: Preventing the installation of unapproved software

2012-09-05 Thread Bonno, Tuco

 Any thoughts? I also accept rants and expletives. 

--  ok, here's a rant for you:

auditors: their only function in life is to show up on the battlefield after 
the battle, and shoot the wounded.


/s/ tuco bonno; 
Graduate, College of Conflict Management;
University of SouthEast Asia;
I partied on the Ho Chi Minh Trail - tiến lên !! 





Re: Preventing the installation of unapproved software

2012-09-05 Thread R.S.

On 2012-09-05 17:50, Elardus Engelbrecht wrote:

Radoslaw Skorupka wrote:

BTW: What about pedophile porn pictures and movies? How can we control it? 
Maybe your cow-worker keeps some of these pictures as members of

JSMITH.COBOL.VAR.OBJECT library?


Ahem, how did you know that dataset and its contents? ;-D


Haven't you heard about GUI based WSA?

BTW: I really met graphical files in PDS members. It was content-neutral 
set of icons used by HTTP Server - a part of STK/Sun/Oracle software 
suite for their tapes.


BTW: I made a typo above. COW-WORKER should be co-worker. No cows here.

--
Radoslaw Skorupka
Lodz, Poland








Re: Preventing the installation of unapproved software

2012-09-05 Thread Shmuel Metz (Seymour J.)
In 50475f32.9050...@acm.org, on 09/05/2012
   at 09:18 AM, Joel C. Ewing jcew...@acm.org said:

and this is the only 
locally produced documentation that makes sense on z/OS,

While the auditors in question may be stark raving bonkers, there is
other relevant documentation; change control procedures for production
libraries.

If they were competent auditors they would know this.

rara avis

We were fortunate in that our corporation had its own audit
department  that interfaced with the annual external auditors and
our auditors were  fairly well versed in z/OS security concepts from
interfacing with  Technical Services over several decades. If the
external auditors were  ever totally clueless, we could reasonably
expect our own auditors to  recognize requests that didn't make
sense in the context of the  mainframe and side with us on
suggesting sensible alternatives.

I'm jealous. I hope that management appreciates them.

-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 Atid/2  http://patriot.net/~shmuel
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)



Re: Preventing the installation of unapproved software

2012-09-05 Thread Jerry Whitteridge
Implement a RACF program control rule - if that is really what they want you to 
do. You'll have everybody screaming, but you prevented the unauthorized 
execution of programs.

Jerry Whitteridge
Lead Systems Programmer
Safeway Inc.
925 951 4184

If you feel in control
you just aren't going fast enough.

