In our organization the security staff (which includes
me) never make access decisions.  Never, never.  Our
data assets are owned by various business units,
including system programming type assets, and all
access decisions are made by their respective owners.

Middle of the night callers have begged me to make
these ad hoc decisions.  I repeat policy, then wake up
managers to share the joy. 

Our department never intrinsically "knows", nor do we
seek to know, who needs access to assets; we simply
maintain access lists based on advice from rightful
owners.

-----Original Message-----
From: IBM Mainframe Discussion List
[mailto:ibm-m...@bama.ua.edu] On Behalf Of Arthur T.
Sent: Saturday, April 03, 2010 12:44 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY
class definition required for any SMP/E use

On 2 Apr 2010 21:41:10 -0700, in bit.listserv.ibm-main
(Message-ID: <OFA817FC6F.38DDD672-ON852576FA.0017EA06-852576fa.0019b...@us.ibm.com>)
d10j...@us.ibm.com (Jim Mulder) wrote:

>>And this whole idea of trying to hide "Integrity" APARs has outlived
>>its usefulness. If it ever had any.
>>I have no gripe with fixing the hole then letting the cat out of the
>>bag, but never doing it? Don't vendors ever learn?
>
>  We have no way of knowing when all customers have applied a System
>Integrity fix to all systems, so that there are no longer any exposed
>systems anywhere in the world.  Discussions right here on IBM-MAIN
>suggest that some customers run releases which are no longer supported,
>and a fix will never be available for those unsupported releases.  As a
>courtesy to customers with exposed systems, we do not discuss the
>nature of System Integrity APARs, since understanding an exposure is
>one of the steps towards formulating a method of attack on an exposed
>system.  Naturally, you may be curious about the nature of an exposure,
>and of course, we would love to show off how clever we were in
>discovering an exposure by telling you all about it.  However, we feel
>that your curiosity and our desire to show off are overridden by the
>need to avoid unnecessarily assisting potential attackers.

This particular fix, though, requires each company's
security department to define who can use SMP/E and in
what way.  Without knowing what the security hole is,
how can they know how to assign access?

--
I cannot receive mail at the address this was sent
from.
To reply directly, send to ar23hur "at" pobox "dot" com

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access
instructions, send email to lists...@bama.ua.edu with
the message: GET IBM-MAIN INFO Search the archives at
http://bama.ua.edu/archives/ibm-main.html
