On Tue, 1 Nov 2005 12:54:03 -0500, Farley, Peter x23353 <[EMAIL PROTECTED]> wrote:
>Shouldn't any competent auditor who is asking about a vendor's programs know
>that they have to ask the vendor, not the user?  Shouldn't your only
>response have to be "Ask IBM"?
>...

I suppose an auditor might be trained to ask "Does the vendor say these
modules have to be in an authorized library?" and pass the question to the
vendor only if the answer is "Yes".

>..
>>
>>We are going through a security audit and Sarbanes-Oxley compliance.  I
>>keep getting questions about obscure modules and their functions.  I usually
>>search IBMLink for APARs that describe the module.
>...

Mark, I guess you could post the questions here.  Does the auditor ever ask
"Does this Unix program really have to run under uid(0)?"?  That's a question
that vendors (including IBM) really ought to be asked.  I think the answer is
often "Yes.  We were too lazy to make the answer 'No'".

Pat O'Keefe

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

