Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Even Jove nods. I'll never object to someone looking over my shoulder if they actually know what they're doing. We all see what we expect to see, and sometimes a second pair of eyes will spot something obvious that's been staring us in the face all along. That said, I agree that an incompetent auditor is worse than no auditor; a bad one may demand something that actually weakens security. But should you stumble on a good auditor, keep him if you can.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Carmen Vitullo [cvitu...@hughes.net]
Sent: Tuesday, February 23, 2021 10:38 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

I actually would rather have the IBM folks come in and perform their Health check. We had a team of IBM folks come onsite a couple of years ago to perform a checkup, I didn't like the fact our leadership had NO FAITH in me and my team to have the systems built and configured correctly. We passed with flying colors and we did get some good insight on some configuration changes we should review, I don't see any Auditor today knowing enough about my environment to help at all.

Carmen Vitullo

-Original Message-
From: Seymour
To: IBM-MAIN
Date: Tuesday, 23 February 2021 9:26 AM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

Your faux auditors may be a RPITA, but a *qualified* auditor is a joy forever, should you be so fortunate as to be audited by one. They will find things that actually do need fixing, and will make it easier to get management buy-in for what needs to be done.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Carmen Vitullo [cvitu...@hughes.net]
Sent: Tuesday, February 23, 2021 8:39 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

In my case that is true, the Auditor works for another Health care company, their parent company are HITRUST Cert Auditors, so these folks are not true auditors, they are hired to guarantee HITRUST certification. They do not know what an emulator is or have the need or desire to logon and gather the requirements they request, so anything can be spoofed! I remember the auditors from the 70's and 80's when I worked for Sears, they came to the data center with their object deck and ran their programs to check and audit our systems, they knew the mainframe because most of these guys were SYSPROGS at one time.

Carmen Vitullo

-Original Message-
From: Radoslaw
To: IBM-MAIN
Date: Monday, 22 February 2021 5:45 PM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>> ...
>>> When the only tool you've mastered is printscreen, everything
>>> looks like a bitmap.
>> That was the requirement: to make Windows printscreen - a bitmap.
>> Did I forget to mention it's plain stupid?
>>
> You mentioned that the volume requested was plain stupid.
>
> A possible justification for a bitmap beyond the requestor's ignorance
> is that your setup involves an elaborate macro for an emulator not
> supporting capture as text.
>
> And the emulator authors' justification for not supporting text capture
> is that resources are better spent supporting that macro language
> given that the OS supports graphic capture.
>
> But we were using Hummingbird Exceed which has text capture.
> Simply, most users didn't care to learn the technique.

No!
No, and no!
You assumed the auditor knows the details and understands what an emulator is.
That's plain wrong.
I learnt many years ago such auditors are uneducated, but they mask
their ignorance with some mask. This is a complex topic, I cannot
describe it clearly in English.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Most IT auditors I've dealt with recently cut their IT teeth on non-mainframe platforms and have no clue as to how the mainframe works. Therefore, they push for rules that are silly, limit productivity, and even create exposures that don't exist on the mainframe. Even the young one I worked with in 1991 had no clue about the mainframe. Just because someone puts auditor next to their name doesn't suddenly make them an auditor. And as was seen during the 90's, fraud was pretty frequent among the big 6. In Phar Mor's case, the fraud was covered up by making one of the Coopers and Lybrand managers an executive for Phar Mor. Yes, there was Phar Mor than met the eye. 2 other executives also got prison time.

On Tuesday, February 23, 2021, 12:04:33 PM EST, ITschak Mugzach wrote:

Nice story. However I think the discussion is limited to IT status auditing.

ITschak

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Tue, Feb 23, 2021 at 6:49 PM Bill Johnson <0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> I worked for a company 30 years ago that at the time was part of the
> largest fraud in corporate history. The CEO and executives had 2 sets of
> books. The auditors were actively involved with the fraud. Anyone who has
> been around for a few decades remembers that a number of the big 6 auditing
> firms were involved with fraudulent corporate activities. The company was
> Phar Mor. The CEO was Mickey Monus who went to prison for 10 years. The
> auditing firm was Coopers and Lybrand. I worked with some of the people
> from Deloitte who came in to help clean up the bankruptcy that ensued from
> the fraud. I ran reports using Easytrieve to tally up the almost 500
> million in debt we had no intention of paying. Many of the "auditors" who
> were running around the corporate office like rats in a sinking ship were
> only there to extract $200 an hour from the Debtor in Possession financing
> that bankrupt companies acquire. The one "auditor" I worked with was barely
> out of college and was computer illiterate. Her accounting skills were
> limited as well.
> IBM fanboy
>
> On Tuesday, February 23, 2021, 9:40:02 AM EST, Radoslaw Skorupka <r.skoru...@hotmail.com> wrote:
>
> On 23.02.2021 at 00:44, Radoslaw Skorupka wrote:
> > On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> >> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
> >>>> ...
> >>>> When the only tool you've mastered is printscreen, everything
> >>>> looks like a bitmap.
> >>> That was the requirement: to make Windows printscreen - a bitmap.
> >>> Did I forget to mention it's plain stupid?
> >>>
> >> You mentioned that the volume requested was plain stupid.
> >>
> >> A possible justification for a bitmap beyond the requestor's ignorance
> >> is that your setup involves an elaborate macro for an emulator not
> >> supporting capture as text.
> >>
> >> And the emulator authors' justification for not supporting text capture
> >> is that resources are better spent supporting that macro language
> >> given that the OS supports graphic capture.
> >>
> >> But we were using Hummingbird Exceed which has text capture.
> >> Simply, most users didn't care to learn the technique.
> >
> > No!
> > No, and no!
> > You assumed the auditor knows the details and understands what an emulator is.
> > That's plain wrong.
> > I learnt many years ago such auditors are uneducated, but they mask
> > their ignorance with some mask. This is a complex topic, I cannot
> > describe it clearly in English.
>
> Explanation: I should say *some* auditors are so uneducated. Or "there
> are such auditors". There are also reasonable auditors, and even with
> very little or no mainframe knowledge they may do quite a good job.
> Of course it depends on who's paying for the audit and what the
> expectations are. First - managers don't want to spend money if they do
> not have to. So, usually the audits are mandatory and the main goal (the
> only goal) is to pass it with a good result.
>
> --
> Radoslaw Skorupka
> (looking for new job)
> Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Are you saying there was ... PHAR MOR going on than met the eyes?

Chris Hoelscher
Lead Sys DBA
IBM Global Technical Services on assignment to Humana Inc.
T 502.476.2538 or 502.407.7266

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Bill Johnson
Sent: Tuesday, February 23, 2021 11:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Are these auditors competent? was Re: Anyway to save ISRDDN output?

I worked for a company 30 years ago that at the time was part of the largest fraud in corporate history. The CEO and executives had 2 sets of books. The auditors were actively involved with the fraud. Anyone who has been around for a few decades remembers that a number of the big 6 auditing firms were involved with fraudulent corporate activities. The company was Phar Mor. The CEO was Mickey Monus who went to prison for 10 years. The auditing firm was Coopers and Lybrand. I worked with some of the people from Deloitte who came in to help clean up the bankruptcy that ensued from the fraud. I ran reports using Easytrieve to tally up the almost 500 million in debt we had no intention of paying. Many of the "auditors" who were running around the corporate office like rats in a sinking ship were only there to extract $200 an hour from the Debtor in Possession financing that bankrupt companies acquire. The one "auditor" I worked with was barely out of college and was computer illiterate. Her accounting skills were limited as well.
IBM fanboy

On Tuesday, February 23, 2021, 9:40:02 AM EST, Radoslaw Skorupka wrote:

On 23.02.2021 at 00:44, Radoslaw Skorupka wrote:
> On 21.02.2021 at 19:55, Paul Gilmartin wrote:
>> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>>> ...
>>>> When the only tool you've mastered is printscreen, everything
>>>> looks like a bitmap.
>>> That was the requirement: to make Windows printscreen - a bitmap.
>>> Did I forget to mention it's plain stupid?
>>>
>> You mentioned that the volume requested was plain stupid.
>>
>> A possible justification for a bitmap beyond the requestor's ignorance
>> is that your setup involves an elaborate macro for an emulator not
>> supporting capture as text.
>>
>> And the emulator authors' justification for not supporting text capture
>> is that resources are better spent supporting that macro language
>> given that the OS supports graphic capture.
>>
>> But we were using Hummingbird Exceed which has text capture.
>> Simply, most users didn't care to learn the technique.
>
> No!
> No, and no!
> You assumed the auditor knows the details and understands what an emulator is.
> That's plain wrong.
> I learnt many years ago such auditors are uneducated, but they mask
> their ignorance with some mask. This is a complex topic, I cannot
> describe it clearly in English.

Explanation: I should say *some* auditors are so uneducated. Or "there are such auditors". There are also reasonable auditors, and even with very little or no mainframe knowledge they may do quite a good job.
Of course it depends on who's paying for the audit and what the expectations are. First - managers don't want to spend money if they do not have to. So, usually the audits are mandatory and the main goal (the only goal) is to pass it with a good result.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Nice story. However I think the discussion is limited to IT status auditing.

ITschak

ITschak Mugzach | IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon

On Tue, Feb 23, 2021 at 6:49 PM Bill Johnson <0047540adefe-dmarc-requ...@listserv.ua.edu> wrote:

> I worked for a company 30 years ago that at the time was part of the
> largest fraud in corporate history. The CEO and executives had 2 sets of
> books. The auditors were actively involved with the fraud. Anyone who has
> been around for a few decades remembers that a number of the big 6 auditing
> firms were involved with fraudulent corporate activities. The company was
> Phar Mor. The CEO was Mickey Monus who went to prison for 10 years. The
> auditing firm was Coopers and Lybrand. I worked with some of the people
> from Deloitte who came in to help clean up the bankruptcy that ensued from
> the fraud. I ran reports using Easytrieve to tally up the almost 500
> million in debt we had no intention of paying. Many of the "auditors" who
> were running around the corporate office like rats in a sinking ship were
> only there to extract $200 an hour from the Debtor in Possession financing
> that bankrupt companies acquire. The one "auditor" I worked with was barely
> out of college and was computer illiterate. Her accounting skills were
> limited as well.
> IBM fanboy
>
> On Tuesday, February 23, 2021, 9:40:02 AM EST, Radoslaw Skorupka <r.skoru...@hotmail.com> wrote:
>
> On 23.02.2021 at 00:44, Radoslaw Skorupka wrote:
> > On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> >> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
> >>>> ...
> >>>> When the only tool you've mastered is printscreen, everything
> >>>> looks like a bitmap.
> >>> That was the requirement: to make Windows printscreen - a bitmap.
> >>> Did I forget to mention it's plain stupid?
> >>>
> >> You mentioned that the volume requested was plain stupid.
> >>
> >> A possible justification for a bitmap beyond the requestor's ignorance
> >> is that your setup involves an elaborate macro for an emulator not
> >> supporting capture as text.
> >>
> >> And the emulator authors' justification for not supporting text capture
> >> is that resources are better spent supporting that macro language
> >> given that the OS supports graphic capture.
> >>
> >> But we were using Hummingbird Exceed which has text capture.
> >> Simply, most users didn't care to learn the technique.
> >
> > No!
> > No, and no!
> > You assumed the auditor knows the details and understands what an emulator is.
> > That's plain wrong.
> > I learnt many years ago such auditors are uneducated, but they mask
> > their ignorance with some mask. This is a complex topic, I cannot
> > describe it clearly in English.
>
> Explanation: I should say *some* auditors are so uneducated. Or "there
> are such auditors". There are also reasonable auditors, and even with
> very little or no mainframe knowledge they may do quite a good job.
> Of course it depends on who's paying for the audit and what the
> expectations are. First - managers don't want to spend money if they do
> not have to. So, usually the audits are mandatory and the main goal (the
> only goal) is to pass it with a good result.
>
> --
> Radoslaw Skorupka
> (looking for new job)
> Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
I worked for a company 30 years ago that at the time was part of the largest fraud in corporate history. The CEO and executives had 2 sets of books. The auditors were actively involved with the fraud. Anyone who has been around for a few decades remembers that a number of the big 6 auditing firms were involved with fraudulent corporate activities. The company was Phar Mor. The CEO was Mickey Monus who went to prison for 10 years. The auditing firm was Coopers and Lybrand. I worked with some of the people from Deloitte who came in to help clean up the bankruptcy that ensued from the fraud. I ran reports using Easytrieve to tally up the almost 500 million in debt we had no intention of paying. Many of the "auditors" who were running around the corporate office like rats in a sinking ship were only there to extract $200 an hour from the Debtor in Possession financing that bankrupt companies acquire. The one "auditor" I worked with was barely out of college and was computer illiterate. Her accounting skills were limited as well.
IBM fanboy

On Tuesday, February 23, 2021, 9:40:02 AM EST, Radoslaw Skorupka wrote:

On 23.02.2021 at 00:44, Radoslaw Skorupka wrote:
> On 21.02.2021 at 19:55, Paul Gilmartin wrote:
>> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>>> ...
>>>> When the only tool you've mastered is printscreen, everything
>>>> looks like a bitmap.
>>> That was the requirement: to make Windows printscreen - a bitmap.
>>> Did I forget to mention it's plain stupid?
>>>
>> You mentioned that the volume requested was plain stupid.
>>
>> A possible justification for a bitmap beyond the requestor's ignorance
>> is that your setup involves an elaborate macro for an emulator not
>> supporting capture as text.
>>
>> And the emulator authors' justification for not supporting text capture
>> is that resources are better spent supporting that macro language
>> given that the OS supports graphic capture.
>>
>> But we were using Hummingbird Exceed which has text capture.
>> Simply, most users didn't care to learn the technique.
>
> No!
> No, and no!
> You assumed the auditor knows the details and understands what an emulator is.
> That's plain wrong.
> I learnt many years ago such auditors are uneducated, but they mask
> their ignorance with some mask. This is a complex topic, I cannot
> describe it clearly in English.

Explanation: I should say *some* auditors are so uneducated. Or "there are such auditors". There are also reasonable auditors, and even with very little or no mainframe knowledge they may do quite a good job.
Of course it depends on who's paying for the audit and what the expectations are. First - managers don't want to spend money if they do not have to. So, usually the audits are mandatory and the main goal (the only goal) is to pass it with a good result.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
I actually would rather have the IBM folks come in and perform their Health check. We had a team of IBM folks come onsite a couple of years ago to perform a checkup, I didn't like the fact our leadership had NO FAITH in me and my team to have the systems built and configured correctly. We passed with flying colors and we did get some good insight on some configuration changes we should review, I don't see any Auditor today knowing enough about my environment to help at all.

Carmen Vitullo

-Original Message-
From: Seymour
To: IBM-MAIN
Date: Tuesday, 23 February 2021 9:26 AM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

Your faux auditors may be a RPITA, but a *qualified* auditor is a joy forever, should you be so fortunate as to be audited by one. They will find things that actually do need fixing, and will make it easier to get management buy-in for what needs to be done.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Carmen Vitullo [cvitu...@hughes.net]
Sent: Tuesday, February 23, 2021 8:39 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

In my case that is true, the Auditor works for another Health care company, their parent company are HITRUST Cert Auditors, so these folks are not true auditors, they are hired to guarantee HITRUST certification. They do not know what an emulator is or have the need or desire to logon and gather the requirements they request, so anything can be spoofed! I remember the auditors from the 70's and 80's when I worked for Sears, they came to the data center with their object deck and ran their programs to check and audit our systems, they knew the mainframe because most of these guys were SYSPROGS at one time.

Carmen Vitullo

-Original Message-
From: Radoslaw
To: IBM-MAIN
Date: Monday, 22 February 2021 5:45 PM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>> ...
>>> When the only tool you've mastered is printscreen, everything
>>> looks like a bitmap.
>> That was the requirement: to make Windows printscreen - a bitmap.
>> Did I forget to mention it's plain stupid?
>>
> You mentioned that the volume requested was plain stupid.
>
> A possible justification for a bitmap beyond the requestor's ignorance
> is that your setup involves an elaborate macro for an emulator not
> supporting capture as text.
>
> And the emulator authors' justification for not supporting text capture
> is that resources are better spent supporting that macro language
> given that the OS supports graphic capture.
>
> But we were using Hummingbird Exceed which has text capture.
> Simply, most users didn't care to learn the technique.

No!
No, and no!
You assumed the auditor knows the details and understands what an emulator is.
That's plain wrong.
I learnt many years ago such auditors are uneducated, but they mask
their ignorance with some mask. This is a complex topic, I cannot
describe it clearly in English.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 23.02.2021 at 00:44, Radoslaw Skorupka wrote:
> On 21.02.2021 at 19:55, Paul Gilmartin wrote:
>> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>>> ...
>>>> When the only tool you've mastered is printscreen, everything
>>>> looks like a bitmap.
>>> That was the requirement: to make Windows printscreen - a bitmap.
>>> Did I forget to mention it's plain stupid?
>>>
>> You mentioned that the volume requested was plain stupid.
>>
>> A possible justification for a bitmap beyond the requestor's ignorance
>> is that your setup involves an elaborate macro for an emulator not
>> supporting capture as text.
>>
>> And the emulator authors' justification for not supporting text capture
>> is that resources are better spent supporting that macro language
>> given that the OS supports graphic capture.
>>
>> But we were using Hummingbird Exceed which has text capture.
>> Simply, most users didn't care to learn the technique.
>
> No!
> No, and no!
> You assumed the auditor knows the details and understands what an emulator is.
> That's plain wrong.
> I learnt many years ago such auditors are uneducated, but they mask
> their ignorance with some mask. This is a complex topic, I cannot
> describe it clearly in English.

Explanation: I should say *some* auditors are so uneducated. Or "there are such auditors". There are also reasonable auditors, and even with very little or no mainframe knowledge they may do quite a good job.
Of course it depends on who's paying for the audit and what the expectations are. First - managers don't want to spend money if they do not have to. So, usually the audits are mandatory and the main goal (the only goal) is to pass it with a good result.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Your faux auditors may be a RPITA, but a *qualified* auditor is a joy forever, should you be so fortunate as to be audited by one. They will find things that actually do need fixing, and will make it easier to get management buy-in for what needs to be done.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Carmen Vitullo [cvitu...@hughes.net]
Sent: Tuesday, February 23, 2021 8:39 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

In my case that is true, the Auditor works for another Health care company, their parent company are HITRUST Cert Auditors, so these folks are not true auditors, they are hired to guarantee HITRUST certification. They do not know what an emulator is or have the need or desire to logon and gather the requirements they request, so anything can be spoofed! I remember the auditors from the 70's and 80's when I worked for Sears, they came to the data center with their object deck and ran their programs to check and audit our systems, they knew the mainframe because most of these guys were SYSPROGS at one time.

Carmen Vitullo

-Original Message-
From: Radoslaw
To: IBM-MAIN
Date: Monday, 22 February 2021 5:45 PM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>> ...
>>> When the only tool you've mastered is printscreen, everything
>>> looks like a bitmap.
>> That was the requirement: to make Windows printscreen - a bitmap.
>> Did I forget to mention it's plain stupid?
>>
> You mentioned that the volume requested was plain stupid.
>
> A possible justification for a bitmap beyond the requestor's ignorance
> is that your setup involves an elaborate macro for an emulator not
> supporting capture as text.
>
> And the emulator authors' justification for not supporting text capture
> is that resources are better spent supporting that macro language
> given that the OS supports graphic capture.
>
> But we were using Hummingbird Exceed which has text capture.
> Simply, most users didn't care to learn the technique.

No!
No, and no!
You assumed the auditor knows the details and understands what an emulator is.
That's plain wrong.
I learnt many years ago such auditors are uneducated, but they mask
their ignorance with some mask. This is a complex topic, I cannot
describe it clearly in English.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
In my case that is true, the Auditor works for another Health care company, their parent company are HITRUST Cert Auditors, so these folks are not true auditors, they are hired to guarantee HITRUST certification. They do not know what an emulator is or have the need or desire to logon and gather the requirements they request, so anything can be spoofed! I remember the auditors from the 70's and 80's when I worked for Sears, they came to the data center with their object deck and ran their programs to check and audit our systems, they knew the mainframe because most of these guys were SYSPROGS at one time.

Carmen Vitullo

-Original Message-
From: Radoslaw
To: IBM-MAIN
Date: Monday, 22 February 2021 5:45 PM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>> ...
>>> When the only tool you've mastered is printscreen, everything
>>> looks like a bitmap.
>> That was the requirement: to make Windows printscreen - a bitmap.
>> Did I forget to mention it's plain stupid?
>>
> You mentioned that the volume requested was plain stupid.
>
> A possible justification for a bitmap beyond the requestor's ignorance
> is that your setup involves an elaborate macro for an emulator not
> supporting capture as text.
>
> And the emulator authors' justification for not supporting text capture
> is that resources are better spent supporting that macro language
> given that the OS supports graphic capture.
>
> But we were using Hummingbird Exceed which has text capture.
> Simply, most users didn't care to learn the technique.

No!
No, and no!
You assumed the auditor knows the details and understands what an emulator is.
That's plain wrong.
I learnt many years ago such auditors are uneducated, but they mask
their ignorance with some mask. This is a complex topic, I cannot
describe it clearly in English.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On Tue, 23 Feb 2021 00:44:06 +0100, Radoslaw Skorupka wrote:
>
>No!
>No, and no!
>You assumed the auditor knows the details and understands what emulator is.
>That's plain wrong.
>I learnt many years ago such auditors are uneducated, but they mask
>their ignorance with some mask. This is complex topic, I cannot describe
>it clearly in English.
>
Yes, and more:
http://eljeiffel.blogspot.com/2014/04/the-seven-sins-of-specifier-bertrand.html
...
o Overspecification: The presence in the text of an element that
  corresponds not to a feature of the problem but to features of a
  possible solution.
[some apparent typos corrected]

-- gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 21.02.2021 at 19:55, Paul Gilmartin wrote:
> On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>> ...
>>> When the only tool you've mastered is printscreen, everything
>>> looks like a bitmap.
>> That was the requirement: to make Windows printscreen - a bitmap.
>> Did I forget to mention it's plain stupid?
>>
> You mentioned that the volume requested was plain stupid.
>
> A possible justification for a bitmap beyond the requestor's ignorance
> is that your setup involves an elaborate macro for an emulator not
> supporting capture as text.
>
> And the emulator authors' justification for not supporting text capture
> is that resources are better spent supporting that macro language
> given that the OS supports graphic capture.
>
> But we were using Hummingbird Exceed which has text capture.
> Simply, most users didn't care to learn the technique.

No!
No, and no!
You assumed the auditor knows the details and understands what emulator is.
That's plain wrong.
I learnt many years ago such auditors are uneducated, but they mask
their ignorance with some mask. This is complex topic, I cannot describe
it clearly in English.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On Sun, 21 Feb 2021 18:23:03 +0100, Radoslaw Skorupka wrote:
>>...
>> When the only tool you've mastered is printscreen, everything
>> looks like a bitmap.
>
>That was the requirement: to make Windows printscreen - a bitmap.
>Did I forget to mention it's plain stupid?
>
You mentioned that the volume requested was plain stupid.

A possible justification for a bitmap beyond the requestor's ignorance
is that your setup involves an elaborate macro for an emulator not
supporting capture as text.

And the emulator authors' justification for not supporting text capture
is that resources are better spent supporting that macro language
given that the OS supports graphic capture.

But we were using Hummingbird Exceed which has text capture.
Simply, most users didn't care to learn the technique.

My bias was x3270 with Xming, Cygwin, or Hummingbird as X11 server.

-- gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 21.02.2021 at 00:02, Paul Gilmartin wrote:
> On Sat, 20 Feb 2021 23:21:11 +0100, Radoslaw Skorupka wrote:
>> ...
>> In this case it had to be Windows printscreen, full screen, so it can be
>> x3270, Tom Brennan Vista, PCOMM, Notepad, Paint, whatever. The result is
>> always a bitmap.
>
> x3270 can save as text or HTML. The HTML is an excellent full-color
> representation of the screen and searchable, not a bitmap.
>
> When the only tool you've mastered is printscreen, everything
> looks like a bitmap.

That was the requirement: to make Windows printscreen - a bitmap.
Did I forget to mention it's plain stupid?

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On Sat, 20 Feb 2021 23:21:11 +0100, Radoslaw Skorupka wrote:
>...
>In this case it had to be Windows printscreen, full screen, so it can be
>x3270, Tom Brennan Vista, PCOMM, Notepad, Paint, whatever. The result is
>always a bitmap.
>
x3270 can save as text or HTML. The HTML is an excellent full-color
representation of the screen and searchable, not a bitmap.

When the only tool you've mastered is printscreen, everything
looks like a bitmap.

>For the log I mentioned it would be over 100k pictures, over 80GB disk
>space. Obviously I refused to do screenshots for that log.
>
Viewed at 30 FPS, that's a 56 minute movie!

On Sat, 20 Feb 2021 19:43:36 +, Gibney, Dave wrote:
>
>The HMC has a browser interface, not TN3270
>
In my worst nightmare, that HMC would scrape its own screen and
make a .PNG available to the browser. Saving the page might just
capture an anchor to a volatile image.

-- gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 20.02.2021 at 20:32, Paul Gilmartin wrote:
> On Sat, 20 Feb 2021 10:42:37 -0800, Tom Brennan wrote:
>>> It's irritating that some users report problems and supply graphic
>>> screenshots as documentation.
>> For mainframe issues at the terminal, sure. But in other cases I might
>> want an image, such as last week with a new z15 that wouldn't IPL and I
>> asked to see the HMC screen. Turns out the solution was pretty easy
>> once I saw the error - nobody had connected any FICON cables yet.
>> That'll do it :)
>
> May I infer, then, that:
> o The HMC (they never let me touch one) has only graphic screenshot
>   capability, not text?
> o The HMC is inaccessible via emulator? Good security; hindrance to
>   darkened/remote computer room operations.
>
> Otherwise I can't envision a graphic screen image as superior to text.

As Dave noted HMC is accessible directly or remotely, but in both cases it is browser. IMHO remote access is better, because it's easier to make screenshots and manage them. And this is HTML, so you can prepare set of pictures and/or the messages as text.

I created several instructions and used both. Sometimes it's better to show the picture and sometimes it is better to provide only the message. Of course in this case the goal was to make some procedure easier for the reader, not an audit.

I was also a movie star during some CPC upgrade I performed, but due to some co-worker who disturbed me... parental advisory... yes, the language was coarse... (is it late Friday?)

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 20.02.2021 at 19:03, Paul Gilmartin wrote:
> On Sat, 20 Feb 2021 16:42:01 +0100, Radoslaw Skorupka wrote:
>> ...
>> b) screenshot series is completely useless for browsing or searching
>> some string.
>
> Depends. x3270 can capture screen content as either text or
> impressively realistic HTML; both quite browsable/searchable.
> (But does that violate a strict definition of "screenshot"?)
> Not sure about all other emulators.
>
> It's irritating that some users report problems and supply graphic
> screenshots as documentation.

In this case it had to be Windows printscreen, full screen, so it can be x3270, Tom Brennan Vista, PCOMM, Notepad, Paint, whatever. The result is always a bitmap.

For the log I mentioned it would be over 100k pictures, over 80GB disk space. Obviously I refused to do screenshots for that log.

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
For 30+ years I perform security assessments, status audits, readiness reviews, pentest (call it as you like). I've NEVER (!) interviewed a person, or asked him for a screenshot. Give me a standard user (for phase one) and one with ROAUDIT (for phase two). The system knows better how it is configured. As Lizette says, if you have not already done that (now, my suffix) by an audit product. There are some in the market, and let them collect the information themselves.

ITschak

Itschak Mugzach | Director | SecuriTeam Software | IronSphere Platform | Information Security Continuous Monitoring for Z/OS, zLinux and IBM I | Email: i_mugz...@securiteam.co.il | Mob: +972 522 986404 | Skype: ItschakMugzach | Web: www.Securiteam.co.il

On Sat, Feb 20, 2021 at 5:42 PM Radoslaw Skorupka wrote:

> On 19.02.2021 at 00:12, Frank Swarbrick wrote:
> > Who audits the auditors?
> > :-)
>
> I think this is really important and it will take place in the future.
> Or just some feedback process to report formal objections about the
> auditor and his incompetence.
> I met a lot of auditors and unfortunately I observe they are younger and
> younger folks with less and less knowledge. And the audit is processed
> to avoid any cost possible.
> Funny story: auditor demanded some report "as long as possible". It was
> really long - over 600 MB of text. However another demand was to provide
> everything as screenshot or set of screenshots.
> Side notes:
> a) screenshot can contain fake information as text file - it is enough
> to place false text file to the host and browse it.
> b) screenshot series is completely useless for browsing or searching
> some string.
> c) auditor did not understand the output at all. That's why he further
> asked for information already delivered on another screenshot. He just
> read some checklist and relay questions with no analysis about its
> content.
>
> Of course there are exceptions. I remember two guys, who audited me for
> two weeks. Knowledgeable. If something was not clear, he asked for help -
> what command is proper to provide him such and such information. Note:
> he didn't want the output, he wanted a command to issue. And every
> "finding" was discussed - what, why, etc. The best audit I had.
>
> And the most funny: an auditor sent by very big and very known company.
> He was really embarrassed and ashamed, because it was his first week in
> this job. And it was his *first job ever*.
>
> BTW: I also conducted some audits, being hired as independent
> consultant. Mostly RACF, but also more general, including data center
> and some operational procedures. However my role was not to collect the
> outputs.
>
> Regards
> --
> Radoslaw Skorupka
> (looking for new job)
> Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
The HMC has a browser interface, not TN3270

> -----Original Message-----
> From: IBM Mainframe Discussion List On
> Behalf Of Paul Gilmartin
> Sent: Saturday, February 20, 2021 11:32 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN
> output?
>
> On Sat, 20 Feb 2021 10:42:37 -0800, Tom Brennan wrote:
> >>
> >> It's irritating that some users report problems and supply graphic
> >> screenshots as documentation.
> >
> >For mainframe issues at the terminal, sure. But in other cases I might
> >want an image, such as last week with a new z15 that wouldn't IPL and I
> >asked to see the HMC screen. Turns out the solution was pretty easy
> >once I saw the error - nobody had connected any FICON cables yet.
> >That'll do it :)
> >
> May I infer, then, that:
> o The HMC (they never let me touch one) has only graphic screenshot
>   capability, not text?
> o The HMC is inaccessible via emulator? Good security; hindrance to
>   darkened/remote computer room operations.
>
> Otherwise I can't envision a graphic screen image as superior to text.
>
> Thanks,
> gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On Sat, 20 Feb 2021 10:42:37 -0800, Tom Brennan wrote:
>>
>> It's irritating that some users report problems and supply graphic
>> screenshots as documentation.
>
>For mainframe issues at the terminal, sure. But in other cases I might
>want an image, such as last week with a new z15 that wouldn't IPL and I
>asked to see the HMC screen. Turns out the solution was pretty easy
>once I saw the error - nobody had connected any FICON cables yet.
>That'll do it :)
>
May I infer, then, that:
o The HMC (they never let me touch one) has only graphic screenshot
  capability, not text?
o The HMC is inaccessible via emulator? Good security; hindrance to
  darkened/remote computer room operations.

Otherwise I can't envision a graphic screen image as superior to text.

Thanks,
gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 2/20/2021 10:03 AM, Paul Gilmartin wrote:
> It's irritating that some users report problems and supply graphic
> screenshots as documentation.

For mainframe issues at the terminal, sure. But in other cases I might want an image, such as last week with a new z15 that wouldn't IPL and I asked to see the HMC screen. Turns out the solution was pretty easy once I saw the error - nobody had connected any FICON cables yet. That'll do it :)
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On Sat, 20 Feb 2021 16:42:01 +0100, Radoslaw Skorupka wrote:
>...
>b) screenshot series is completely useless for browsing or searching
>some string.
>
Depends. x3270 can capture screen content as either text or
impressively realistic HTML; both quite browsable/searchable.
(But does that violate a strict definition of "screenshot"?)
Not sure about all other emulators.

It's irritating that some users report problems and supply graphic
screenshots as documentation.

-- gil
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
On 19.02.2021 at 00:12, Frank Swarbrick wrote:
> Who audits the auditors?
> :-)

I think this is really important and it will take place in the future. Or just some feedback process to report formal objections about the auditor and his incompetence.

I met a lot of auditors and unfortunately I observe they are younger and younger folks with less and less knowledge. And the audit is processed to avoid any cost possible.

Funny story: auditor demanded some report "as long as possible". It was really long - over 600 MB of text. However another demand was to provide everything as screenshot or set of screenshots.

Side notes:
a) screenshot can contain fake information as text file - it is enough to place false text file to the host and browse it.
b) screenshot series is completely useless for browsing or searching some string.
c) auditor did not understand the output at all. That's why he further asked for information already delivered on another screenshot. He just read some checklist and relay questions with no analysis about its content.

Of course there are exceptions. I remember two guys, who audited me for two weeks. Knowledgeable. If something was not clear, he asked for help - what command is proper to provide him such and such information. Note: he didn't want the output, he wanted a command to issue. And every "finding" was discussed - what, why, etc. The best audit I had.

And the most funny: an auditor sent by very big and very known company. He was really embarrassed and ashamed, because it was his first week in this job. And it was his *first job ever*.

BTW: I also conducted some audits, being hired as independent consultant. Mostly RACF, but also more general, including data center and some operational procedures. However my role was not to collect the outputs.

Regards
--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Agree, and just as an example, just this morning I have spent (wasted) 3 hours responding to and working on audit issues for HITRUST, I am the only sysprog working on z/OS and I'm losing time trying to upgrade from 2.3 to 2.4, each day I think I'll get some time to concentrate on the USERMODS, EXITS, USS customization, EXITS, CATALOG issues and each day I am forced to go back 10 and punt :(

Carmen Vitullo

-----Original Message-----
From: Seymour
To: IBM-MAIN
Date: Friday, 19 February 2021 8:51 AM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

Not just PARMLIB, but subsequent changes.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Clark Morris [cfmt...@uniserve.com]
Sent: Thursday, February 18, 2021 5:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Are these auditors competent? was Re: Anyway to save ISRDDN output?

[Default] On 18 Feb 2021 05:12:25 -0800, in bit.listserv.ibm-main cvitu...@hughes.net (Carmen Vitullo) wrote:

>I actually like the IBM health checker idea, I know I've been told over and
>over it needs to be ISRDDN, but I really think it's because that's all they
>know, they are lazy to say the least.

As I suggested in a prior posting, I would investigate these auditors. If your postings reflect their knowledge and approach I would not have any confidence in their findings. As Peter Relson said D PROG,APF is more trustworthy than ISRDDN. However, they also should be interested in all PARMLIB members that can cause a library to be APF authorized as well as means of updating APF libraries. A competent auditor can help improve your system. An incompetent one can waste your and management's time and money and may even leave your system more vulnerable.

Clark Morris

>thanks
>
>Carmen Vitullo
>
>-----Original Message-----
>
>From: Peter
>To: IBM-MAIN
>Date: Thursday, 18 February 2021 6:50 AM CST
>Subject: Re: Anyway to save ISRDDN output?
>
>If I were an auditor, I'd prefer an approach that is implemented by a
>required base element of the operating system (where SDSF and, I think,
>ISPF do not meet that criterion)
>
>That would cover:
>-- hzsproc CHECK(IBMCSV,CSV_APF_EXISTS)
>-- DISPLAY PROG,APF
>
>Or provide my own (if I trust myself)
>-- a program I provided that issues CSVAPF REQUEST=LIST and surfaces the
>output
>
>But that's just me. And I'm no auditor.
>
>Peter Relson
>z/OS Core Technology Design
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Not just PARMLIB, but subsequent changes.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Clark Morris [cfmt...@uniserve.com]
Sent: Thursday, February 18, 2021 5:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Are these auditors competent? was Re: Anyway to save ISRDDN output?

[Default] On 18 Feb 2021 05:12:25 -0800, in bit.listserv.ibm-main cvitu...@hughes.net (Carmen Vitullo) wrote:

>I actually like the IBM health checker idea, I know I've been told over and
>over it needs to be ISRDDN, but I really think it's because that's all they
>know, they are lazy to say the least.

As I suggested in a prior posting, I would investigate these auditors. If your postings reflect their knowledge and approach I would not have any confidence in their findings. As Peter Relson said D PROG,APF is more trustworthy than ISRDDN. However, they also should be interested in all PARMLIB members that can cause a library to be APF authorized as well as means of updating APF libraries. A competent auditor can help improve your system. An incompetent one can waste your and management's time and money and may even leave your system more vulnerable.

Clark Morris

>thanks
>
>Carmen Vitullo
>
>-----Original Message-----
>
>From: Peter
>To: IBM-MAIN
>Date: Thursday, 18 February 2021 6:50 AM CST
>Subject: Re: Anyway to save ISRDDN output?
>
>If I were an auditor, I'd prefer an approach that is implemented by a
>required base element of the operating system (where SDSF and, I think,
>ISPF do not meet that criterion)
>
>That would cover:
>-- hzsproc CHECK(IBMCSV,CSV_APF_EXISTS)
>-- DISPLAY PROG,APF
>
>Or provide my own (if I trust myself)
>-- a program I provided that issues CSVAPF REQUEST=LIST and surfaces the
>output
>
>But that's just me. And I'm no auditor.
>
>Peter Relson
>z/OS Core Technology Design
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Indeed Frank, like the Skype message I have for work, "who's watching the Watchers?" :)

Carmen Vitullo

-----Original Message-----
From: Frank
To: IBM-MAIN
Date: Thursday, 18 February 2021 5:12 PM CST
Subject: Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?

Who audits the auditors?
:-)

From: IBM Mainframe Discussion List on behalf of Clark Morris
Sent: Thursday, February 18, 2021 3:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Are these auditors competent? was Re: Anyway to save ISRDDN output?

[Default] On 18 Feb 2021 05:12:25 -0800, in bit.listserv.ibm-main cvitu...@hughes.net (Carmen Vitullo) wrote:

>I actually like the IBM health checker idea, I know I've been told over and
>over it needs to be ISRDDN, but I really think it's because that's all they
>know, they are lazy to say the least.

As I suggested in a prior posting, I would investigate these auditors. If your postings reflect their knowledge and approach I would not have any confidence in their findings. As Peter Relson said D PROG,APF is more trustworthy than ISRDDN. However, they also should be interested in all PARMLIB members that can cause a library to be APF authorized as well as means of updating APF libraries. A competent auditor can help improve your system. An incompetent one can waste your and management's time and money and may even leave your system more vulnerable.

Clark Morris

>thanks
>
>Carmen Vitullo
>
>-----Original Message-----
>
>From: Peter
>To: IBM-MAIN
>Date: Thursday, 18 February 2021 6:50 AM CST
>Subject: Re: Anyway to save ISRDDN output?
>
>If I were an auditor, I'd prefer an approach that is implemented by a
>required base element of the operating system (where SDSF and, I think,
>ISPF do not meet that criterion)
>
>That would cover:
>-- hzsproc CHECK(IBMCSV,CSV_APF_EXISTS)
>-- DISPLAY PROG,APF
>
>Or provide my own (if I trust myself)
>-- a program I provided that issues CSVAPF REQUEST=LIST and surfaces the
>output
>
>But that's just me. And I'm no auditor.
>
>Peter Relson
>z/OS Core Technology Design
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Who audits the auditors?
:-)

From: IBM Mainframe Discussion List on behalf of Clark Morris
Sent: Thursday, February 18, 2021 3:01 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Are these auditors competent? was Re: Anyway to save ISRDDN output?

[Default] On 18 Feb 2021 05:12:25 -0800, in bit.listserv.ibm-main cvitu...@hughes.net (Carmen Vitullo) wrote:

>I actually like the IBM health checker idea, I know I've been told over and
>over it needs to be ISRDDN, but I really think it's because that's all they
>know, they are lazy to say the least.

As I suggested in a prior posting, I would investigate these auditors. If your postings reflect their knowledge and approach I would not have any confidence in their findings. As Peter Relson said D PROG,APF is more trustworthy than ISRDDN. However, they also should be interested in all PARMLIB members that can cause a library to be APF authorized as well as means of updating APF libraries. A competent auditor can help improve your system. An incompetent one can waste your and management's time and money and may even leave your system more vulnerable.

Clark Morris

>thanks
>
>Carmen Vitullo
>
>-----Original Message-----
>
>From: Peter
>To: IBM-MAIN
>Date: Thursday, 18 February 2021 6:50 AM CST
>Subject: Re: Anyway to save ISRDDN output?
>
>If I were an auditor, I'd prefer an approach that is implemented by a
>required base element of the operating system (where SDSF and, I think,
>ISPF do not meet that criterion)
>
>That would cover:
>-- hzsproc CHECK(IBMCSV,CSV_APF_EXISTS)
>-- DISPLAY PROG,APF
>
>Or provide my own (if I trust myself)
>-- a program I provided that issues CSVAPF REQUEST=LIST and surfaces the
>output
>
>But that's just me. And I'm no auditor.
>
>Peter Relson
>z/OS Core Technology Design
Re: Are these auditors competent? was Re: Anyway to save ISRDDN output?
Also note unless you're protecting the CSVAPF.** resource, whatever method you're using to obtain the list of APF authorized datasets, it's just a snapshot in time, and can change unknowingly.

Mark Jacobs

Sent from ProtonMail, Swiss-based encrypted email.
GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com

‐‐‐ Original Message ‐‐‐
On Thursday, February 18th, 2021 at 5:01 PM, Clark Morris wrote:

> [Default] On 18 Feb 2021 05:12:25 -0800, in bit.listserv.ibm-main
> cvitu...@hughes.net (Carmen Vitullo) wrote:
>
> > I actually like the IBM health checker idea, I know I've been told over and
> > over it needs to be ISRDDN, but I really think it's because that's all they
> > know, they are lazy to say the least.
>
> As I suggested in a prior posting, I would investigate these auditors.
> If your postings reflect their knowledge and approach I would not have
> any confidence in their findings. As Peter Relson said D PROG,APF is
> more trustworthy than ISRDDN. However, they also should be interested
> in all PARMLIB members that can cause a library to be APF authorized
> as well as means of updating APF libraries. A competent auditor can
> help improve your system. An incompetent one can waste your and
> management's time and money and may even leave your system more
> vulnerable.
>
> Clark Morris
>
> > thanks
> >
> > Carmen Vitullo
> >
> > -----Original Message-----
> >
> > From: Peter rel...@us.ibm.com
> > To: IBM-MAIN IBM-MAIN@LISTSERV.UA.EDU
> > Date: Thursday, 18 February 2021 6:50 AM CST
> > Subject: Re: Anyway to save ISRDDN output?
> >
> > If I were an auditor, I'd prefer an approach that is implemented by a
> > required base element of the operating system (where SDSF and, I think,
> > ISPF do not meet that criterion)
> >
> > That would cover:
> > -- hzsproc CHECK(IBMCSV,CSV_APF_EXISTS)
> > -- DISPLAY PROG,APF
> >
> > Or provide my own (if I trust myself)
> > -- a program I provided that issues CSVAPF REQUEST=LIST and surfaces the
> > output
> >
> > But that's just me. And I'm no auditor.
> >
> > Peter Relson
> > z/OS Core Technology Design
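Several posts in this thread (DISPLAY PROG,APF as the source, the PARMLIB members that authorize libraries, "subsequent changes", and the list being "just a snapshot in time") describe checks that work on saved text rather than screenshots. The sketch below is an added example, not code from any poster or from IBM: it compares two saved console responses with each other and with the APF ADD statements of a PROGxx member. All sample text, data set names, volume serials and function names are constructed, and the response layout is assumed to match the CSV450I message.

```python
import re

# Constructed console capture, laid out like a CSV450I response to
# D PROG,APF (layout assumed; data set and volume names are made up).
DISPLAY_EARLIER = """\
CSV450I 09.14.02 PROG,APF DISPLAY 417
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 RES001 SYS1.LINKLIB
    2 RES001 SYS1.SVCLIB
    3 *SMS*  CEE.SCEERUN
    4 WRK001 TEST.AUTHLIB
"""
# Second constructed capture, taken later: one more library is authorized.
DISPLAY_LATER = DISPLAY_EARLIER + "    5 WRK001 USER.LOADLIB\n"

# Constructed PROGxx fragment. Simplification: only the full keywords
# DSNAME, VOLUME and SMS are recognised by the parser below.
PROGXX = """\
/* constructed APF definitions */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(RES001)
APF ADD DSNAME(SYS1.SVCLIB)
        VOLUME(RES001)
APF ADD DSNAME(CEE.SCEERUN) SMS
APF ADD DSNAME(OLD.AUTHLIB) VOLUME(RES001)
"""

ENTRY_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s*$")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
APF_ADD_RE = re.compile(
    r"\bAPF\s+ADD\s+DSNAME\(\s*([^)\s]+)\s*\)\s+"
    r"(?:VOLUME\(\s*([^)\s]+)\s*\)|(SMS)\b)",
    re.IGNORECASE,
)


def parse_display_apf(text):
    """Return {(dsname, volume)} from a saved D PROG,APF response."""
    entries, in_table = set(), False
    for line in text.splitlines():
        if line.split()[:3] == ["ENTRY", "VOLUME", "DSNAME"]:
            in_table = True          # rows follow the column header
        elif in_table:
            m = ENTRY_RE.match(line)
            if m:
                entries.add((m.group(2).upper(), m.group(1).upper()))
    return entries


def parse_progxx(text):
    """Return {(dsname, volume)} declared by APF ADD statements."""
    entries = set()
    # Strip /* ... */ comments first; statements may span lines.
    for m in APF_ADD_RE.finditer(COMMENT_RE.sub(" ", text)):
        volume = "*SMS*" if m.group(3) else m.group(2).upper()
        entries.add((m.group(1).upper(), volume))
    return entries


def compare(left, right):
    """Return (only_in_left, only_in_right) as sorted lists."""
    return sorted(left - right), sorted(right - left)


def audit(display_earlier, display_later, progxx):
    """Summarise drift between two captures and against PROGxx."""
    earlier = parse_display_apf(display_earlier)
    later = parse_display_apf(display_later)
    declared = parse_progxx(progxx)
    removed, added = compare(earlier, later)
    active_undeclared, declared_inactive = compare(later, declared)
    return {
        "added_between_captures": added,
        "removed_between_captures": removed,
        # Active but absent from this member: needs an explanation
        # (another member, or a change made after IPL).
        "active_not_in_progxx": active_undeclared,
        # Declared but not active in the later capture.
        "in_progxx_not_active": declared_inactive,
    }


if __name__ == "__main__":
    for key, rows in audit(DISPLAY_EARLIER, DISPLAY_LATER, PROGXX).items():
        print(key)
        for dsname, volume in rows:
            print(f"  {volume:<6} {dsname}")
```
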