Super Secret (aka Security Through Obscurity) is always a bad idea. Security and integrity are difficult enough when balanced against allowing progress to occur. Adding in ridiculously risky back doors into your system is a recipe for disaster.
An auditor that doesn't know enough to ask the right questions is not much of an auditor.... If the goal is to achieve rubber stamps that grant some sort of empty approval... then by all means hire the auditors that are ignorant and are just following scripts without regard to how your system works.

Rob Schramm

On Fri, Apr 22, 2011 at 3:11 PM, Rick Fochtman <[email protected]> wrote:

> ---------------------------------------<snip>--------------------------------
>
>> I hope that this SVC has been removed. These "super-secret" SVC's are
>> nothing more than MASSIVE integrity exposures, that can be relatively easily
>> spoofed, and should be banned from any and all z/OS sites.
>
> ------------------------------------<unsnip>--------------------------------
> I disagree. Checking a RACF FACILITY profile isn't that hard, nor is it all
> that difficult to define another resource class that can be checked by
> today's equivalent of FRACHECK.
>
> Rick
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
Rob Schramm
Senior Systems Engineer
w: 513.305.6224

