>I *HATE* checklist auditors. This sounds like a WINTEL based checklist....
It does indeed sound like the "auditor" is applying Wintel security principles to a mainframe system. The right questions to ask re mainframe security are:

(1) Are the users properly authenticated?
(2) Is the data properly protected by security manager profiles?
(3) Is the connection between user groups and data security profiles properly set up and managed?
(4) Is there any way that the data security protection can be circumvented? This is where one aspect of "unauthorized programs" arises (e.g. APF authorization).
(5) Is there proper management of the application production libraries, including controls over who can modify these libraries? This is where a second aspect of "unauthorized programs" arises.

If the "auditor" is thinking that some one-off COBOL program or REXX script sitting in a TSO user's own library is a danger, then he/she is not qualified.

John
