Sujet : Re: Upcoming time boundary events
De : arne (at) *nospam* vajhoej.dk (Arne Vajhøj)
Groupes : comp.os.vmsDate : 02. Jun 2025, 14:13:58
Autres entêtes
Organisation : A noiseless patient Spider
Message-ID : <101k82m$39d9e$2@dont-email.me>
References : 1 2 3 4 5 6 7 8 9
User-Agent : Mozilla Thunderbird
On 6/2/2025 8:58 AM, Simon Clubley wrote:
On 2025-05-31, Arne Vajhøj <arne@vajhoej.dk> wrote:
On 5/31/2025 6:23 AM, Marc Van Dyck wrote:
Other advantage is that most OPenVMS installations today are used in
environments that must be certified, and external audit people usually
know nothing about DECnet. They are mostly just interested in which IP
ports are opened. Since for DECnet you just need a few, it's easily
justified. They couldn't be possibly bothered about what DECnet object
is enabled. They will complain about rlogin or telnet, but see nothing
wrong with set host. FTP ? God forbid. But FAL ? just fine... You can't
imagine how easy it was for me to get OpenVMS systems pass audits with
flying colors, while my open systems colleagues suffered...
>
:-)
That's not something which is funny Arne.
I got an age where I prefer to smile instead of cry.
The auditors should know enough to be able to properly audit these
systems especially in the high-critical environment I get the impression
that Marc works in.
When I was involved in audits of VMS systems then the auditors did have
VMS checklists and checked stuff like DECnet default access.
>
And for as long as an organisation has such systems, then the auditors
should know how to audit them. If they don't, then they are not doing the
job they were paid to do (and which they may even have legal liability
for not doing it properly).
If an audit company accept payment to audit some VMS systems, then
they should obviously be able to audit VMS systems.
If you bring your car to the mechanic and ask them to check the brakes,
then you expect that they know how to check the brakes.
That said then the bar set by such audits are usually pretty low. Some
people that don't know the system come in and spend a few
hours checking some stuff using a check list. Even with a reasonable
good uptodate check list and some bright auditors it is still
rather superficial.
Passing such an audit should indicate that the security is
not catastrophic bad. But if you need good security, then
you need engineers and time.
Arne
Upcoming time boundary events
Re: Upcoming time boundary events