In a recent note, Robert A. Rosenberg said:

> Date:         Wed, 2 Nov 2005 00:38:45 -0500
> 
> At 09:02 -0800 on 11/01/2005, Mark Yuhas wrote about Module description:
> 
> >We are going through a security audit and Sarbanes-Oxley compliance.  I
> >keep getting questions about obscure [IBM] modules and their functions.
> 
> In my opinion, the Auditor has NO valid reason to be asking this
> question about ANY IBM (or other Vendor) supplied module. It is
> their job to KNOW this information or they are not qualified to be
> doing the audit in the first place. The only modules they have any
> justification to be asking this type of question about is your USER
> WRITTEN Application code and exits from IBM and other Vendor Code.
> 
What's a "Vendor"?  Does a contractor producing a one-of-a-kind
module count as a Vendor?

I suppose it's quite reasonable for the auditor to ask to see the
source code of anything that runs in an authorized state, and the
audit trail of producing the executable from that source code,
and the source code of any language translators involved.  I
understand IBM will make source code available (other vendors
may be less cooperative) under NDA and for a price.  But who
pays?

I understand some government agencies run 'way down level OS
and other software simply because it's too costly to vet the
current versions.

-- gil
-- 
StorageTek
INFORMATION made POWERFUL

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
