On 11/2/2005 11:16 AM, Shmuel Metz, Seymour J. wrote:
> In <[EMAIL PROTECTED]>, on 11/01/2005
>    at 02:29 PM, "Patrick O'Keefe" <[EMAIL PROTECTED]> said:
>
>> I suppose an auditor might be trained to ask "Does the vendor say
>> these modules have to be in an authorized library?" and pass the
>> question to the vendor only if the answer is "Yes".
>
> That's reasonable if the auditor is incompetent. If the auditor is
> good then I'd want him to ensure that the vendor doesn't have any
> trojan horses in the software that my users are calling.

I'm not sure I understand how you would expect an auditor to be able to verify that a vendor hadn't shipped a trojan horse. You really want all the auditors visiting all the vendors and personally inspecting all the code?

        Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
