On Wed, 2 Nov 2005 11:08:26 -0500, Shmuel Metz (Seymour J.) <shmuel+ibm- [EMAIL PROTECTED]> wrote:
>>...
>>I suppose an auditor might be trained to ask "Does the vendor say
>>these modules have to be in an authorized library?" and pass the
>>question to the vendor only if the answer is "Yes".
>
>That's reasonable if the auditor is incompetent. If the auditor is
>good then I'd want him to ensure that the vendor doesn't have any
>trojan horses in the software that my users are calling.
>...

Unless I misunderstand what you said, I think we're saying about the same thing. If the product was installed in an authorized library when the vendor did not require it, there's no sense approaching the vendor; there's a local security issue. But if the vendor *does* require an authorized library then the auditor might want to approach the vendor. Might.

Pat O'Keefe

