Well... maybe there is a way for the auditors to stay less than savvy. I sat
in on a presentation for http://www.vatsecurity.com/ which, other than
scaring the %^&* out of me, gives an excellent way to look at the system from
an integrity standpoint.  I end up spending a lot of time on just working
through the controls that are in the security products, making sure that there
are trails to follow about who did what when... looking out for inadvisable
utilities, looking at the system when it first comes up to see what new
"stuff" is there.  But this is a different approach... one that just got
added to my "list of things" I need to look at.

Rob Schramm

On Wed, Apr 27, 2011 at 9:51 PM, Clark Morris <cfmpub...@ns.sympatico.ca> wrote:

> On 26 Apr 2011 06:43:16 -0700, in bit.listserv.ibm-main you wrote:
>
> While at a company which no longer is in the business it was when I
> was there, headquarters IT auditors came to audit one of our systems.
> They were informed that it was virtually non-existent and that we
> would be very happy with any documentation they could add.  They in
> fact found the documentation situation as stated and were allowed by
> their management to really check out the system and leave behind
> documentation of what they found.  Working with them was a pleasure
> because they knew what they were doing and we got some useful
> documentation out of it.  Since we didn't try to hide the
> documentation situation, we apparently didn't get anything nasty from
> headquarters.
>
> Later the division was sold to another company.  Things had progressed
> in the field so now we had TSO and other online access.  This was
> before RACF or equivalent was mandatory.  The internal auditor came
> through and I expressed my concern about the lack of security.  My
> boss was standing near me and rephrased the concerns in management
> speak with the same message.  In his report the major concern of the
> auditor was that we were running JES3 on a single CPU (global only)
> rather than JES2.  In our conversation with him before the report, he
> seemed to think lack of security was rather common.
>
> Clark Morris
> >Perhaps this is a bit off topic, but I have yet to encounter an IT auditor
> >I could trust.
> >
> >At my very first job I was in a small shop running DOS on a 360/40. The
> >company was scheduled for its annual outside audit. The IT auditors
> >typically wanted to completely take over the machine for the days of the
> >IT audit. It happened that our payroll process occurred during the period
> >of the audit. Our operations manager informed the auditors that payroll
> >processing would take priority over the audit if they came on those days,
> >on any other days they could have the machine. Guess which days they came.
> >We were written up because we did not give them dedicated use of the
> >machine. It was noted in the audit report that the "uncooperative" data
> >center manager had since been demoted. Not true. He had decided to return
> >to graduate school and was now only able to work third shift, so he became
> >an operator. This was his decision, and certainly not a demotion in the
> >sense that the auditors implied.
> >
> >I think that when I was later in an MVS shop, our auditors used that same
> >playbook, but I also think that they read slowly, as they seemed to find
> >one new thing in the book each year.
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions,
> >send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> >Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
-- 
Rob Schramm
Senior Systems Engineer

w: 513.305.6224
