>This is only a wish.

In North America, it's more than a wish. It's a requirement.

>Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintained by ...security administrator.

This is relevant to all organisations, not just mainframe shops.

>Separate auditor, even external, hired just for few days is only a wish. BTDT.

It's only a wish that I don't embezzle money from my company?

>Sometimes this "admin/auditor" is also responsible for many other things.

As long as creation/reporting/enforcement are not all done by the same people, other things are allowed.

>Creating standards by auditor sounds obvious in such scenario.

Not if you follow the principles of "separation of duty", which has many reasons for existence! Do you allow the guy who wrote the programme to promote it to production? Or, do you separate the duties?

- -teD

300,000 Kilometres per Second
Not only is it a good idea!
It's the LAW!!!