----------------------<snip>---------------------

It's not the auditors.
It's a compliance issue; the auditor does/should not determine what to track.
Rather, they require reporting on what is required to monitor compliance.

It's a true separation of duty (generic terminology):

1. Standards Officer -- determines what are "best practices".
2. Auditor -- reports on which standards are(n't) being met.
3. Compliance Officer -- enforces standards.

Too many people are 'afraid' of auditors, but in a 'proper environment', they 
have no enforcement capabilities.

If there is no true separation of duty, then there is a potential for conflicts 
of interest!
---------------------<unsnip>-----------------------
In an ideal world, that's how it might work.

I spent 4 weeks on unpaid leave because an auditor knew of a single "hole" in our security. He used a newly-discovered hole in a CA SVC to basically "run rampant" through my system, then told senior management that "anyone" could do it. When I challenged him, in front of my senior management, I got "suspended without pay". It took me 4 weeks of conversations with CA Tech Support to build a concrete case, which was argued before the Board of Governors, just me vs. the auditor. The net upshot was that CA fixed the hole, I got reinstated in my position, the pay that was withheld from me was duly paid over, and my senior management got a reprimand for treating me so shabbily. Needless to say, I've got very strong feelings about most DP auditors in general, and stronger feelings about the so-called "Security Auditor".


When in doubt.
PANIC!!
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

