> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman
>
> ----------------------<snip>---------------------
>
> >It's not the auditors.
> >It's a compliance issue; the auditor does/should not determine what to track.
> >Rather, they require reporting on what is required to monitor compliance.
> >
> >It's a true separation of duty (generic terminology):
> >
> >1. Standards Officer -- determines what are "best practices".
> >2. Auditor -- reports on which standards are(n't) being met.
> >3. Compliance Officer -- enforces standards.
> >
> >Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities.
> >
> >If there is no true separation of duty, then there is a potential for conflicts of interest!
> >
> ---------------------<unsnip>-----------------------
> In an ideal world, that's how it might work.
>
> I spent 4 weeks on unpaid leave because an auditor knew of a single "hole" in our security. He used a newly-discovered hole in a CA SVC to basically "run rampant" through my system, then told senior management that "anyone" could do it. When I challenged him, in front of my senior management, I got "suspended without pay". It took me 4 weeks of conversations with CA Tech Support to build a concrete case, which was argued before the Board of Governors, just me vs. the auditor. The net upshot was that CA fixed the hole, I got reinstated in my position, the pay that was withheld from me was duly paid over, and my senior management got a reprimand for treating me so shabbily. Needless to say, I've got very strong feelings about most DP auditors in general, and stronger feelings about the so-called "Security Auditor".
IMO, for *anybody* (let alone an auditor) to have deliberately "demonstrated" a newly-discovered "hole" in that manner on a system such as yours should have resulted in a criminal indictment of that person. People daily go to jail for far less.

-jc-

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html