> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman
>
> ----------------------<snip>---------------------
>
> >It's not the auditors.
> >It's a compliance issue; the auditor does/should not determine what
> >to track.
> >Rather, they require reporting on what is required to monitor
> >compliance.
> >
> >It's a true separation of duty (generic terminology):
> >
> >1. Standards Officer -- determines what are "best practices".
> >2. Auditor -- reports on which standards are(n't) being met.
> >3. Compliance Officer -- enforces standards.
> >
> >Too many people are 'afraid' of auditors, but in a 'proper
> >environment', they have no enforcement capabilities.
> >
> >If there is no true separation of duty, then there is a
> >potential for conflicts of interest!
> >
> >
> ---------------------<unsnip>-----------------------
> In an ideal world, that's how it might work.
>
> I spent 4 weeks on unpaid leave because an auditor knew of a
> single "hole" in our security. He used a newly-discovered
> hole in a CA SVC to basically "run rampant" through my system,
> then told senior management that "anyone" could do it. When I
> challenged him, in front of my senior management, I got
> "suspended without pay". It took me 4 weeks of conversations
> with CA Tech Support to build a concrete case, which was
> argued before the Board of Governors, just me vs. the
> auditor. The net upshot was that CA fixed the hole, I got
> reinstated in my position, the pay that was withheld from me
> was duly paid over and my senior management got a reprimand
> for treating me so shabbily. Needless to say, I've got very
> strong feelings about most DP auditors in general, and
> stronger feelings about the so-called "Security Auditor".
IMO, for *anybody* (let alone an auditor) to have deliberately
"demonstrated" a newly-discovered "hole" in that manner on a system such
as yours should have resulted in a criminal indictment of that person.
People daily go to jail for far less.
-jc-
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html