On Tuesday, 11/03/2009 at 08:27 EST, "McKown, John" <john.mck...@healthmarkets.com> wrote:

> This sort of thing comes up on the z/OS RACF forum with distressing regularity.
> The "smart money" always responds that the auditor is not the maker of the
> rules / policies. The auditor is supposed to get a list of the company rules /
> policies and simply confirm that the department being audited either does or
> does not pass the audit with documentation when it does not. Unfortunately,
> auditors of today have become "activist judges" who are making laws from the
> bench. And corporate management is letting them do it (likely because corporate
> management doesn't know how to manage anymore).
So, the good news is that the auditor has discretion and can adapt to conditions on the ground. The bad news is that the auditor has discretion and can impose their will. It is a two-edged sword that no amount of complaining about will dull; it's inherent in the system.

The Flaw. The Anomaly. Sometimes it's just politics. Whatever moron thought that user name "games" should be used by non-gaming packages or internal componentry should be taken out back and summarily Dealt With. This means Marcy has to explain that, no, there aren't really any games installed. (Go ahead, prove a negative.)

Marcy's question wasn't unreasonable and neither is the policy to remove unnecessary accounts. But to implement the policy, *someone* has to be the arbiter of "necessary", and I don't think it should be the system that's being audited! I.e., perhaps you should be able to tell rpm "don't install anything that references username games".

I get similar requests for z/VM: explain what all of these users in USER DIRECT are and why they need the privilege they need. It doesn't matter that they've been there for 25 (or 40) years and that people "in the know" don't worry about it. The auditors aren't necessarily experts in all operating systems and aren't steeped in all lore. They're just good people trying to do their job to the best of their ability with insufficient resources. (Sound familiar?)

So let's not rush to judgement and instead give Marcy the information she needs to *satisfy* the auditors (her goal). I can't imagine that taking on Wells Fargo IT security policy in the LINUX-390 listserver will help anyone, particularly Marcy.

Most companies review their IT security policy (and auditor guidelines) on a regular basis. If you find that you are always having to get filed Deviations or Exceptions for your systems, or answer too many irrelevant questions, then it would be a Good Thing to insert yourself into the review process.
Trying to change The Rules outside of this mechanism usually wastes your time and annoys the pig.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
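Since the practical goal in the thread is to give Marcy evidence that satisfies the auditor about accounts like `games`, here is an added example (not from the list post, IBM, or any distribution's tooling) that cross-references local accounts with the installed packages that ship files owned by each account, so an account can be documented as package-owned or flagged as a removal candidate. The passwd lines and rpm output are constructed sample data, and the rpm query format quoted in the comment is the one the parser assumes.

```python
# Constructed /etc/passwd excerpt (sample data, not from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
legacy:x:505:505:retired app:/var/lib/legacy:/sbin/nologin
marcy:x:1000:1000:Marcy:/home/marcy:/bin/bash
"""
# Constructed sample of what the assumed query below prints: one line per
# packaged file, giving package, owning user and path.
#   rpm -qa --qf '[%{=NAME} %{FILEUSERNAME} %{FILENAMES}\n]'
SAMPLE_RPM_FILES = """\
setup root /etc/passwd
filesystem root /usr/bin
filesystem games /var/games
filesystem games /usr/games
coreutils root /usr/bin/ls
"""

def parse_passwd(text):
    """Map account name -> uid for every well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            accounts[fields[0]] = int(fields[2])
    return accounts

def parse_rpm_files(text):
    """Map owning user -> {package: number of files it ships as that user}."""
    owners = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            pkg, user, _path = parts
            by_pkg = owners.setdefault(user, {})
            by_pkg[pkg] = by_pkg.get(pkg, 0) + 1
    return owners

def account_report(passwd_text, rpm_text, uid_min=1000):
    """Classify each account as 'human' (uid >= uid_min, reviewed elsewhere),
    'package-owned' (an installed package ships files as this user) or
    'no-package-reference' (a system account nothing refers to: removal candidate)."""
    owners = parse_rpm_files(rpm_text)
    report = {}
    for name, uid in parse_passwd(passwd_text).items():
        pkgs = owners.get(name, {})
        status = ("human" if uid >= uid_min else
                  "package-owned" if pkgs else "no-package-reference")
        report[name] = {"uid": uid, "status": status, "packages": pkgs}
    return report
```

On a real host, feed it the contents of /etc/passwd and the output of the rpm query in the comment; the package names beside `games` are the documentation the auditor is asking for, and the `no-package-reference` entries are the ones worth a real answer.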