Re: Password Complexity

2006-05-24 Thread Ted MacNEIL
>try to convince management to have separate or just external auditor, usually with poor effects.
In North America, that would be classified as a: "Regulatory Deficiency".
- -teD 300,000 Kilometres per Second Not only is it a good idea! It's the LAW!!!

Re: Password Complexity

2006-05-23 Thread R.S.
Bruce Black wrote: Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintained by ...security administrator. I can't quote the Latin (I took French) but the famous Latin quote translates to something like "who shall guard t

Re: Password Complexity

2006-05-23 Thread Jan MOEYERSONS
>I can't quote the Latin (I took French) but the famous Latin quote translates to something like "who shall guard those selfsame guardians", i.e., who is watching the security administrator?
quis custodiet ipsos custodes
Cheers, Jantje.

Re: Password Complexity

2006-05-22 Thread Tom Marchant
On Mon, 22 May 2006 00:00:00 GMT, Ted MacNEIL <[EMAIL PROTECTED]> wrote:
>>You made the blanket statement that, "Auditors neither make rules, nor enforce them." No one has disagreed with you that it *should* be as you describe, but your insistence that it *is* reveals your naivete.
>
>It's n

Re: Password Complexity

2006-05-22 Thread Ted MacNEIL
>You made the blanket statement that, "Auditors neither make rules, nor enforce them." No one has disagreed with you that it *should* be as you describe, but your insistence that it *is* reveals your naivete.
It's not naïveté. It has given me the cojones to tell the auditors to find somebody wh

Re: Password Complexity

2006-05-22 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Bruce Black
>
> > Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintained by ...security administrator.
> I can't quote the Latin (I

Re: Password Complexity

2006-05-22 Thread Tom Marchant
On Mon, 22 May 2006 00:00:00 GMT, Ted MacNEIL <[EMAIL PROTECTED]> wrote:
>>This is only a wish.
>
>In North America, it's more than a wish.
>It's a requirement.
>
>>Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintain

Re: password complexity

2006-05-22 Thread john gilmore
The Latin tag Bruce was looking for is Quis custodiet ipsos custodes? John Gilmore Ashland, MA 01721-1817 USA

Re: Password Complexity

2006-05-22 Thread Bruce Black
Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintained by ...security administrator. I can't quote the Latin (I took French) but the famous Latin quote translates to something like "who shall guard those selfsame guardian

Re: Password Complexity

2006-05-22 Thread Ted MacNEIL
>This is only a wish.
In North America, it's more than a wish. It's a requirement.
>Focusing on mainframe shops I've got to admit, very often there is no position even for auditor, so "auditor role" is maintained by ...security administrator.
This is relevant to all organisations, not just ma

Re: Password Complexity

2006-05-22 Thread R.S.
Ted MacNEIL wrote: Auditors neither make rules, nor enforce them. I wish. They come armed with checklists that have no connection to actual requirements. Yes. But. In theory, they should not be creating those lists. Nor should they be enforcing them. All they can do is document where

Re: Password Complexity

2006-05-19 Thread Ted MacNEIL
>Arthur Andersen?
>I thought they were cleared of wrongdoing by the Justice Department?
Yes, but why did they get in trouble? Simplistically put, because they didn't have a clear separation of duties. And, I don't think their reputation ever recovered.
- -teD 300,000 Kilometres per Second Not

Re: Password Complexity

2006-05-19 Thread Lock Lyon
to IBM Mainframe Discussion List To IBM-MAIN@BAMA.UA.EDU cc Subject Re: Password Complexity Yes. But. [...snip...] Whatever happened to Arthur Andersen? Prime example! - -teD -- For IBM-MAIN subscribe / signoff / a

Re: Password Complexity

2006-05-18 Thread Ted MacNEIL
>>Auditors neither make rules, nor enforce them.
>I wish. They come armed with checklists that have no connection to actual requirements.
Yes. But. In theory, they should not be creating those lists. Nor should they be enforcing them. All they can do is document where you are not following

Re: Password Complexity

2006-05-18 Thread Shmuel Metz (Seymour J.)
In <[EMAIL PROTECTED]>, on 05/16/2006 at 12:00 AM, Ted MacNEIL <[EMAIL PROTECTED]> said:
>Auditors neither make rules, nor enforce them.
I wish. They come armed with checklists that have no connection to actual requirements.
-- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO posit

Re: Password Complexity

2006-05-17 Thread Knutson, Sam
TECTED] On Behalf Of Paul Gilmartin Sent: Tuesday, May 16, 2006 9:25 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Password Complexity I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13.

Re: Password Complexity

2006-05-17 Thread R.S.
Chase, John wrote: -Original Message- From: IBM Mainframe Discussion List On Behalf Of R.S. [ snip ] BTW: One of the biggest Polish computer (PC) assemblers had ISO. The quality of their PCs was horrible, but the (poor) quality was predictable and repeatable. And the process was

Re: Password Complexity

2006-05-17 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> [ snip ]
>
> BTW: One of the biggest Polish computer (PC) assemblers had ISO. The quality of their PCs was horrible, but the (poor) quality was predictable and repeatable. And the process was precisel

Re: Password Complexity

2006-05-17 Thread R.S.
Hal Merritt wrote: Bingo. And now we are back to the question: 'Who audits the auditors?' Folks from the EU please opine on the effectiveness of ISO 9000. I heard that the EU embraced ISO 9000 to the point of being the law in many countries. It seems ISO 9000 fell out of favor here in the US

Re: Password Complexity

2006-05-17 Thread Hal Merritt
ago. Or are we getting too far off topic? -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ted MacNEIL Sent: Tuesday, May 16, 2006 7:00 PM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Password Complexity If they are creating rules, they are

Re: Password Complexity

2006-05-17 Thread Ted MacNEIL
That should have said "corporate compliance officers". - -teD O-KAY! BLUE! JAYS! Let's PLAY! BALL! -Original Message- From: Ted MacNEIL <[EMAIL PROTECTED]> Date: Wed, 17 May 2006 00:00:00 To:IBM-MAIN@BAMA.UA.EDU Subject: Re: Password Complexity >>

Re: Password Complexity

2006-05-17 Thread Ted MacNEIL
>>
>>They can only cite rules; not make them.
>>
>How can you be so certain?
If they are creating rules, they are corporate compliance auditors. If they are creating, enforcing, and reporting on rules, they have a conflict of duty. These three functions should be under what is known as "separat

Re: Password Complexity

2006-05-17 Thread Hal Merritt
f R.S. Sent: Tuesday, May 16, 2006 4:00 PM To: IBM-MAIN@BAMA.UA.EDU Subject: Re: Password Complexity Ted MacNEIL wrote: But seriously: I'm not sure about the above. Who should enforce the rules ? -- Radoslaw Skorupka Lodz, Poland

Re: Password Complexity

2006-05-17 Thread Tom Marchant
On Wed, 17 May 2006 07:12:04 -0500, Chase, John <[EMAIL PROTECTED]> wrote:
>> A lot of people ascribe too much power to an auditor.
>
>Same with police, whose primary "job" is to collect and preserve evidence after the crime has occurred.
>
Please don't go there. Idealized generalizations have li

Re: Password Complexity

2006-05-17 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of R.S.
>
> Ted MacNEIL wrote:
> > >>should occur to someone that auditors spelling out such 'requirements'
> >
> > Auditors neither make rules, nor enforce them.
> > All they can do is report.
> >
> > A lot o

Re: Password Complexity

2006-05-17 Thread Chase, John
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Ted MacNEIL
>
> >should occur to someone that auditors spelling out such 'requirements'
>
> Auditors neither make rules, nor enforce them.
Correct.
> All they can do is report.
They can also offer advice, for whi

Re: Password Complexity

2006-05-17 Thread Tom Marchant
On Wed, 17 May 2006 00:00:00 GMT, Ted MacNEIL <[EMAIL PROTECTED]> wrote:
>>>Auditors neither make rules, nor enforce them.
>>>All they can do is report.
>
>>Oh, really?
>
>Yes. Really!
An interesting hypothesis, but inconsistent with my experience.
>
>They can only force you to answer questions.

Re: Password Complexity

2006-05-17 Thread Ted MacNEIL
>>Auditors neither make rules, nor enforce them.
>>All they can do is report.
>Oh, really?
Yes. Really! They can only force you to answer questions. They can overload you, but they cannot force you to follow the rules. They can report you to your compliance officers for being uncooperative. The

Re: Password Complexity

2006-05-17 Thread Tom Marchant
>Auditors neither make rules, nor enforce them.
>All they can do is report.
Oh, really?

Re: Password Complexity

2006-05-16 Thread Gerhard Postpischil
Ted MacNEIL wrote: should occur to someone that auditors spelling out such 'requirements' Auditors neither make rules, nor enforce them. All they can do is report. A lot of people ascribe too much power to an auditor. Perhaps, but auditors have indirect powers. I can request detail records

Re: Password Complexity

2006-05-16 Thread Kirk Talman
A faucet dripping while you are trying to sleep does not make you get up and turn it off. But if you cannot sleep, you are likely to do it. Ditto auditors. If you are a financial institution or one of their "business partners", the size of the, uh, uh, flow is quite large and can dampen your f

Re: Password Complexity

2006-05-16 Thread Ted MacNEIL
>But seriously: I'm not sure about the above. Who should enforce the rules ?
Corporate compliance officers.
- -teD O-KAY! BLUE! JAYS! Let's PLAY! BALL!

Re: Password Complexity

2006-05-16 Thread R.S.
Ted MacNEIL wrote: should occur to someone that auditors spelling out such 'requirements' Auditors neither make rules, nor enforce them. All they can do is report. A lot of people ascribe too much power to an auditor. Maybe I re-phrase it: Auditors neither SHOULD make rules, nor SHOULD enf

Re: Password Complexity

2006-05-16 Thread Ted MacNEIL
>should occur to someone that auditors spelling out such 'requirements'
Auditors neither make rules, nor enforce them. All they can do is report. A lot of people ascribe too much power to an auditor.
- -teD O-KAY! BLUE! JAYS! Let's PLAY! BALL!

Re: Password Complexity

2006-05-16 Thread Walt Farrell
On 5/16/2006 10:24 AM, [EMAIL PROTECTED] wrote: I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13. Does any reader of this list know the source of this requirement? Sarbanes-Oxl

Re: Password Complexity

2006-05-16 Thread Hal Merritt
d that poorly thought out 'requirements' will work to open more holes than are closed. My $0.02. -Original Message- From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Paul Gilmartin Sent: Tuesday, May 16, 2006 9:25 AM To: IBM-MAIN@BAMA.UA.EDU Subject: Password Co

Password Complexity

2006-05-16 Thread Paul Gilmartin
I read somewhere that the motivation for support of mixed case passwords in z/OS v1r7 is an external requirement that the password space have cardinality at least 10^13. Does any reader of this list know the source of this requirement? Sarbanes-Oxley (chapter and verse)? Other (specify)? While s