On 1 Nov 2005 09:57:53 -0800, in bit.listserv.ibm-main
[EMAIL PROTECTED] (McKown, John) wrote:
Reminds me of an actual request from an auditor many years ago:
<quote>
List all possible exits in every piece of software installed on your MVS system. Further detail everything that could be done by using those exits.
</quote>
On 1 Nov 2005 09:53:16 -0800, in bit.listserv.ibm-main
[EMAIL PROTECTED] (Farley, Peter x23353) wrote:
Shouldn't any competent auditor who is asking about a vendor's programs know that they have to ask the vendor, not the user? Shouldn't your only response have to be "Ask IBM"?
On 2 Nov 2005 13:30:51 -0800, in bit.listserv.ibm-main
[EMAIL PROTECTED] (Mark Yuhas) wrote:
I do not have the luxury of saying 'Because IBM did it that way'. I have to explain or we get another mark against us in the audit report.
And I once had an auditor ask me, "What is RACF?".
A good auditor (whether internal or external) helps
us by finding potential security flaws that we missed. The
auditors we're discussing here merely justify their
existence by giving black marks. Unfortunately, some
management and some clients look only at the auditor
reports, but not at what they really mean.
Is there an organization that rates security
auditors? If not, is it time to create one?
We can tell management that the auditors are asking
silly questions and that the reports they're creating are
basically bogus [1], but it does no good; the report came
from an auditor so it must mean something (Garbage In,
Gospel Out). If there were a rating org for auditors, we
could report this silliness to them, and, eventually, show
that audit reports from company X are not reliable. It
should lead to better auditing (and therefore better
security), in the long run.
===
[1] "bogus" as used in USA and hackerdom (see the Jargon
File). I know that in England the word means something
different.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html