Ted MacNEIL wrote:
Auditors neither make rules, nor enforce them.
I wish. They come armed with checklists that have no connection to actual
requirements.
Yes. But.
In theory, they should not be creating those lists.
Nor should they be enforcing them.
All they can do is document where you are not following them.
It's up to corporate compliance officers to enforce.
Also, you have the right to rebut(t).
Auditors are not that scary.
Creating, documenting, and enforcing standards are three duties that MUST be
separate duties.
Anything else is a conflict of interest.
This is only a wish. Focusing on mainframe shops, I've got to admit that very
often there is no position even for an auditor, so the "auditor role" is
maintained by... the security administrator. A separate auditor, even an
external one hired just for a few days, is only a wish. BTDT.
Sometimes this "admin/auditor" is also responsible for many other things.
Creating standards by the auditor sounds obvious in such a scenario.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html