On Mon, 22 May 2006 00:00:00 GMT, Ted MacNEIL <[EMAIL PROTECTED]> wrote:
>>This is only a wish.
>
>In North America, it's more than a wish.
>It's a requirement.
>
>
>>Focusing on mainframe shops I've got to admit, very
>>often there is no position even for auditor, so "auditor role"
>>is maintained by ...security administrator.
>
>This is relevant to all organisations, not just mainframe shops.
>
>
>>Separate auditor, even external, hired just for few days is only
>>a wish. BTDT.
>
>It's only a wish that I don't embezzle money from my company?

Ok, Ted, I'll bite again. As a matter of fact, some people DO embezzle.

You made the blanket statement that, "Auditors neither make rules, nor enforce them." No one has disagreed with you that it *should* be as you describe, but your insistence that it *is* reveals your naivete. Some of us have experiences with auditors who DO make the rules and who DO enforce them.

The fact that the auditor's findings can be challenged is of little value in a corporation where management is too spineless to challenge the auditors. At my previous job, the corporate fear of the auditors extended at least three levels of management above me. It is difficult for a technician to effectively challenge the findings of an auditor in such an environment.

>
>
>>Sometimes this "admin/auditor" is also responsible for many other
>>things.
>
>As long as creation/reporting/enforcement are not all done by the
>same people, other things are allowed.
>
>>Creating standards by auditor sounds obvious in such scenario.
>
>Not if you follow the principles of "separation of duty", which
>has many reasons for existence!
>Do you allow the guy who wrote the programme promote it to
>production?
>Or, do you separate the duties?
>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

