Bruce Black wrote:
Focusing on mainframe shops I've got to admit, very often there is no
position even for an auditor, so the "auditor role" is maintained by
...the security administrator.
I can't quote the Latin (I took French) but the famous Latin quote
translates to something like "who shall guard those selfsame guardians",
i.e., who is watching the security administrator? That's like asking a
programmer to do a review of his/her own code.
I am no fan of typical auditors, but a good, educated and intelligent
auditor can be a great benefit to a company.
Gentlemen,
Did I say it is a good solution?
I just described the reality. Boss tells you "you are responsible for
RACF, we don't have any other specialist". He doesn't care about
"details". Those administrators (it is *not* the only case!!!) sometimes
try to convince management to have a separate or just an external auditor,
usually with poor effects.
BTW: I know another funny case: a huge public company has a special "audit
department". However, nobody in the department is an IT specialist.
Especially they know absolutely *nothing* about mainframes. Nothing.
Never logged on. No user account. The decision was they should provide
audits for central system which is mainframe based. One of them took
RACF Administration course. He had absolutely no idea what I was talking
about (I was the teacher). In fact he didn't even try.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html