Rick Fochtman wrote:
IMHO, any auditor should be ecstatic if he finds any limit under 11 set.
It's not up to him to "dictate" security policy, only to examine and
recommend (possible) improvements.
for a little topic drift, slightly related thread in another news group
http://www.garlic.com/~lynn/2007b.html#33 security engineering versus
information security
http://www.garlic.com/~lynn/2007b.html#35 security engineering versus
information security
mentioning my merged security taxonomy and glossary
http://www.garlic.com/~lynn/index.html#glosnote
doesn't have a definition for auditor ... but has several audit related
definitions ... including
audit
A family of security controls in the technical class dealing with ensuring activity involving access to and modification of sensitive or critical files is logged, monitored, and possible security violations investigated. [800-37]
A service that keeps a detailed record of events. [IATF]
An independent examination of a work product or set of work products to assess compliance with specifications, standards, contractual agreements, or other criteria. [IEEE610]
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures. [CNSSI]
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established security policies and procedures, and/or to recommend necessary changes in controls, policies, or procedures to meet security objectives. [CIAO]
Independent review and examination of records and activities to determine compliance with established usage policies and to detect possible inadequacies in product technical security policies or their enforcement. [AJP][FCv1]
The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures. [NSAINT]
The independent examination of records to assess their veracity and completeness. To record independently and examine documents or system activity (e.g. logins and logouts, file accesses, security violations). [AFSEC]
The official review, examination, and verification of system records and activities to ensure the adequacy of established IT security controls and procedures; to identify any nonfunctional controls or new vulnerabilities [NASA]
... snip ...
however, did have a definition of auditor that was part of the "6670" sayings
... random definitions (which also included all the ibm jargon entries) selected for
printing on 6670 separation sheet
[Business Maxims:] Signs, real and imagined, which belong on the walls of the
nation's offices:
1) Never Try to Teach a Pig to Sing; It Wastes Your Time and It Annoys the Pig.
2) Sometimes the Crowd IS Right.
3) Auditors Are the People Who Go in After the War Is Lost and Bayonet the
Wounded.
4) To Err Is Human -- To Forgive Is Not Company Policy.
... snip ...
one of the same 6670s was used to print the april 1st corporate directive on
passwords ... mentioned earlier in this thread (and led to putting all
corporate letterhead paper under lock & key)
http://www.garlic.com/~lynn/2007b.html#6 Special characters in passwords was
Re: RACF - Password rules
past postings mentioning a security audit that included a search of the facility
looking for unsecured classified material ... including searching the various
6670 printer areas. an auditor took it as a personal affront when one of the
6670 outputs had the definition
http://www.garlic.com/~lynn/99.html#52 Enter fonts (was Re: Unix
case-sensitivity: how did it originate?
http://www.garlic.com/~lynn/2001g.html#5 New IBM history book out
http://www.garlic.com/~lynn/2002o.html#24 IBM Selectric as printer
http://www.garlic.com/~lynn/2004l.html#61 Shipwrecks
http://www.garlic.com/~lynn/2005f.html#48 1403 printers
http://www.garlic.com/~lynn/2005f.html#51 1403 printers
http://www.garlic.com/~lynn/2005r.html#29 Job seperators
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html