For a SOX audit I'd almost agree with you, as you bring up some valid
points. This was a PCI audit. The key difference that we've found between
SOX and PCI is that for SOX you create policy statements to meet SOX
guidelines and are tested on how well you adhere to your own policies. For
PCI you are tested against the external PCI standards (as issued by the
Payment Card Industry Council). A HiperSocket would have more than met the
standard of a private, dedicated connection, had anyone been willing to
listen. But instead the guy formulated a strong opinion and would not
alter his position.
-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]] On Behalf Of Alan Altmark
Sent: Wednesday, January 16, 2008 12:15 PM
To: [email protected]
Subject: Re: Security Updates

<snip>
C'mon, folks. Auditors don't set policy, they monitor/enforce it. If
your policy says "All traffic between two hosts that carries personally
identifiable information must be encrypted," then the policy is to blame,
not the auditor.

<snip>