On Wednesday, 01/16/2008 at 01:48 EST, "McBride, Catherine" <[EMAIL PROTECTED]> wrote:
> For a SOX audit I'd almost agree with you, as you bring up some valid points.
> This was a PCI audit. The key difference that we've found between SOX and PCI
> is that for SOX you create policy statements to meet SOX guidelines and are
> tested on how well you adhere to your own policies. For PCI you are tested
> against the external PCI standards (as issued by the Payment Card Industry
> Council). A HiperSocket would have more than met the standard of a private,
> dedicated connection, had anyone been willing to listen. But instead the guy
> formulated a strong opinion and would not alter his position.

It doesn't really matter if it is SOX or PCI. The only difference is who establishes the policy. If you can establish an audit point that can be used to demonstrate that you have a "private dedicated" connection, then your auditor is wrong. Of course, the second you attach a 3rd LPAR (or another guest) to the HiperSocket, you no longer meet the criteria since you cannot establish access controls on a HiperSocket that allow LPARs 2 and 3 to talk only with LPAR 1, not with each other. It might be "private," but it sure is hard to call it "dedicated".

Alan Altmark
z/VM Development
IBM Endicott
