On Mon, 2 Nov 2009, Jack Woehr wrote:
> Which is why I reflexively snarl when I hear about fools
> masquerading as computer security personnel handing down
> such guidelines.
But they are NOT 'masquerading as computer security personnel'
-- From Marcy's sending email domain, I suspect that she is
dealing with an 'assessor' under the CISP/PCI auditing
guidelines for credit card data security. Often, the assessor
has a checklist from his or her superiors, with an item like
this item to tick off ('remove unnecessary or unused
accounts'). I have an old source material farm for a course
in this space I taught at:
http://www.owlriver.com/issa/
They are doing a job without any discretion to vary the rules;
it MAY be possible to get such a variance, but it is not free,
and at the end of the day, probably not something the
'C-level' people to whom her working group reports are
interested in doing. To 'reflexively snarl' is not
productive and simply reflects badly on a person trying to
demonstrate professionalism to justify such a variance is
proper (in their exercise of sound judgment).
I spent a couple of weeks with the author of the CISP 2.0
revisions (who worked for a 'name' international accounting
firm) leading an entity I was contracting for through such,
and found him completely reasonable, and amenable to logic.
But at the end of the day, he needed to follow the equivalent
of an 'audit plan' and would be down-ticked for not doing so.
In no fashion was he 'masquerading', and he had a firm grasp
of the issues in play. But he was not to substitute his
discretion for clear rules.
And frankly as a matter of loss prevention, I would just as
soon that a random and undocumented exception NOT expose my
personal details to some skript kiddie trawling for cleartext
goodies.
-- Russ herrold
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390