I've worked with auditors at several companies, mostly accounting but some IT.  Some are better than others (which goes without saying).  One of the best was decades ago while on an S/3.  He would take the time to explain (a) what he wanted, and (b) why.  Learned a lot from that guy.  Heck, he even listened to us!  And helped us set up the kind of policy that John's talking about.  
At another company I interviewed DP auditors.  Most were accountants and didn't even know anything about an S/34.  I wound up hiring a professor at New Mexico State.  Boy, did he ding me - but it was worth the fee and time.
The ones here simply have an addendum to the accounting audit which, as Paul said, is just a script.  (Him: "What security level are you running at?" Me:  "40.  Why do you ask?"  Him: (blank stare))  I just know they're going to ding us next year for installing the LAN console ("You mean you can access the console from ANYWHERE?!  No, no.  The console's gotta be accessible only within the computer room.")
Jerry C. Adams
IBM System i Programmer/Analyst
B&W Wholesale
office: 615-995-7024
email:  jerry@xxxxxxxxxxxxxxx
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Earl
Sent: Wednesday, November 26, 2008 10:00 AM
To: Midrange Systems Technical Discussion
Subject: RE: Audit
Rob,
Your note underscores the need for an OS/400 based security policy.
As others have noted in this thread, many times the auditors don't
understand the technology, and it is virtually guaranteed that your
auditor does not understand how your business runs.  The value of a
written security policy then is that it is the contract that you (the
sysadmin, I assume) have with your enterprise on how you will secure the
system.  If you think QLMTDEVSSN should be set to '1', and the auditor
doesn't, the fact that you have it written (and signed by management) in
your policy this way and have exception language why it should be set to
a '1', obviates the need to go over it with your auditor.  It's already
been decided, it's in the policy, and you are securing the system
according to the policy.
Using this approach, it doesn't matter what standard you're having to
comply with, your own policy describes to the organization how you will
secure the system.  If someone doesn't like the way you have something
set, they can go argue with the (already approved and signed off)
policy, but they can't argue that you are not doing your job.
An audit doesn't have to be a traumatic event.  You just have to tell
the auditors what your game plan is and demonstrate that you are
following the plan.
jte
--
John Earl
The PowerTech Group, Inc. 
Direct:  253-479-1408
Mobile: 206-669-3336
 
www.powertech.com
 
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx 
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, November 25, 2008 10:35 AM
To: Midrange Systems Technical Discussion
Subject: Audit
Boss is asking me to gather data for an IT audit.  You know, 
I would be hard pressed to find a worse waste of time.  As 
usual, they want the list of system values.  I am sure that 
is so they can consider it a ding if we allow a user to have 
more than one session.  Doesn't matter if they can go to 30 
PC's and fire up browsers and look at the data but two 5250 
sessions is a concern.
Then they have the usual commands they want to be secured:  
STRSEU, UPDDTA that sort of rot.  Of course WRKQRY, RUNQRY 
QRYFILE..., STRSQL, EDTF are not in the list.  And no mention 
of WDSC, etc.
And, why be concerned about the special authority of *ALLOBJ 
when they don't check one file at all to see if you are using 
resource security? 
Does it matter if no one has *ALLOBJ yet *public has *all 
authority to the list of social security numbers and everyone 
has iSeries Access (or ftp, or ...)?
Gee, why don't we tell them that there is no twinax that 
leaves the locked door?  Based on the above wouldn't that 
then constitute a secured system?
Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com
--
This is the Midrange Systems Technical Discussion 
(MIDRANGE-L) mailing list To post a message email: 
MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change 
list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, 
please take a moment to review the archives at 
http://archive.midrange.com/midrange-l.