I have had management sign off on the risk after I estimated the effort it 
would take to remediate an issue.  Being a security geek myself, sometimes I 
disagree with the risk; other times I think they're being reasonable.  But I'm 
not the one entrusted with that decision, after all.

But yeah, gotta admit that some management teams feel they have to fix 
everything the auditors point at.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Humour is the only test of gravity, and gravity of humour, for a subject 
which will not bear raillery is suspicious, and a jest which will not bear 
serious examination is false wit.  -Aristotle */

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Pommier, Rex
Sent: Thursday, February 9, 2023 16:17

OK, most auditors don't shoot the survivors directly, but in many instances, 
the company's management simply takes the auditors at their word and shoots the 
survivors on behalf of the same auditors.  In my career, I've been in both 
positions; that of having blind management and having management who asked my 
position before making decisions.  

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of Bob 
Bridges
Sent: Thursday, February 9, 2023 3:03 PM

Steve Thompson's reply about lawyers got me to look at this bit about 
auditors.  Do auditors ~ever~ shoot the survivors?  In my experience, both 
internal and external auditors report to management; it is management who 
decide whether to fix the problem or sign off on the risk.

I don't think I'm prejudiced in this.  My degree is in Accounting, but I have 
never worked in anything but computer jockery of various kinds.  Well, wait, on 
two occasions I worked a one-week IT audit, supplementing the audit team as a 
mainframe SME.  (Auditors generally understand networks, but are helpless on 
mainframes.)  But that's all.

Those two occasions do match what you say about running years-old procedures, 
though.  Although from what I can remember, the checklist on RACF security that 
they gave me to follow was fairly complete.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* 'I Love Lucy' left here years ago and has gone past a few thousand stars.  
Only the nearby stars have seen 'The Simpsons.'  The earth is brighter than the 
sun at television frequencies.  -SETI astronomer Dan Werthimer */

--- On 2/9/2023 9:25 AM, Tom Longfellow wrote:
> ....my opinion of Auditors is pretty low.    They just come in.   Rerun 
> procedures and checks developed in the 70's and published in a book.   With 
> no regard for the real world functions of the systems.    And then they go to 
> the battlefield and "Shoot the survivors"

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
