HP3000-L Archives

December 1998, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Tom Hula <[log in to unmask]>
Date: Thu, 17 Dec 1998 21:31:29 GMT
Content-Type: text/plain
Parts/Attachments: text/plain (28 lines)

Been there, done that.

"Stigers, Greg [And]" wrote:

> X-no-Archive:yes
> I have a sincere question, albeit an ignorant one. What is the justification
> for the "audit issue" that no one is supposed to do both systems and
> development? I am looking for a cogent reason, not some standard party line
> that makes little sense.
>
> The justification I have been given is that this leaves no audit trail, and
> perhaps said person could be covering their tracks. I can think of a number
> of reasons why I do not find this persuasive. My main reasons are that a
> person knowledgeable enough to do both can work so as to leave an audit
> trail, that such a person could almost certainly cover their tracks
> regardless, that divorcing these areas seems to breed ignorance and
> misunderstanding of one area in members of the other, and that such a person
> is then prevented from getting work done while waiting on a member of the
> other. Of course, if they bring donuts to all the resulting meetings, at
> least it's not a total loss.
>
> I was discussing system security with a member of the security team, and
> mentioned that I am supposed to show them MPE security and our use of SEC /
> 3000, since that is supposed to be their job to admin, not mine, but it has
> been mine. The above issue then came up. We were SAS-70, and will be
> striving for ISO-9000, and I am told that both audits have this as a
> requirement.