I had an audit interview with Deloitte and Touche regarding
our security on our HP3000 in 1993.  We were using Security/3000
and they were happy with our implementation.  They wanted some
additional procedures in place so we stated that we' also
buy VEAudit/3000 before the next years audit.  (So that
sandbagged them for another year.)  I left before the next
audit but then I also left 3 months before they went belly up.

I learned after the audit that D&T wanted to recruit me, and
I turned them down.

Tracy Johnson
MSI Schaevitz Sensors


>-----Original Message-----
>From: Raymond Familar [mailto:[log in to unmask]]
>Sent: Thursday, September 13, 2001 5:26 PM
>To: [log in to unmask]
>Subject: Re: Help!! Auditors
>
>
>I have had similar problems with our internal auditors.  They
>don't seem to
>understand that there are platforms other than NT and UNIX.  Before I
>showed up to set up the systems, HP Security Monitor had been
>purchased.
>Audit had a number of issues with the product.  One issue was that the
>security group had set up SecMon to log the use of NEWUSER and ALTUSER.
>That seems reasonable, but that also means that the password
>is recorded in
>the log in plain text.  Yes, the user should change their password once
>they use that initial login, but there is no way to ensure
>that happens.
>HP wasn't much help with the SecMon.  When we called to open
>an SR on that
>issue, the techs had no real knowledge of the product.  I was told that
>they are using security/3000.  Now we are moving to security/3000 after
>going PROD.  Yes, lots of fun.  My recommendation is to go with
>security/3000 and save yourself some headaches.
>
>* To join/leave the list, search archives, change list settings, *
>* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *