On Wed, 16 Feb 2000 08:28:35 -0500, Joseph Rosenblatt
<[log in to unmask]> wrote:

>
>
>Without going into a rant, let me ask one question, when are auditors,
>managers and users going to understand that the IS staff will have access to
>sensitive materials?

They understand it. But the justifiably want to make sure that the
people who DO have access are NOT taking advantage of it. It's the
same reason they have the cash-handling controls on the tellers at the
front window.

>The fact that I have the ability to do something
>doesn't mean I will do it. Rules can be made regarding modification of
>files. If an operator or anyone else breaks these rules, they pay the price.

Ah but the request seems to be to provide a way to determine who, if
anyone, broke those rules, not the actual creation or enforcement of
such rules.

>"Idiot Proofing" the system is a lot of work for little return. A Policies
>and Procedures Manual goes a long way toward fixing the problem.

That's like saying since we have extensive legislation, we shouldn't
need a lot of police or investigators.

I think it's reasonable for a financial institution to be interested
in the kinds of things. I hope that all the institutions at which I
have deposited funds take a similar approach.

Ultimately, though, once you've satisfied the legal requirements, it's
a business decision. Does the cost of the extra security and
traceability come in less than the benefits of doing so? I would think
being able to thwart, or at least being able to fully investigate in
the aftermath of, any kind of financial electronic crime would be
pretty beneficial.