Date: Thu, 17 Dec 1998 12:42:50 -0800
Hi Greg :)
I used to do both at my former job and there the only requirement was
that I provide a complete audit trail. Also, my boss acted as my "check
and balance" person to confirm that I wasn't doing anything untoward.
Art "but the boss didn't really know what I was doing either hehehe" Bahrs
X-no-Archive:yes
I have a sincere question, albeit an ignorant one. What is the
justification for the "audit issue" that no one is supposed to do both systems and
development? I am looking for a cogent reason, not some standard party line
that makes little sense.
The justification I have been given is that this leaves no audit trail, and
perhaps said person could be covering their tracks. I can think of a number
of reasons why I do not find this persuasive. My main reasons are that a
person knowledgeable enough to do both can work so as to leave an audit
trail, that such a person could almost certainly cover their tracks
regardless, that divorcing these areas seems to breed ignorance and
misunderstanding of one area in members of the other, and that such a
person is then prevented from getting work done while waiting on a member of the
other. Of course, if they bring donuts to all the resulting meetings, at
least it's not a total loss.
I was discussing system security with a member of the security team, and
mentioned that I am supposed to show them MPE security and our use of
SEC/3000, since that is supposed to be their job to admin, not mine, but it has
been mine. The above issue then came up. We were SAS-70, and will be
striving for ISO-9000, and I am told that both audits have this as a
requirement.