nanog mailing list archives

Dealing with auditors (was Re: We hit half-million: The Cidr Report)

From: Larry Sheldon <LarrySheldon () cox net>
Date: Wed, 30 Apr 2014 16:23:17 -0500

On 4/30/2014 11:30 AM, Valdis.Kletnieks () vt edu wrote:

On Wed, 30 Apr 2014 15:40:43 -0000, Jamie Bowden said:

You're not funny.  And if you're not joking, you're wrong.  We just went over
this on this very list two weeks ago.


And in that discussion, we ascertained that what the PCI standard actually
says, and what you need to do in order to get unclued boneheaded auditors to
sign the piece of paper, are two very different things.

Yes, the PCI standard gives a list of 4 options and then continues on to
say that other creative solutions are acceptable as well.  But if you
discover mid-engagement that your auditor *thinks* it says "Thou shalt NAT",
you have a problem.

Anybody got recommendations on how to make sure the company you engage
for the audit ends up sending you critters that actually have a clue? (Not
necessarily PCI, but in general)

I am no longer active on the battlefield but as of the last time I was,it can't be did.

For years I managed various aspect of a UNIVAC 1100 operation and theaudits thereof. EVERY TIME, we were dinged badly because we didn't looklike an IBM shop (some may be surprised to learn that different hardwareand different operating systems require very different operatingprocedures (and it appeared to us that some of the things they wanted usto do would weaken us badly, others just simply didn't make any sense,and we got dinged for things we DID do, because they were strange.

Later years I was in a small 1100-many HP9000 shop--same thing onlydifferent. (That was also the environment with a medical school andhospital with Internet-accessible heart monitors on Windows 95.)

I think there has been some drift away from IBMishness as The GoldStandard, but it still looks like there is no allowance for the realworld in computing and networking.

--
Requiescas in pace o email           Two identifying characteristics
                                        of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                        learn from their mistakes.
                                          (Adapted from Stephen Pinker)

Current thread:

Re: We hit half-million: The Cidr Report, (continued)
- - - Re: We hit half-million: The Cidr Report Owen DeLong (Apr 29)
    - Re: We hit half-million: The Cidr Report Jeff Kell (Apr 29)
    - Re: We hit half-million: The Cidr Report TheIpv6guy . (Apr 29)
    - Re: We hit half-million: The Cidr Report Jeff Kell (Apr 29)
    - Re: We hit half-million: The Cidr Report Blake Dunlap (Apr 30)
    - Re: We hit half-million: The Cidr Report Sholes, Joshua (Apr 30)
    - RE: We hit half-million: The Cidr Report Jamie Bowden (Apr 30)
    - Re: We hit half-million: The Cidr Report Valdis . Kletnieks (Apr 30)
    - Re: We hit half-million: The Cidr Report joel jaeggli (Apr 30)
    - Re: We hit half-million: The Cidr Report Sholes, Joshua (Apr 30)
    - Message not available
    - Dealing with auditors (was Re: We hit half-million: The Cidr Report) Larry Sheldon (Apr 30)
    - Re: Dealing with auditors (was Re: We hit half-million: The Cidr Report) William Herrin (Apr 30)
    - Re: We hit half-million: The Cidr Report Owen DeLong (Apr 29)
    - Re: We hit half-million: The Cidr Report Rick Astley (Apr 30)
  - Re: The Cidr Report Hank Nussbacher (Apr 26)
    - Re: The Cidr Report Seth Mos (Apr 26)
    - RE: The Cidr Report Deepak Jain (Apr 26)
    - Re: The Cidr Report Geoff Huston (Apr 27)
    - Re: The Cidr Report Fred Baker (fred) (Apr 30)