Dealing with auditors (was Re: We hit half-million: The Cidr Report)

Larry Sheldon LarrySheldon at
Wed Apr 30 21:23:17 UTC 2014

On 4/30/2014 11:30 AM, Valdis.Kletnieks at wrote:
> On Wed, 30 Apr 2014 15:40:43 -0000, Jamie Bowden said:
>> You're not funny.  And if you're not joking, you're wrong.  We just went over
>> this on this very list two weeks ago.
> And in that discussion, we ascertained that what the PCI standard actually
> says, and what you need to do in order to get unclued boneheaded auditors to
> sign the piece of paper, are two very different things.
> Yes, the PCI standard gives a list of 4 options and then continues on to
> say that other creative solutions are acceptable as well.  But if you
> discover mid-engagement that your auditor *thinks* it says "Thou shalt NAT",
> you have a problem.
> Anybody got recommendations on how to make sure the company you engage
> for the audit ends up sending you critters that actually have a clue? (Not
> necessarily PCI, but in general)

I am no longer active on the battlefield but as of the last time I was, 
it can't be did.

For years I managed various aspects of a UNIVAC 1100 operation and the 
audits thereof.  EVERY TIME, we were dinged badly because we didn't look 
like an IBM shop (some may be surprised to learn that different hardware 
and different operating systems require very different operating 
procedures), and it appeared to us that some of the things they wanted us 
to do would weaken us badly, others just simply didn't make any sense, 
and we got dinged for things we DID do, because they were strange.

Later years I was in a small 1100-many HP9000 shop--same thing only 
different.  (That was also the environment with a medical school and 
hospital with Internet-accessible heart monitors on Windows 95.)

I think there has been some drift away from IBMishness as The Gold 
Standard, but it still looks like there is no allowance for the real 
world in computing and networking.
Requiescas in pace o email           Two identifying characteristics
                                         of System Administrators:
Ex turpi causa non oritur actio      Infallibility, and the ability to
                                         learn from their mistakes.
                                           (Adapted from Stephen Pinker)