>
> All,
>
> We recently completed an audit for a financial institution. After we turned
> in our report we received word that the V.P. who commissioned the audit
> would like us to "tone down" the report. He apparently thinks that the audit
> was too harsh. I obviously have an opinion on this, but I would like to hear
> your thoughts on the subject.
> BTW, we found some very serious problems. Such as a UNIX machine accessible
> from the Internet...NO FIREWALL or anything to stop an intrusion. Yes, it
> was running a version of sendmail with known problems!

What were you hired to do? If you were hired to perform a security
audit and that included looking for problems, documenting them, and
recommending corrective action, then that is what you should have
done.
As long as you did not include personal attacks and you provided the
client with the appropriate information, do not tone it down.
I had a client take my report and tell his staff to prepare a response
to it before he would send it up the chain. That was a clear case of
CYA since he would be called on the carpet for the problems I identified.
This sounds similar but your client is taking it a step farther.
Just my opinion,
Eric
--
---------------------------------------------------------------------
Eric Maiwald, CISSP                          emaiwald @ fred . net
Director Security Services 301-977-6966
Fortrex Technologies, Inc. North Potomac, MD
---------------------------------------------------------------------