What did the original scope of the project state? If the customer did not
want to know the truth, then why the security audit?
Audit results usually report something management realizes, that there are
some problems, but does not want to see in a nicely written report.
Work with the VP and clearly state that the first step is admitting that
there are problems, so that a clear path to solving the problems can be clearly
defined and followed.
At 09:29 PM 2/19/98 -0500, Greg Collins wrote:
>We recently completed an audit for a financial institution. After we turned
>in our report we received word that the V.P. who commissioned the audit
>would like us to "tone down" the report. He apparently thinks that the audit
>was too harsh. I obviously have an opinion on this, but I would like to hear
>your thoughts on the subject.
>BTW, we found some very serious problems. Such as a UNIX machine accessible
>from the Internet...NO FIREWALL or anything to stop an intrusion. Yes, it
>was running a version of sendmail with known problems!
>Data Quest Information Systems
>"I have but one thing which cannot be taken from me, and that is my
>integrity. It I must give up of my own will."