Steve🏳️‍🌈

@donaldball @calamari

This is far more about the companies doing the implementations than the compliance frameworks themselves. Companies will do the bare minimum to pass audit and then completely ignore the ongoing audits, assessments, and improvement cycles demanded by the compliance framework. With SOC2 you can get away with some of this, less so in FedRAMP, and even less so in ISO, but companies don't want to spend money to mitigate risks - all they want is tech magic they can ignore.

Daniel Farina

@gaysteve @donaldball @calamari this sounds like the most accurate description to me. I’ve been through the SOC process a few times, I can see how companies want to take some mostly reasonable norms on what they’re supposed to audit and try to abstract it to a software package.

I have always found the anti-malware norms both reasonable in principle and vexing in implementation myself. This is where invasive endpoint software shows up.

Dr. Mastodonocologist

@gaysteve @donaldball @calamari
Counterpoint: compliance auditors are usually more interested in ticked boxes than meaningful security measures, and we must give them what they want. Every organization has a limited amount of time, staff, and resources. After two SOC2 Type 2 audits we have spent more time adjusting our existing infrastructure to document compliance than doing the very real, time-consuming work of increasing our monitoring/logging capability, and eliminating "edge cases".
