> we answered all questions from auditors and RFPs using the most favorable interpretation towards us of the question.
I am currently living this life. The problem is that the system is set up as a race to the bottom with opposed incentives.
If I answer with the strictest interpretation with my paranoid blue-team attitude, we appear worse than our competitors and are immediately in a worse business position - regardless of our relative or absolute security posture. This is why the Department of Defense is moving away from self-attestation in 800-171 to outside assessment in CMMC.
Why not standardize on ISO and SOC2? I don't know very much about it, but I suspect those big-boy standards aren't suitable for small-business America/sub-subcontractors
> Why not standardize on ISO and SOC2? I don't know very much about it, but I suspect those big-boy standards aren't suitable for small-business America/sub-subcontractors
Also, how is that any different? I've been through SOC2 and it was just the same "here's a bunch of questions that the auditors want us to answer and provide evidence for". Maybe a little better, but still something that you could bias by providing answers that were ... technically true...
To add to this, SOC1/SOC2 is only as useful as the security policies and standards and that assumes they were written around everything the company actually does. Auditors are only validating to some degree that you are doing what you say you are doing, but what you say you are doing may not be all-inclusive and respective of what you actually do.