Stop claiming that SOC is an information security certification. Stop treating SOC2 Type II as an indicator of anything other than achieving SOC2 Type II, a standard created and audited by accountants.

As I wrote in 2021, SOC2 provides a highly valuable set of data in an easy-to-consume form, but even its creators will tell you it was never intended to serve as the sole criterion for a risk-based decision - something that often happens.

@fuzztech WHAT?!?! Are you saying it's all security theater with a two drink minimum? *shocked I say, SHOCKED*

@fuzztech I wonder if the name collision with Security Operations Center was intentional...

@fuzztech To be frank, it seems unlikely that IT experts could do any better than accountants.

@tasket Word. But if I were writing a spec I doubt I would start, for example, by making an accounting certification created and implemented by IT experts. Hey it could be a really numerate IT guy but he just isn’t an accountant.

@fuzztech The difference is that the IT field doesn't know what its doing.

Computer scientists don't give a flying f_ck anymore about advancing the field with respect to the systems used for everyday business; if computer security is a dumpster fire the response is always to make the dumpster smaller and faster.

@fuzztech @Viss
My favorite part of soc2 is the company gets to make up their own rules, and the auditor just checks to see if you can pretend you're following those rules. Want to see the company's rules? No, that's secret.

@FritzAdalis @fuzztech thats how sox works too!

@FritzAdalis @Viss Hahaha so I almost went there. Suffice it to say you’ve encapsulated it perfectly.

@fuzztech @FritzAdalis companies who pass either soc2 or sox or both

@FritzAdalis @fuzztech @Viss it’s easy to provide evidence I’m following the rules I made up.

@Viss @fuzztech @FritzAdalis

Any accountability or change management system shortcut;

1. Start with the basics: document new, change/update, archive, delete process into documents
2. Record that as part of process you do not record processes (insert any reason) following above process documentation
3. You are compliant, in accordance with *most* auditing processes

@Aprazeth @fuzztech @FritzAdalis it sounds like you are assuming most companies do compliance because they want to do the right thing or be secure or whatever, and are not just doing:
- the bare minimum legally required, often times way less
- some set of hoops/hurdles that some huge customer, or the government or some industry is demanding of them before they are allowed to 'play in that pool' for work

@Aprazeth @Viss @fuzztech @FritzAdalis I mean I get what you all are saying, but when I had a role in the past during which they involve me creating the rules... Those weren't just made up rules for rules sake. Oh no.. I made enemies with those rules!

@sassdawe @Aprazeth @fuzztech @FritzAdalis i have discovered that its a way bigger set of fakery and bullshit in the US than it is outside of the US. there are still folks in europe who play by american rules, but the ratios are different. more people 'care' outside of the us.

@Drat @fuzztech @Viss
You would think that, wouldn't you.

@FritzAdalis @Drat @fuzztech i have stories here. absolutely fucking wild ones