
Stop claiming that SOC is an information security certification. Stop treating SOC2 Type II as an indicator of anything other than achieving SOC2 Type II, a standard created and audited by accountants.


As I wrote in 2021, SOC2 provides a highly valuable set of data in an easy-to-consume form, but even its creators will tell you it was never intended to serve as the sole criterion for a risk-based decision - something that often happens.

@fuzztech I wonder if the name collision with Security Operations Center was intentional...

@fuzztech To be frank, it seems unlikely that IT experts could do any better than accountants.


@tasket Word. But if I were writing a spec I doubt I would start, for example, by making an accounting certification created and implemented by IT experts. Hey it could be a really numerate IT guy but he just isn’t an accountant.


@fuzztech The difference is that the IT field doesn't know what it's doing.

Computer scientists don't give a flying f_ck anymore about advancing the field with respect to the systems used for everyday business; if computer security is a dumpster fire the response is always to make the dumpster smaller and faster.


@fuzztech @Viss
My favorite part of soc2 is the company gets to make up their own rules, and the auditor just checks to see if you can pretend you're following those rules. Want to see the company's rules? No, that's secret.


@FritzAdalis @Viss Hahaha so I almost went there. Suffice it to say you’ve encapsulated it perfectly.


@FritzAdalis @fuzztech @Viss it’s easy to provide evidence I’m following the rules I made up.


@Viss @fuzztech @FritzAdalis

Any accountability or change management system shortcut;

1. Start with the basics: document new, change/update, archive, delete process into documents
2. Record that as part of process you do not record processes (insert any reason) following above process documentation
3. You are compliant, in accordance with *most* auditing processes


@Aprazeth @fuzztech @FritzAdalis it sounds like you are assuming most companies do compliance because they want to do the right thing or be secure or whatever, and are not just doing:
- the bare minimum legally required, often times way less
- some set of hoops/hurdles that some huge customer, or the government or some industry is demanding of them before they are allowed to 'play in that pool' for work


@Aprazeth @Viss @fuzztech @FritzAdalis I mean I get what you all are saying, but when I had a role in the past that involved me creating the rules... Those weren't just made-up rules for rules' sake. Oh no.. I made enemies with those rules!


@sassdawe @Aprazeth @fuzztech @FritzAdalis I have discovered that it's a way bigger set of fakery and bullshit in the US than it is outside of the US. There are still folks in Europe who play by American rules, but the ratios are different. More people 'care' outside of the US.

SOC is not an ideal security certification but it does have some use and can be a starting point leading to better options.

It's true that you can make up your own rules (aka controls) but you have to follow them for the audit year and any changes will be for the following year. The auditors know the rules and the report that you send to your customers will have them as well. Any failures and remediations will be in the report so they can determine how well you actually performed these rules.

My work does hosting for state agencies in Azure Government. This often means a lot of contractual language that sometimes goes beyond our typical standards. We'd be crazy not to create controls that exceed our normal security/compliance standards to make sure we cover all of our customers' requests.

The biggest value to me is that every time one of our state agency customers gets audited by the state, the RSA, the Social Security Administration, creating an SSP, etc. and tries to dump it on us as a vendor, we can just provide a SOC 2 report to show that we've been audited for these things in our control and passed.

It would be a full-time job if I had to chase down compliance for everything in their contracts instead of giving them the report. It would be like being audited over and over all the time. Trust me, I've been invited to several customers' audit meetings to try to get me to answer their questions for them. I've had several others try to get me to fill out their NIST 800-53 framework for them as well. Being able to push back on that is worth having a SOC 2 report around.

All that said, we're moving on to GovRAMP for our security compliance. It's highly requested and will soon be mandatory for some customers. We couldn't have jumped straight to it so SOC 2 was a good stepping stone to get it moving.

CC: @fuzztech@infosec.exchange @Viss@mastodon.social

@Strog @Viss Thanks, @strog! I happen to agree with most of what you're saying; I think you're expanding on what I said in my second toot of the original two-toot thread (you replied to toot 1):

"SOC2 provides a highly valuable set of data in an easy-to-consume form, but even its creators will tell you it was never intended to serve as the sole criterion for a risk-based decision - something that often happens."

Where I quibble with you is, to paraphrase A.J. Jacobs, a SOC2 is a security certification in the same way that The Olive Garden is an Italian restaurant.

I'm not agreeing with the statement that SOC2 is not "an ideal security certification"; I contend that SOC2 is not a security certification at all, but rather a third-party attestation that the configurations of the components and policies within and governing the service provider's internal systems are consistent with the configuration requirements as outlined in their own policies.

I think the biggest issue is that, because security attestations and certifications are difficult to impossible to create, executives have tried to simplify the value proposition into a kind of binary state (much the same way that Target executives, baffled by losing hundreds of millions of credit cards, said aloud, "But we're PCI compliant!"): sure, they're "secure", they have a SOC2 Type II (which sounds like, but is not, a specific guarantee of the presence of specific "secure" conditions, which of course it is not). This is a marketing issue, and I guess I am upset that AICPA was just really good at marketing this as a "must have".

Happy new year!


@fuzztech it is better than the HITRUST extortion racket


@obrientg "Modestly cheaper than a pure extortion racket." That's even more perfect.


@fuzztech oh, you can get a cheap $5k soc2 and that would be fine

- said the CEO of the security "compliance" startup who rejected me
