Stop claiming that SOC is an information security certification. Stop treating SOC2 Type II as an indicator of anything other than achieving SOC2 Type II, a standard created and audited by accountants.

@fuzztech I wonder if the name collision with Security Operations Center was intentional...

@fuzztech To be frank, it seems unlikely that IT experts could do any better than accountants.

@fuzztech The difference is that the IT field doesn't know what its doing.

Computer scientists don't give a flying f_ck anymore about advancing the field with respect to the systems used for everyday business; if computer security is a dumpster fire the response is always to make the dumpster smaller and faster.

@fuzztech @Viss
My favorite part of soc2 is the company gets to make up their own rules, and the auditor just checks to see if you can pretend you're following those rules. Want to see the company's rules? No, that's secret.

@FritzAdalis @fuzztech thats how sox works too!

@fuzztech @FritzAdalis companies who pass either soc2 or sox or both

@FritzAdalis @fuzztech @Viss it’s easy to provide evidence I’m following the rules I made up.

@Viss @fuzztech @FritzAdalis

Any accountability or change management system shortcut;

1. Start with the basics: document new, change/update, archive, delete process into documents
2. Record that as part of process you do not record processes (insert any reason) following above process documentation
3. You are compliant, in accordance with *most* auditing processes

@Aprazeth @fuzztech @FritzAdalis it sounds like you are assuming most companies do compliance because they want to do the right thing or be secure or whatever, and are not just doing:
- the bare minimum legally required, often times way less
- some set of hoops/hurdles that some huge customer, or the government or some industry is demanding of them before they are allowed to 'play in that pool' for work

@Aprazeth @Viss @fuzztech @FritzAdalis I mean I get what you all are saying, but when I had a role in the past during which they involve me creating the rules... Those weren't just made up rules for rules sake. Oh no.. I made enemies with those rules!

@sassdawe @Aprazeth @fuzztech @FritzAdalis i have discovered that its a way bigger set of fakery and bullshit in the US than it is outside of the US. there are still folks in europe who play by american rules, but the ratios are different. more people 'care' outside of the us.

@Drat @fuzztech @Viss
You would think that, wouldn't you.

@FritzAdalis @Drat @fuzztech i have stories here. absolutely fucking wild ones

SOC is not an ideal security certification but it does have some use and can be a starting point leading to better options.

It's true that you can make up your own rules (aka controls) but you have to follow them for the audit year and any changes will be for the following year. The auditors know the rules and the report that you send to your customers will have them as well. Any failures and remediations will be in the report so they can determine how well you actually performed these rules.

My work does hosting for state agencies in Azure Government. This means often means a lot of contractual language that sometimes goes beyond our typical standards. We'd be crazy not to create controls that exceed our normal security/compliance standards to make sure we cover all of our customers' requests.

The biggest value to me is that every time one of our state agency customers gets audited by the state, the RSA, Social Security Administration, creating an SSP, etc. and try to dump it on us as a vendor, we can just provide a SOC 2 report to show that we've audited for these things in our control and passed.

It would be a full-time job if I had to chase down compliance for everything in their contracts instead of giving them the report. It would be like being audited over and over all the time. Trust me, I've been invited to several customers' audit meetings to try to get me to answer their questions for them. I've had several others try to get me to fill out their NIST 800-53 framework for them as well. Being able to push back on that is worth having a SOC 2 report around.

All that said, we're moving on to GovRAMP for our security compliance. It's highly requested and will soon be mandatory for some customers. We couldn't have jumped straight to it so SOC 2 was a good stepping stone to get it moving.

CC: @fuzztech@infosec.exchange @Viss@mastodon.social

@fuzztech it is better than the HITRUST extortion racket

@fuzztech oh, you can get a cheap $5k soc2 and that would be fine

- said the CEO of the security "compliance" startup who rejected me