itisit | 7 months ago

Do any SOC2 Type II auditors truly audit the businesses they’re making an attestation for? Like do they go onsite, physically and virtually, to probe and determine what’s true? Typically the client of an assessor provides compliance evidence in the form of screenshots of configuration details. Clearly this kind of evidence can be fabricated or adulterated.

kemotep | 7 months ago

Audits are a checkbox exercise. But like before every flight, pilots complete a checklist, checking boxes just like an audit.

It takes a culture of following through with what you say you do and SOC2 is at least a 2-part audit that has you show your policies in the first part and then a year later they validate your evidence that you do what you say. So that puts it well above any self-assessment like NIST (which still has excellent guidance for how to approach security).

A SOC2 doesn’t prove they don’t share your data with the government, for example, just that they follow what their privacy policy says (which could include clauses about sharing data with the government).

pyuser583 | 7 months ago

It’s really about business capacity, right? They want to make sure the organization functions in an intentional manner.

Able to make policies and follow them.

bigfatkitten | 7 months ago

Sometimes. I’ve been on calls to explain and show the auditor various things via screen share.

icedchai | 7 months ago

Even if they go on site, it can still be faked.