mathie25's comments

mathie25 | 4 years ago | on: Ask HN: Is the ISO 27001 certification worth it?

We have a SOC2 report type II, and security questionnaires/meetings are still there. Once, we had a security questionnaire from a potential customer, took a glance at it, and told the customer "hey, you can find all of the answers in our SOC2 report and in our CAIQ (CSA)"; they told us to still fill in the questionnaire...

mathie25 | 4 years ago | on: Ask HN: Is the ISO 27001 certification worth it?

The objective of most companies is to make money (let us be honest), thus the objective of the information security team is to make sure that the organization can achieve its objectives.

Thus, a lot of times, to sign customers, you need to be secure, as an IT/Security department can easily shut down any SaaS project if it is not secure enough. Having a certification like ISO 27001 or a report like SOC2 can really be helpful, and is sometimes a necessity. So ask yourself "does our company need a SOC2/ISO 27001 to sign customers? Is it a blocker for our business?". You never want to achieve compliance "just because"; you need a business reason to do it.

We started building our security program (ISMS) based on ISO 27001 (which is a really good basis in my opinion), but decided to get a SOC2 report instead. We started with a SOC2 type I report, then a type II. I personally find that a SOC2 is much more flexible than an ISO 27001 certification.

We mainly deal with big European customers, and SOC2 and ISO 27001 are seen as equal; never had a problem there. Most customers don't even read the report to be honest; it's a check in a box.

Having a SOC2 report or ISO 27001 certification shows that you care about security, and it sets the tone from the start.

mathie25 | 5 years ago | on: Joe Rogan Is the New Mainstream Media

I find that Joe Rogan can sometimes be hit or miss, but for the most part he has some interesting guests, the conversations with his guests are "natural" and do not seem forced, and I find that he knows how to ask good questions.

mathie25 | 6 years ago | on: Ask HN: How do you share passwords simply and securely?

We are using a hosted version of onetimesecret for internal usage.

We mainly used it on Slack. We made a slash command (/secret) to easily share passwords on Slack.

So the only thing you need to do is write /secret YourPassword.

After that, you need to be authenticated via Google SSO as we added a proxy. Yes, we know, the password goes through Slack.
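The setup described in this comment (a Slack slash command that turns a pasted password into a one-time link) has two properties worth getting right on the receiving side: the command handler must verify that the request really came from Slack, and the stored value must be readable exactly once and only before it expires. The following is an added example, not onetimesecret's code nor the commenter's own slash command; the in-memory `OneTimeStore`, the `handle_slash_command` handler, the `base_url` and the signing secret are all assumptions, and the Google SSO proxy that would sit in front of the retrieval page is not shown.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs


class OneTimeStore:
    """Hypothetical in-memory one-time secret store (added example).

    Each secret gets an unguessable key and a TTL; the first read removes
    it, so a link that has already been used, or has expired, yields nothing.
    """

    def __init__(self, ttl_seconds=600):
        self.ttl_seconds = ttl_seconds
        self._items = {}  # key -> (secret, expires_at)

    def put(self, secret, now=None):
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)  # 256 bits of entropy in the link
        self._items[key] = (secret, now + self.ttl_seconds)
        return key

    def take(self, key, now=None):
        now = time.time() if now is None else now
        entry = self._items.pop(key, None)  # pop: a second read sees nothing
        if entry is None:
            return None
        secret, expires_at = entry
        if now > expires_at:
            return None  # an expired link is discarded, never revealed
        return secret


def slack_signature(signing_secret, timestamp, body):
    """Slack's request signature: 'v0=' + hex HMAC-SHA256 over 'v0:<ts>:<body>'."""
    base = f"v0:{timestamp}:{body}".encode()
    digest = hmac.new(signing_secret.encode(), base, hashlib.sha256).hexdigest()
    return "v0=" + digest


def verify_slack_request(signing_secret, timestamp, signature, body,
                         now=None, tolerance=300):
    """Reject requests with a stale timestamp or a signature mismatch."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False
    if abs(now - ts) > tolerance:
        return False  # replayed or very old request
    expected = slack_signature(signing_secret, timestamp, body)
    return hmac.compare_digest(expected, signature or "")


def handle_slash_command(store, signing_secret, timestamp, signature, body,
                         base_url, now=None):
    """Handle '/secret <value>': verify Slack's signature, store the value,
    and answer with an ephemeral (sender-only) one-time link."""
    if not verify_slack_request(signing_secret, timestamp, signature, body, now):
        return {"ok": False, "status": 401, "error": "bad signature"}
    params = parse_qs(body)  # Slack posts the command as a form body
    text = params.get("text", [""])[0].strip()
    if not text:
        return {"ok": False, "status": 200, "text": "usage: /secret <value>"}
    key = store.put(text, now)
    # 'ephemeral' keeps the link out of the channel history; the plaintext
    # itself still transited Slack in the request body, as the comment notes.
    return {"ok": True, "status": 200, "response_type": "ephemeral",
            "text": f"{base_url}/s/{key}", "key": key}
```

The retrieval endpoint (not shown) would call `store.take(key)` once behind the SSO proxy and render the value; because `take` pops the entry, a link forwarded to a second person, or opened twice by the first, comes back empty, which is also the signal to rotate the credential if the intended recipient never saw it.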

mathie25 | 6 years ago | on: Collection of awesome projects, blog posts, books, and talks on quantifying risk

Good resources. I've been following Ryan McGeehan for a few years, and he's really dedicated to the development of simple risk management techniques. Risk management can be really difficult to grasp.

Additional interesting resources:
- Implementing Enterprise Risk Management by James Lam https://www.amazon.ca/Implementing-Enterprise-Risk-Managemen...
- Protiviti Guide to Enterprise Risk Management https://www.protiviti.com/sites/default/files/protivitierm_f...

mathie25 | 6 years ago | on: Don’t Put Your Work Email on Your Personal Phone

Same, we use gsuite MDM for BYOD just to ensure that personnel's devices have basic security configurations (e.g. encryption, lock screen, etc.). Beyond that, this MDM is quite limited in what it can accomplish.

mathie25 | 7 years ago | on: Ask HN: Best practices for onboarding new employees?

What we are doing at my company (we have a general onboarding process):

Before the onboarding:
- We make sure all access has been given to every SaaS/software/etc. needed for the employee to be able to work on day one. We have defined a list of the access needed for each job (engineering, finance, customer success, etc.).
- We make sure that we have all necessary hardware (e.g. MacBook, screens, keyboard, etc.) and that all necessary software/updates are already there.

Onboarding day:
- First meeting is about presenting our company: what we do, our values, the market in which we work, etc.
- Second meeting is finalizing the computer setup (e.g. password).
- Third meeting is about security (my job). I present security, talk about our policies, etc. It's a pretty lightweight discussion.
- Fourth meeting is the HR meeting (e.g. sign the NDA, talk about insurance, etc.).
- Final meeting is a presentation of our application.

All along the day, we make it clear that they can ask any questions, anytime.

After the onboarding: 1 week after the onboarding day, we send a survey about the onboarding day (what did you like, what could be improved, etc.). Only the Head of HR sees this (for confidentiality).

mathie25 | 8 years ago | on: Facebook announces Clear History feature

To be even more precise, you can refer to Article 6, section f) about Legitimate interests.

If you conduct business with an individual, most of the time your legal basis will be the Legitimate interests of both parties; you should only rely on consent for non-necessary parts/services (like subscribing to a newsletter, or sharing information for improving the service).

For a good summary of that, I would recommend this ICO document: https://ico.org.uk/media/about-the-ico/consultations/2013551...

mathie25 | 8 years ago | on: How GDPR Will Change The Way You Develop

"[...]Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union."

Quote from GDPR, page 5, recital 23 (http://www.privacy-regulation.eu/en/recital-23-GDPR.htm). I'm no lawyer, but that's the way I'm understanding it.