
Comment by notTooFarGone

1 day ago

Yes, it's this rolling on your back and preemptively trying to cover all eventualities that does stuff like this.

It seems like no one wants to actually justify their decisions to auditors, as it's more time-critical when the audit happens.

If only everyone involved with security compliance could learn the lesson that John learned in The Phoenix Project, developers and ops folks would experience a lot less pressure to treat the pantry like Fort Knox. There is not only evidence that goes against the expectations of many auditors, but there's also no requirement that compliance of everything be implemented through costly software and network changes, because physical security and process can be used for compliance as well.