Comment by orochimaaru

2 months ago

There is a legal liability that comes with the box checking. Nobody cares about box checking. Everyone cares about legal liability.

Nah. I’m gonna name some names.

I had a client in the compliance space - they handle detailed product information for Apple, Boeing, BAE Systems, Philips, Siemens - you know, nothing important, just literally classified material and incredibly sensitive corporate material.

Anyway. We did ISO 27001. We did it well, audited by Lloyd's Register, reputable stuff all the way down. Built actual meaningful processes.

Anyway, a massive PE entity bought them in a hostile takeover, fired everybody, binned the ISMS, moved to some “compliance” goons.

I saw the box ticking chicanery as it happened - after firing everyone they of course didn’t follow the offboarding process, so I retained full access to their JIRA. I only lost access a year later when Atlassian terminated the account for non-payment.

Nobody actually gives a shit, about anything.

  • > I’m gonna name some names.

    *Doesn’t name any names.*

    Not that I want you to, I feel it would open you up to libel exposure. But can we both acknowledge that you didn’t name the entity that coasted through their audit?

  • Until someone rich and powerful gets ripped off -- then, suddenly, lots of people care a lot.

  • > Nobody actually gives a shit, about anything.

    That's the case until there is the threat of discovery. The real issue is if the PE firm bought the company for the value of the IP and any damages awarded were included in the 'cost of business', which is why liability needs to be extended to those persons who make that decision, not just the corporate entity.

  • Yeah - probably. Didn’t Microsoft have Chinese engineers work on classified government stuff?

    I guess if you have the muscle to brush off legal action from the govt you’re ok. If you’re an unsuspecting startup - that could be a problem.

In practice the only liability you might wind up with is whether you technically met the conditions for checking the box (instead of just checking falsely). But the liability for the overall consequences of not doing the actual job the checklist sets out to do tends to stay where it is.

These days, nobody cares about legal liability, which is the likelihood of losing a lawsuit if there's a lawsuit, either. They only care about actual lawsuits against their company. They have noticed they're pretty rare and if the company's going to go under it's going to go under anyway, so might as well take the extra profits from not worrying about it.

  • If someone checked one box, and the company goes under because of a lawsuit linked to not doing what this box said, then the individual who checked that box becomes personally liable for the damages done to the shareholders' asset (the value of the company).

    You don't want to be in this position, really. And that's the whole point of compliance.

    • Maybe. If their boss told them to do it and their boss is the CEO, probably not. It's on the prosecutor to prove the individual employee committed a crime worthy of piercing the corporate veil.


That’s a separate exercise in most cases. Obtaining the cert is its own exercise and not strictly a security exercise.