Comment by GorbachevyChase

16 hours ago

Policy and practice might not be the same thing. The company and the entire management staff should be on somebody’s blacklist for future procurement.

The tighter your security is, the more inconvenient it is for legitimate users, and the more you have to do audits because it's easy to justify going around security in the name of efficiency.

It's not just information security, either. I've seen vault doors propped open because the people working inside didn't want to do all the sign-in/sign-out paperwork to take a leak.

The whole point of stuff like SOC2 and audits is to verify that policy is actually implemented. Seems like nobody actually checked.

  • SOC2 requires an audit. But one of the weaknesses of SOC2 is that the audit mostly checks to determine that you are following whatever your policy is. It doesn't verify that your policy is rigorous.