Do any SOC2 Type II auditors truly audit the businesses they’re making an attestation for? Like do they go onsite, physically and virtually, to probe and determine what’s true? Typically the client of an assessor provides compliance evidence in the form of screenshots of configuration details. Clearly this kind of evidence can be fabricated or adulterated.
bigfatkitten•6mo ago
Sometimes. I’ve been on calls to explain and show the auditor various things via screen share.
icedchai•6mo ago
Even if they go on site, it can still be faked.
kemotep•6mo ago
Audits are a checkbox exercise. But like before every flight, pilots complete a checklist, checking boxes just like an audit.
It takes a culture of following through with what you say you do and SOC2 is at least a 2-part audit that has you show your policies in the first part and then a year later they validate your evidence that you do what you say. So that puts it well above any self-assessment like NIST (which still has excellent guidance for how to approach security).
A SOC2 doesn’t prove they don’t share your data with the government for example just that they follow what their privacy policy says (which could include clauses about sharing data with the government).
pyuser583•6mo ago
It’s really about business capacity, right? They want to make sure the organization functions in an intentional manner.
Able to make policies and follow them.
general1726•6mo ago
Proton is in a great business position with current push for sovereignty within Europe
itisit•6mo ago
bigfatkitten•6mo ago
icedchai•6mo ago
kemotep•6mo ago
It takes a culture of following through with what you say you do and SOC2 is at least a 2-part audit that has you show your policies in the first part and then a year later they validate your evidence that you do what you say. So that puts it well above any self-assessment like NIST (which still has excellent guidance for how to approach security).
A SOC2 doesn’t prove they don’t share your data with the government for example just that they follow what their privacy policy says (which could include clauses about sharing data with the government).
pyuser583•6mo ago
Able to make policies and follow them.