Stop claiming that SOC is an information security certification. Stop treating SOC2 Type II as an indicator of anything other than achieving SOC2 Type II, a standard created and audited by accountants.
@fuzztech I wonder if the name collision with Security Operations Center was intentional...
@fuzztech To be frank, it seems unlikely that IT experts could do any better than accountants.
@fuzztech It’s a jobs program for accounting firms and is self-perpetuating, as they demand them from each other’s clients.
@fuzztech @Viss
My favorite part of soc2 is the company gets to make up their own rules, and the auditor just checks to see if you can pretend you're following those rules. Want to see the company's rules? No, that's secret.
@FritzAdalis @fuzztech that's how SOX works too!
@FritzAdalis @fuzztech @Viss it’s easy to provide evidence I’m following the rules I made up.
@Drat @fuzztech @Viss
You would think that, wouldn't you.
@FritzAdalis @Drat @fuzztech I have stories here. Absolutely fucking wild ones.
SOC is not an ideal security certification but it does have some use and can be a starting point leading to better options.

It's true that you can make up your own rules (aka controls) but you have to follow them for the audit year and any changes will be for the following year. The auditors know the rules and the report that you send to your customers will have them as well. Any failures and remediations will be in the report so they can determine how well you actually performed these rules.

My work does hosting for state agencies in Azure Government. This often means a lot of contractual language that sometimes goes beyond our typical standards. We'd be crazy not to create controls that exceed our normal security/compliance standards to make sure we cover all of our customers' requests.

The biggest value to me is that every time one of our state agency customers gets audited by the state, the RSA, the Social Security Administration, has to create an SSP, etc. and tries to dump it on us as a vendor, we can just provide a SOC 2 report to show that we've been audited for these things within our control and passed.

It would be a full-time job if I had to chase down compliance for everything in their contracts instead of giving them the report. It would be like being audited over and over all the time. Trust me, I've been invited to several customers' audit meetings to try to get me to answer their questions for them. I've had several others try to get me to fill out their NIST 800-53 framework for them as well. Being able to push back on that is worth having a SOC 2 report around.

All that said, we're moving on to GovRAMP for our security compliance. It's highly requested and will soon be mandatory for some customers. We couldn't have jumped straight to it so SOC 2 was a good stepping stone to get it moving.

@fuzztech it is better than the HITRUST extortion racket