[et-al]

I know you're being facetious, but any SOC2 audit would overlook this because they're just going down a checklist making sure specific controls are in place and not actually probing for the various possibilities to bypass these controls.

[jamiesonbecker]

> any SOC2 audit would overlook this because they're just going down a checklist

From the GP, "They also stored (1) all the production database and server passwords in a plain text file accessible to half the company and (2) no audit trail of any kind on logins."

Any competent SOC-2 auditor would not overlook this. Large swaths of criteria are specifically geared to uncover both of these (unencrypted credentials and audit trails).

SOC-2 audit firms have a strongly vested interest in hiring competent auditors, because if a SOC-2 auditor did not ask questions covering these areas, then failure to complete the audit would be actionable malpractice and the auditor would be liable, unless the company lied (committed demonstrable fraud) in its written responses.

[raverbashing]

> Any competent SOC-2 auditor would not at all overlook this

I think this statement is tautological, in a way

[jamiesonbecker]

I see your point: if they were competent, they wouldn't overlook it. My point was more that because SOC-2 is more pedantic (than, say, HIPAA), it's harder for a SOC-2 auditor to mess this up.

[raverbashing]

No, I'm saying their audit process focus more in box checking than actually seeing "you left the key under the mat"

[jamiesonbecker]

The "boxes" to be checked are actually asking open-ended questions about that, and asking you to provide copious written documentation backing up what you are claiming. This process takes weeks or months and is quite expensive.

[freeone3000]

The relevant box here is "Are all accesses to production systems logged in an indelible manner?" and "Is the principal of least privilege followed when accessing production systems?"

These questions aren't perfect, since they don't actually prevent security issues and merely document them extensively, but answering no to them will fail the audit.

[JshWright]

Are you talking about HIPAA or SOC2?

[im3w1l]

As a counter example, a competent fire inspector might overlook it ;)

[DiabloD3]

Given the current political climate, such a SOC-2 auditor should be outed by name.

[jamiesonbecker]

> Given the current political climate,

Not sure what politics have to do with it.

> such a SOC-2 auditor should be outed by name.

That would be defamatory, and potentially extremely unfair, especially if someone lied or was just incorrect, in an anonymous internet forum.

If someone experienced a loss because they relied on untrue statements from an auditor, they would have grounds to bring a case, and the auditor would have a chance at due process to respond to that case.

It probably seems slow and unwieldy when we all want justice now, but this is how we can be assured that justice is, in fact, done, and not injustice.

[JshWright]

A HIPAA audit would certainly miss this, but I would be very surprised if a SOC2 auditor missed this (or that they would remain in business long with the damage that would do to their reputation).