by __jf__
1953 days ago
Most of the compliance paperwork I’ve seen does leave room for custom risk assessments, threat modeling or other wordings that invite a business team to do more. However, in their rush to go live or otherwise get it over with, this security work is done after all other things. It isn’t integrated, in an SDLC for example. So minimum standards become maximum standards. It’s hard work convincing teams to do better, but at least the compliance docs give permission to develop your own, often better, understanding if the data classification is high enough. It doesn’t happen often but I haven’t abandoned all hope yet.