by Vendan
1639 days ago
I've been through SOC2 (sat in with auditors and walked them through pretty much all of our stuff around source code and testing and building things). SOC2 is very much a "do you have policies for x, y and z" and "are you actually implementing those policies", with a VERY HEAVY emphasis on "are you doing what you say you'll do". There's nothing that says "You must monitor any place your source code could exist", but there's plenty that says "You must have a policy for change management" and stuff like that. And you'll get dinged hard if you have a policy that says "We monitor every device that has our source code on it" and then turn around and have contractors you don't monitor. That said, it's also completely trivial (on the auditor side) for them to say "Oh, we're changing this policy to 'We monitor devices with production access'". Good luck pushing for that to happen as a contractor, though...