by primedteam 1515 days ago
HITRUST certification is the most demoralizing thing I've done in my life. You need a policy, a procedure and evidence of things like this:

Shared system resources (e.g., registers, main memory, secondary storage) are released back to the system, protected from disclosure to other systems/applications/users, and users cannot intentionally or unintentionally access information remnants.

3 comments

I understand exactly what you mean, but having done HITRUST CSF certification for a system, I will say that it is not as bad as some others, because at least HITRUST is /very/ clear in its requirements, so there aren't as many vagaries and back-and-forth with auditors after the fact, or rushed changes. It's truly a nightmare to meet, but once done you can be assured you will pass the audit fairly.
Yep, try doing that in an Electron context and you quickly learn why a lot of this software still runs on mainframes with UX from the 80s, hard T1 lines (if they're lucky enough to be off ISDNs), faxing things all around since that's considered "secure", etc. A lot of startups can't touch this stuff due to regulatory hurdles. When the first step is "go change the law", it's a non-starter.
I mean, if it were really a very high security system, ensuring that confidential info in memory cannot be written unencrypted to a swap file does seem like a reasonable requirement.
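The control quoted in the post (no information remnants once a resource is released) and the swap point in the last comment, shown in an added C example that is not from the thread or from HITRUST: a page-backed buffer is pinned with mlock so it stays off swap, marked MADV_DONTDUMP where the platform offers it, and zeroed through a volatile pointer before the pages go back to the OS. The struct and function names are my own; the secret string is constructed for the demo.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* A buffer for secrets: page-backed, pinned in RAM where the OS allows it,
 * and scrubbed before the pages are released back to the system. */
struct secret_buf {
    unsigned char *p;
    size_t len;
    int locked;   /* 1 if mlock() succeeded, 0 if RLIMIT_MEMLOCK (etc.) refused */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as "dead writes" just because the buffer is about to be freed. */
void secure_wipe(void *v, size_t n) {
    volatile unsigned char *q = (volatile unsigned char *)v;
    while (n--) *q++ = 0;
}

/* Map an anonymous region and try to keep it out of swap and core dumps.
 * Returns 1 on success, 0 if the mapping itself failed. */
int secret_alloc(struct secret_buf *b, size_t len) {
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return 0;
    b->p = m;
    b->len = len;
    b->locked = (mlock(m, len) == 0);   /* pinned pages are never swapped out */
#ifdef MADV_DONTDUMP
    madvise(m, len, MADV_DONTDUMP);     /* Linux: exclude from core dumps */
#endif
    return 1;
}

/* Scrub, unpin and unmap. Returns 1 if the contents were all zero at the
 * moment of release, i.e. no remnant is handed back to the system. */
int secret_release(struct secret_buf *b) {
    if (!b->p) return 0;
    secure_wipe(b->p, b->len);
    int clean = 1;
    for (size_t i = 0; i < b->len; i++) if (b->p[i]) clean = 0;
    if (b->locked) munlock(b->p, b->len);
    munmap(b->p, b->len);
    b->p = NULL; b->len = 0; b->locked = 0;
    return clean;
}

/* Demo: hold a constructed secret for one page, then release it. */
int demo_secret_lifecycle(void) {
    struct secret_buf b;
    if (!secret_alloc(&b, 4096)) return 0;
    memcpy(b.p, "constructed-sample-secret", 25);   /* constructed sample value */
    return secret_release(&b);
}
```

The `locked` flag is the piece an auditor would ask about: if mlock fails the code still runs, so a real deployment must treat `locked == 0` as a finding rather than silently continue.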