|
|
|
|
|
|
by tptacek
775 days ago
|
|
|
We have a "SOC2 review" regime, for a security-sensitive subset of our code. The very most important thing to remember about SOC2 is that your auditors are attesting that you meet a standard that you yourself set. If you set a standard for yourself that every single change anywhere is going to be reviewed in triplicate, that's what auditors are going to check you on. So the key is to be extremely deliberate about the standard you're setting in your initial Type I. Every auditor is going to want to see some kind of change review, but the purpose of that change review is something you determine, not them. For us, the SOC2-auditable change review process is about ensuring that people merging PRs aren't 3 raccoons in a trenchcoat; it's not a vulnerability management process. The trap people fall into is that SOC2 is often the point at which they start paying attention to security process as a whole, and they led SOC2 lead security process for them. No! Death! Be thinking about security from day 1, and have clarity about what subset of your security process you want SOC2 to measure and track. |
|
|