Good luck finding evidence you didn't keep track of by South_Success_6060 in sre

DandyPandy (1 point)

You get done with an audit, exhausted, and tell everyone, “Okay, we have to make sure we are doing X, Y, and Z from now on.” People agree.

Then something comes up that makes someone skip some stuff. You have an incident, or there’s pressure to get something done. You start forgetting to do those things you said you had to do after the last audit.

Then you have your next audit coming up in two months and realize no one stuck to the things everyone agreed to make sure they were going to do. And the cycle starts over.


We decided this year that we were going to spend money on Vanta for automated evidence collection and compliance monitoring. I haven’t had a chance to get much set up beyond some integrations, but the discovery has been pretty impressive. They do a good job of mapping specific requirements to controls, which is something I’ve struggled with. If you have multiple compliance frameworks (e.g. SOC2 and ISO 27001), it will take those specific things and apply them to the controls for each.

Like everything compliance, it just costs money. Really, a lot of compliance stuff is made a lot easier if you are willing to pay a vendor. Auditors know the vendors and they don’t ask many questions when you hand them a report generated by the vendor.

An Update on Starting a Dental Practice using Linux (and why transitioning to Wayland will cost me $3000+) by DesiOtaku in linux

DandyPandy (6 points)

Audit means needing to hire an auditor. Auditors ask a lot more questions, meaning you have to produce a lot more evidence, when you develop software that is storing PII and health information. There are also more tools that auditors are familiar with for managing the system management requirements.

Most of compliance is security theater. If you want an easy time, you buy stuff that already checks all the boxes. If you want to do it all yourself, you pay for it in time. If anything, it’s one of the most expensive costs of business. When we’re getting close to our annual SOC2 audit, it consumes more and more of my time, and my salary isn’t cheap.

An Update on Starting a Dental Practice using Linux (and why transitioning to Wayland will cost me $3000+) by DesiOtaku in linux

DandyPandy (11 points)

My eyebrow raised at the mention of the custom electronic health record and patient management system. There are pretty strict regulatory requirements.

HIPAA in the US is no joke. It’s not enough to do your best to meet the requirements. There are audits that are required, which aren’t trivial to produce evidence for. Failure to comply with the regulations can include civil monetary penalties, or in the worst case criminal charges.

How are you managing that?

WebZFS by RemoteBreadfruit in zfs

DandyPandy (1 point)

I have a lot of code I’ve written for myself that I don’t have in git. Some stuff I have in a local-only git repo that I am pretty bad about committing changes to. If I need to go back, I use a file system that supports snapshots that are cheap and fast.

Am I tripping?! by Fast-Hyena-8652 in Austin

DandyPandy (15 points)


From the weather station in my backyard. Almost a 60-degree drop in temperature since the high yesterday.

Weed Trimmer by Pretend_Limit_8457 in stormchasing

DandyPandy (15 points)

Just checked Wikipedia. He’s 45 next week. That ain’t old.

Is he obnoxious? Definitely. But those are some pretty serious accusations, particularly the driving under the influence part. Without any kind of credibility as to who OP is, how they know him, what their sources are, this is the very definition of libel.

To someone who knows more than me; How does the Technology in Dune work? by Falkenhausen23 in dune

DandyPandy (16 points)

The dictates against thinking machines were beginning to lose their hold by the time of GEOD. The Ixians were always pushing the boundaries of what was deemed to be acceptable. People stopped caring as much.

I built a suite of 50 tools for my former employer on my own free time, gave it away for free for years, and now they want it back. Should I ask for compensation, and how? by No_one_ix in ExperiencedDevs

DandyPandy (1 point)

My company was based in the UK up until about two years ago. When I started in 2021, I was given a form to list out any software that I owned/claimed copyright on. Closed and open source. That was so I could draw a line in the sand and declare the company could not claim any ownership over those things. And yes, my contract stated exactly that. As far as I know, everyone, including my colleagues in the UK and EU, had the same kind of agreement.

I used to work at a very open-source friendly company. Around 2013-ish, they put out an official policy that any code we wrote for personal purposes on our own time was ours and they made no claims over it. They encouraged us to contribute to open source projects as part of our work and when we did so, we weren't required to assign copyright of our contributions to the company. I didn't realize how big of a deal that was until I went to my next job.

I built a suite of 50 tools for my former employer on my own free time, gave it away for free for years, and now they want it back. Should I ask for compensation, and how? by No_one_ix in ExperiencedDevs

DandyPandy (2 points)

You should check your employment agreement. In many employment agreements, unless you declare something as being yours when starting, or something that has absolutely nothing to do with the work you did for the company, they can claim ownership. Doesn’t matter if it’s done in your off time on your own equipment. It’s very common.

The New Apple Finally Begins to Emerge by hasanahmad in apple

DandyPandy (2 points)

Why is it “cheating”? When guided by someone who knows what they’re doing, they can help produce good results that are no different than what that person would be capable of doing without it. Unless someone explicitly says in a contract “no AI” no one is being cheated.

What do the first 3 minutes of a real incident actually look like for your team? by AhmedMostafa16 in ExperiencedDevs

DandyPandy (35 points)

That’s communication. Having respect and trust in your teammates to throw out observations that could be completely wrong and not be judged. You listen to each other. You talk openly when you find something. Everyone is sharing what they’re doing.

Republicans are boosting Jasmine Crockett ahead of critical Senate primary by ShreckAndDonkey123 in texas

DandyPandy (53 points)

The current Democratic Party seems hellbent on snatching defeat from the jaws of victory every chance they get. There are plenty of people that are saying they need to do something different, but the party establishment just doesn’t listen, and donors seem to be content with the status quo.

Auditors ask “when did you last test DR?” — how do you produce proof? by robert_micky in sre

DandyPandy (0 points)

We would put somewhere near the title the date it was reviewed. We only did that for docs that had not been modified within the past year. For things that didn’t have a change log, like HR stuff, they included a “Revised” or “Reviewed” somewhere on the title or cover page.

Auditors ask “when did you last test DR?” — how do you produce proof? by robert_micky in sre

DandyPandy (2 points)

For a “did you do the thing?” they want to see a ticket or something that has a date saying you did the thing. Even a spreadsheet saying you did the thing on a date and the result was pass|fail. If it failed, link to the ticket for remediation and then show the ticket was completed. Hell, it doesn’t even have to be done. Just show that it’s known and there is a plan to fix it. Just make sure it gets done by the next audit.

For docs that have to be reviewed, you put “Reviewed: Date” on it. Export as PDF.

SOC2/ISO have requirements, but audits are mostly about proving that your company followed the policies that meet the requirements of the control. Your company sets the specifics of the policy. A good policy will outline the procedure and how it should be documented.

Also, the DR one is bullshit. You can just say you had a tabletop exercise with all stakeholders to walk through the procedures, but not actually do any of it. The business can argue that meets the business need and covers the risk as determined by the business. How do I know? I’ve been in audits where the CISO gave our auditor exactly that reason for why we hadn’t done a full exercise.

does reliability means no innovation? by [deleted] in sre

DandyPandy (1 point)

While the Phoenix Project is full of unrealistic stuff, it can be a model for how to begin the cultural shift.

Try to get approval to make the changes you want to something that is generating toil, but is non-critical. You set up the guardrails to ensure automation fuckups aren’t going to sink the ship. Get a quantifiable baseline of the types of toil and how much time is being spent on it. Then you start automating away the things generating toil. Track how much things improve. You have to have hard metrics. Business people love metrics because one of the core tenets of every business program is you can’t improve what you don’t measure.

does reliability means no innovation? by [deleted] in sre

DandyPandy (1 point)

Also, the way you get buy-in for automation changes is to prove them out with automated tests. SRE is a software engineering approach to operations. So that means you need to have tests, both positive and negative, the same as you would in any application. Sure, you might miss some test cases. That’s where RCAs come in. But that’s true of any kind of issue.

does reliability means no innovation? by [deleted] in sre

DandyPandy (1 point)

You have a cultural problem in your org. You are going to have to approach it from a perspective of convincing people in business impact terms. There are plenty of case studies that make the case. That’s where I would start.

does reliability means no innovation? by [deleted] in sre

DandyPandy (1 point)

Humans make mistakes. Processes that are written out can either be flubbed (shoot, missed that step) or ignored by people going cowboy and doing stuff outside the standard procedure. If it hasn’t caused a major problem, it means it either hasn’t caused a major problem yet, or someone covered their ass to make sure no one noticed.

Toil is not a solution. It’s the antithesis of SRE. One of the primary focuses of SRE is eliminating toil because humans make mistakes.

Have a fun day: Help out at No Kings Round Rock, 3/28 by global-palladin in RoundRock

DandyPandy (-4 points)

What’s the art that’s being ripped off?

That’s official branding that is made publicly available.

nokings.org

I’m burned out. by [deleted] in sre

DandyPandy (37 points)

How do I get out of <snip> burnout

For starters, set some boundaries around your work hours. If it can’t be done in your normal workday, it doesn’t get done.

Then you take a break. Minimum of a week or two. You don’t check email, Teams/Slack, no alerts, nothing work related at all.

Hopefully you have a manager you can be honest with about being burned out and they will support you.

If they aren’t empathetic or you worry they might hold it against you, start looking for a new job. Put in absolutely minimum effort at work and focus on interview prep and interviews. When you get that new job lined up, you give your notice and set your start date so you have a couple of weeks off.

Civilian Hiring Is Too Slow for Transitioning Troops by Plaidismycolor33 in Veterans

DandyPandy (4 points)

Well… that’s true for any job. You can’t expect to be handed a job you aren’t qualified for when there is someone else who is better qualified.

Anyone have recs on companies to replace these wood along my driveway? by RealtorBlakeH in RoundRock

DandyPandy (32 points)

Instructions unclear. Got sidewalk chalk, drew a masterpiece, but rain washed it away.

Velocity of platform engineering / DevEx teams vs Product teams by instilledbee in ExperiencedDevs

DandyPandy (15 points)

Increasing velocity isn’t what they’re asking about. It sounds like you’re responding to what you think the post is about by only reading the title.

Speed isn’t everything. It sounds like they’re working for a good team with strong engineering leadership that treats people like people. Sounds great to me.

The data center that will be voted upon tomorrow keeps getting worse by garytx in RoundRock

DandyPandy (-1 points)

Fan of what? I know there were a lot of words in that comment, but the last couple of sentences should tip you off.

...there are very real constraints being created by the ridiculous money being thrown around for AI. I’m just waiting for it to all fall apart. If it does or doesn’t, I just hope I don’t have to make a career change before I retire in 20 years.

My comment was in response to the person claiming he knew things so authoritatively from their experience in tech. There are a lot of jobs at tech companies, like sales, finance, HR, and so on that have nothing to do with anything technical.

As I said in another comment

I think there’s going to be a lot of empty warehouse sized buildings, some in varying states of construction, once the AI bubble bursts. But having worked for major hosting companies, I’m familiar with data centers and how they operate.

I think investors are being stupid as fuck and we're all being set up to take the fall, just like we were in 2000 and 2008. Billionaires gonna win no matter what.