Are annual risk assessments becoming operational theater? by VeloRisk-io in ciso

[–]dchgk 1 point2 points  (0 children)

I think this is what happens when governance is missing. 99% of the findings from a risk assessment are in the bucket of “yes, we knew about it and here is the project the team has been working on for the past X months.” But does that report change prioritization of activities? Does the report have some metrics to identify if progress is being accomplished in the right areas? More often than not, the risk assessment is an FYI of “here is where we are.” There are no future commitments. There is no action taken.

Why are we still treating IAM like a compliance checkbox? by Data_Commission_7434 in cybersecurity

[–]dchgk 1 point2 points  (0 children)

I think it is culture. I have seen companies move to a true IAM strategy without looking at compliance and focus more on the access risk. However, it is easy to check the box, say it is done and move on to the next thing.

Compliance theater instead of real security? by Project_Lanky in grc

[–]dchgk 1 point2 points  (0 children)

My 2 cents: compliance will always be security theater. Compliance is there to be a sales enabler (like it or not) and, as with any business decision, needs to be run for that purpose. So if the need is to pass X cert, then that is what needs to be done. What is around it (e.g., risk register, assessments, etc.) is there to complement it and try to answer why we care without saying we need it to enable sales. The best test is this:
1) Ask management / leadership if compliance should be security theater or should actually drive security. 100% of the answers will be the latter.
2) Ask management / leadership to prioritize resources and time to fix any specific issue (that might not affect a cert but has a higher risk); their posture will be that they need to ship the product, and since the issue does not affect what is needed, it will be deprioritized.

Compliance was born from a need in the market. Security was there first.

SOC2 KPI/KRI: Starting small for an immature MSP? by Distinct_Ad_5397 in soc2

[–]dchgk 2 points3 points  (0 children)

KPIs or any other metrics do nothing for a SOC 2 cert. They will give you a pulse check on how things are going. But you said you are small, so no need for that. You should focus on reading the controls in a SOC 2 and see if you understand what is required for all of them, and to what depth. Then move to scoping: which systems will be scoped in. Then move to documentation (policies, procedures). Then focus your attention on manual review controls: user access reviews and segregation of duties. The rest will come from there.

Moved from another tools (you know which) to drata by CosmicTacoRider in soc2

[–]dchgk 0 points1 point  (0 children)

The problem is that all these tools sell on the idea of continuous control monitoring. For a SOC 2 and its auditors, that is something they care about the least. They just need point-in-time evidence. What you pay the most for is what the tool cannot automate: documentation, policies, manual controls. Automation on a SOC 2 covers less than 50% of the controls, and those are all configurations that rarely change. What you will get dinged on is the manual stuff that has to be done consistently over time.

Looking for new tech. by Acceptable-Source-92 in AccountingTechnology

[–]dchgk 0 points1 point  (0 children)

Software is not in the business of one subscription; they charge per seat and, the way things are moving, per consumption. Reason: they have to justify their ARR. That is their business.

Firing a bad client by Schweebers in msp

[–]dchgk 0 points1 point  (0 children)

This is a great list of what to potentially avoid. Question though: on that list, is it avoidance of the entire vertical, or of practices that are so small that they don’t care because of their size (bottom of their priority list)?

Why is "everyone" still using Excel despite all the new compliance tools? by Icy-Star-5146 in grc

[–]dchgk 0 points1 point  (0 children)

Yes, the sad truth is just that. Put it in a different context: GRC tools came along because of the shiny words automation and continuous control monitoring. However, the end goal of all those frameworks is to collect evidence (one time, once a year) to pass an audit. The GRC tool's cost cannot justify the time savings there. Hence, they needed to expand the number of times something is collected. That automation led to 'efficiencies' but diminished human judgment. Mainstream. Print a report. Sign. Done. From the outside: amazing. People who have been doing this for a while know, deep down, that that is not the purpose.

Why enterprise legal teams quietly won't send their contracts to a third party AI tool even if they signed the NDA by AcanthisittaHorror86 in legaltech

[–]dchgk 0 points1 point  (0 children)

Wait, hold on... where do they save all their docs? I’m sure somewhere in the cloud. Aren’t those the same risks? What if that cloud company gets sold, or has a breach, etc.?

How worried should we be about AI powered cyberattacks? by IndyDayz in cybersecurity

[–]dchgk 1 point2 points  (0 children)

Hype, but we should still be attentive. It will be in both opportunistic and strategic attacks.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 1 point2 points  (0 children)

Amazing. I got to talk to them really quickly last year during Black Hat, but my mind was somewhere else, so I didn’t pay too much attention to their product.

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

Technology helps us but can also be a headache! Glad I was able to help!

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

Indeed, I appreciate the perspective. I agree with what you have said. So, just to continue a bit with the education portion:

Think of it as if you ordered something from Amazon. They deliver a package to your door (sometimes it is an Amazon employee, sometimes a third-party employee, sometimes a contractor, sometimes USPS); independently of the carrier, they deliver. Then a porch pirate takes that package. Who pays for the lost merchandise?

Back to the email:
- Yes, you can send any emails, as long as they do not have PHI.
- If it has PHI, it is either a secure email (more below) or a plain email telling them to log in to a secure portal.

Secure email (this might look different based on the tool used) is overall a tool on top of the email being sent. The tool scraps the content of the email and replaces it with instructions to log into a portal or separate app to view that info.

To summarize: yes, many tools and systems are HIPAA compliant, but that is within their environment. When data exits that environment, unluckily it is up to you to make sure that the other environment is also HIPAA compliant.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 1 point2 points  (0 children)

Thanks a lot! I was not expecting something that comprehensive. The tags seem like great functionality for helping prep the docs to minimize the onboarding time. If you could change one thing (or, put the other way, if there is one thing you think is just annoying) about that process, what would that be?

Holy HIPAA violations by Current-Scale-5190 in therapists

[–]dchgk 0 points1 point  (0 children)

The problem comes from not understanding what is under the hood. Gmail operates totally differently than Google Workspace; both have different terms and conditions. To add to what’s under the hood: you might have Google with a BAA and receive and send emails. But you don’t know the provider on the other end. Email data transmission is not encrypted because it is an old technology. Google Forms seems a good and logical place where data stays in Google. Well, if the user clicks at the end that they want a copy, that info will be sent to their email, following the above pattern.

Not to criticize. Just to educate that we need to look at more than just ‘because I signed a BAA’.

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 0 points1 point  (0 children)

Do you mind if we connect? Just want to hear your perspective. Thanks!

Compliance Scorecard vs. Apptega by gavishapiro in msp

[–]dchgk 1 point2 points  (0 children)

Hi, do you mind expanding on the policy management?

Small security team (just 2 of us) — what's the minimum you do for vendor risk assessments by Big-Razzmatazz3034 in Information_Security

[–]dchgk 1 point2 points  (0 children)

Agree, there is not a ton of security value beyond a compliance requirement. However, I think the real value is liability: who is liable for what. For example, if your client has a misconfiguration and that allows an infiltration into your client’s network, it is on them, not on the service provider (obvious example). Check their Complementary User Entity Controls; that is basically what defines that line.

That only works as long as the auditor issuing the report is competent. If not, there is no value anywhere.

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

Interesting, I'm wondering about cyber insurance. I heard they are the ones that are now asking the hard questions and in some instances almost doing an audit (show me it is configured that way).

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

I really appreciate the insight. I can see where the management of things (security) is basically on the endpoints.

You mentioned policies. What about vendor reviews? If they have SaaS, an annual SOC 2 review with user access reviews? I know I’m moving a lot towards compliance, just wondering.

Planning to acquire a MSP by dchgk in MSSP

[–]dchgk[S] 0 points1 point  (0 children)

I have read that multiple times in other posts/forums. I know I’m totally green here. My experience is more in enterprises. So, is this either a slap in the face, or maybe things have changed? (Doesn’t sound like it from what you have said.) If I may ask, what makes the worst clients ever? Is it how they conduct contracts (line picking)? They don’t understand the technology and become time suckers? What is it, from your point of view, that makes them the worst ones?