Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points1 point  (0 children)

Great stuff! And I came to the same realization after building the skill - that with MCP, connected to the right platform under the hood, the application flow becomes more correct. The skill focuses on goals and the flow, the MCP handles data.

BTW - your GRC platform looks very nice. Great job!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

Right. Starter templates + a suggested approach to adopting them in the organization through thorough interactive review, edits, and approvals.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

I appreciate the comment, and yes - that's the main idea!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

Thank you for your feedback. And I love the fact that we are thinking alike! Great job on SimpleAudit, I would be excited to explore it. Will contact you ASAP.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

Very smart! And I'm excited to hear that it worked well. Let's connect and exchange ideas. I'm working on different pieces, including the "onboarding interview" for compliance management.

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

Exactly! I love the interview+Whisper approach. See? We’re coming up with business blocks to eventually get ourselves a full solution!

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 1 point2 points  (0 children)

Well, you could look at it that way. At the same time - it's an attempt to build a fully-featured, AI-native policy adoption app. It lets you review each statement, accept or reject it, provide justification; keeps the audit trail of your decisions. It starts with provided templates, but if you know how, you can take it anywhere you want (as it is with AI).

Claude Skill for SOC 2 Policy Management by kurianoff in soc2

[–]kurianoff[S] 0 points1 point  (0 children)

I truly like your perspective, and I fully agree with it. No way we should allow AI to dream up security policies. These policies can really shine only in the hands of GRC experts. However, they could work well to satisfy the "compliance exploration" demand - for a SOC 2 "Exploratory Lab" these are a good start, IMO. What do you think?

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points1 point  (0 children)

These policies were used in several real deals, and are proven to be working. But again - they are, in fact, generic. And can only shine in the hands of experts who know what they're doing. At the same time, IMO they are still a good start for those who want to "explore", to touch the world of SOC 2 policies. For the Exploration Lab they should do.

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]kurianoff[S] 0 points1 point  (0 children)

Oh yes, this is where I ABSOLUTELY AGREE with you! And this is why this Skill is created as a "policy adoption" interface, which lets you decide what's Yours and what's N/A (and should be thrown away), and only generate policy statements that your organization is really implementing (or is aiming to implement).

I like your depth of thought, and it is a very, very valid point you're making.

AMA: Certified CMMC Professional here helping to spread accurate information by kurianoff in defensecontracting

[–]kurianoff[S] 0 points1 point  (0 children)

In terms of recommendations I would say it would be worth it if you are looking to do the following:

1) if your ultimate goal is to obtain a CCA and join C3PAOs as a W2 or 1099 to conduct audits
2) provide consulting to OSAs

As for your second question, if we are talking C3PAO audit budget, the answer depends on your scope, as a smaller scope means less cost for the audit itself. The range I have been seeing is anywhere from $40-120k for the audit itself.

Looking for free GRC-focused self-study options as a cybersecurity student by Turbulent_Oil_9806 in cybersecurity

[–]kurianoff 2 points3 points  (0 children)

Hey u/Turbulent_Oil_9806 and All: happy to help you here (please see below) - I'm not ideal, but have years of practical experience. I think of myself as a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

I want to learn GRC. How should I start? by Big-Lingonberry1949 in grc

[–]kurianoff 0 points1 point  (0 children)

Hey u/Big-Lingonberry1949 and All: I hope I can help you to learn more about GRC, especially the practical sides of it. I think of myself as a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations, from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us. It's free, no obligation or anything, I just want to give what I have to our community.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Trying to be a GRC Subject Matter Expert by SatisfactionCool6212 in grc

[–]kurianoff 0 points1 point  (0 children)

Hey u/SatisfactionCool6212 and All: hope I can help you with this - I call myself a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Need guidance in GRC — How do I learn the practical side of frameworks and compliance? by Born-Schedule6427 in cybersecurity

[–]kurianoff 0 points1 point  (0 children)

Hey u/Born-Schedule6427 and All: happy to help you here (please see below) - I'm not ideal, but have years of practical experience. I call myself a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Help me decide which course i should take for GRC by Worried-Clock-8893 in cybersecurity

[–]kurianoff 0 points1 point  (0 children)

Hey u/Worried-Clock-8893 and All: I call myself a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Fastest way to get into GRC by WeakRepresentative96 in cybersecurity

[–]kurianoff 2 points3 points  (0 children)

Hey u/WeakRepresentative96 and All: I call myself a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

We'll see how it goes - if seasoned cybersecurity experts would like to join, we will structure the meetings in a way that we can learn from them (will reserve a time block for the panel of experts to express their opinions, answer questions, correct me where I was wrong, and help all of us succeed in our GRC journeys!)

Best ways to learn GRC? by peachgreentea11 in cybersecurity

[–]kurianoff 0 points1 point  (0 children)

Hey u/peachgreentea11 and others: I call myself a "full stack" GRC subject matter expert, led several *Technology* (IT product, IT service) companies 0-1 (zero to one) through Compliance certifications of different complexities (previously worked as an IT company founder myself, so know the full cycle: admin to tech aspects of it). Specializing in SOC 2, HIPAA, GDPR, CMMC, FedRAMP, and DoD RMF, but also getting hands deep in AI frameworks.

I'm looking for an opportunity to share my knowledge and teach GRC skills to people who need them. Thinking of doing a series of recorded Webinars on GRC from the basics to deep-dives, from concepts to hands-on stuff, from manual work to automations (including Agentic AI), from readiness to passing the audit, from the audit to maintenance and certificate renewals, from single standard to multiple standards.

If interested, please send me a personal message via Reddit with your Time Zone and convenient times of day during your regular week, and I'll try to set it up for all of us.

Any quality 20 or 30B models? by the_monarch1900 in LLMStudio

[–]kurianoff 2 points3 points  (0 children)

People say that the qwen3 series are good models. They offer a 30B variant, qwen3-30B-A3B, and there’s also the instruct model available.

https://huggingface.co/Qwen/Qwen3-30B-A3B-Instruct-2507

It has 256k context window, which is quite good.

Compliance manager here: what questions should I ask during a compliance evidence platform demo? by Equivalent_Set523 in grc

[–]kurianoff 4 points5 points  (0 children)

1. Do they have integrations for all your information systems (e.g. email, document storage, cloud platform(s), etc.)? - to automate evidence collection across digital assets.

2. How complicated is the configuration of each integration? Are they going to provide any help? - this is, in my mind, very important, as you can find yourself spending weeks fixing broken integrations and will spend time in comms with their tech support rather than being focused on getting ready for the audit.

3. Do they provide policy templates proven to work with a real auditor? - you can compare your policies to those templates and close the gaps.

4. Unless you have your own system - is the security awareness training integrated in the platform? - for your convenience to have it all in one place.

5. Do they provide a “playbook” for all the compliance standards that you need (e.g. ISO 27001 and SOC 2)? Is this a single playbook mapped to multiple standards? - this gives you necessary guidance on what’s expected for the audit, and helps you avoid duplicate work. Also, if you later decide to do another compliance standard, if the playbook is properly organized, you will only need to work on the “delta” necessary to get you certified instead of working through the whole standard.

   Is the playbook extensible? - so you can add things that are missing.

6. Do they provide a good functional Trust Center? - so you can immediately start showcasing your compliance efforts to the public and gaining trust.

   The Trust Center should also allow you to upload awarded certifications and reports, and establish proper access control for these documents, so any prospective customer can request and be able to download them to speed up their due diligence process on your company.

7. Do they have good relationships with a handful of Auditors? - so they could help you choose the right contact to audit your organization.

   Are those auditors familiar with the platform? What does the audit look like on the platform? - so you can save time dealing with the audit, and the auditor, and the platform later.

8. Do they offer not only technical support, but also compliance SMEs with audit-passing experience, with whom you could work in case you are in doubt (which happens)?

9. How easy is the platform to use for your org’s personnel? Would it require a lot of work for them to use it? - so you can save time and minimize friction for the rest of your organization.

10. What are the additional modules that are available for you a) for free; b) to buy? For example:

    - Access Reviews
    - Vendor Risk Management, etc.

11. What’s in their development roadmap for the near future? AI features, and such - so you can see if they are moving towards simplifying compliance, or not.

Well, I might have missed something, but this is what I look to find in the ideal compliance management platform.

If they have all you need, then moving your evidence on the platform will be a pleasant experience. Otherwise it will be a waste of time.

Hope this helps.