esseph 9 hours ago
But they also say "Here, this is Sarah, your auditor. Answer these questions and resolve the findings." - every year. It's all cybersecurity insurance compliance that in many cases deviates from security best practices.
cogman10 9 hours ago
This is where the problems come from. Auditors are definitely what ultimately causes IT departments to make dumb decisions. For example, we got dinged on an audit because instead of using RSA-4096, we used Ed25519. I kid you not, their main complaint was that there weren't enough bits, which meant it wasn't secure. Auditors are snake oil salesmen.
RankingMember 9 hours ago
This is 100% it: the auditor is confirming the system is configured to a set of requirements, and those requirements are rarely in lockstep with actual best practices.