
233 points gmays | 1 comments
quicklime ◴[] No.44362564[source]
From the article:

> SOC 2 is a security and compliance framework created by the AICPA

How is it that a group of accountants (the American Institute of Certified Public Accountants) was able to create a security framework for software, and position themselves as the sole gatekeeper who decides which auditors are allowed to certify SaaS vendors?

I’m surprised that companies would look to accountants, rather than people from the tech industry, to tell them whether a vendor has good IT security practices.

Yet the whole tech industry seems to be on board with this, even Google, Microsoft, etc. How did this come to be?

replies(3): >>44362616 #>>44362924 #>>44363678 #
tptacek ◴[] No.44362616[source]
It's an audit standard about security. It's not a security standard. It defines a small number of extremely broad goals, like "you do risk management" and "you have access control mechanisms", which might be IT tools or might be a tabletop RPG.

You're irritated that people keep describing it as a security standard, which is understandable, but it isn't. AICPA auditors run SOC2 audits because SOC2 is an audit; it's about reconciling paperwork and evidence, about digesting policies and then checking that you actually do anything in those policies.

If you want to know about a firm's actual security program, you'll need to ask deeper questions than SOC2 can answer.

replies(2): >>44362654 #>>44362786 #
1. er4hn ◴[] No.44362786[source]
I've always viewed SOC-2 as a certification for business continuity, not security. Once you view it as making sure that the service can continue running, even with disaster or heavy turnover, it makes more sense.