Any Cybersecurity geeks on here? | Tech Board
Posted by idlewatcher
Planet Arium
Member since Jan 2012
96497 posts
Posted on 4/14/26 at 9:19 am
Our company recently became a registered vendor for a multi-national company that has semi-strict cybersecurity requirements for final registration, such as an EUP, an access management policy, a logging and audit policy, etc.

This is easily accomplished by much larger firms that have a dedicated IT staff, which we do not.

Anyone here an expert on the subject whose brain I could pick? Thanks in advance if so.
Posted by LemmyLives
Texas
Member since Mar 2019
15498 posts
Posted on 4/14/26 at 12:45 pm to
Fire away. I've gotten many, many entities up to speed with ISO2700x, SOC2, PCI DSS, etc.

ISO27001 is probably your easiest bar to hit to check the requirements boxes. It gives you a lot of leeway in implementation. ETA: the catch is that you can't download it without paying for it. But there are techniques...

Do NOT write security policies that are aspirational (ones you can't execute due to system or process limitations). I'd rather have a C+ process that is executed nearly 100% of the time than an A+ process that is executed 60% of the time.

Use a lot of "should" language, not definitive "must" and "will" language.
All accounts will be secured with multi-factor authentication. <-bad
User accounts should be secured with multi-factor authentication where available <-good

(I scoped the control to user, and not system accounts in the second example, too.)
This post was edited on 4/14/26 at 12:46 pm
Posted by GrammarKnotsi
Member since Feb 2013
10129 posts
Posted on 4/14/26 at 7:06 pm to
quote:

This is easily accomplished by much larger firms that have a dedicated IT staff, which we do not.



Depending on who runs your current setup and how (cloud, etc.), you might be better off not having an in-house SecOps team.

Feel free to @gmail me and you can be a little more specific about what you guys are being asked to do.
Posted by Roy Curado
Member since Jul 2021
1562 posts
Posted on 4/14/26 at 10:31 pm to
Suggesting accounts "should" be using MFA instead of "must" is laughable in today's threat actor environment.
Posted by LemmyLives
Texas
Member since Mar 2019
15498 posts
Posted on 4/14/26 at 11:04 pm to
quote:

Suggesting accounts "should" be using MFA instead of "must" is laughable in today's threat actor environment.

You're coming at this from a different perspective, Mr. No As A Service. InfoSec glory vs. what can be executed, and not mis-represented. It's in my intro slide of "How not to fail an IT audit" deck. OP is in an immature environment, and needs to get better, fine. Writing aspirational bullshite they cannot achieve is blood in the water for any decent CISA.

ISO is loose and gives you options. Given my control examples, an auditor doesn't necessarily need to ding you if there are accounts that don't have MFA enabled, as long as they aren't involved in high-risk ops like money movement, chemical QC, etc. But if you write a policy that "the standard is all accounts have MFA," and I find you have system accounts that don't, or there are exceptions without decent justifications and compensating controls, you are cooked. You wrote the policy to appear all NIST 800-53 (high) like a real boss, when you didn't need to, and couldn't actually execute it. ISMS failure.

Once I know your policies are written for contract fulfillment, but you can't actually execute them in a lot of your environment, I will absolutely sink you. If you're realistic, I will add notes to an assessment report that the company needs to mature quickly in certain areas, etc. You need only look at the Azure FedRAMP notes from the FedGov reviewers to see this happening on billion dollar contracts.

Chances OP will get some white glove audit treatment from the vendor? Not likely, initial contract value probably isn't floating them to the top of the risk pile. Yet. But every year you don't end up in the vendor review process is another year for OP's org to solidify shitty practices.
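The distinction drawn in the two posts above (a control scoped to "user accounts where available" versus "all accounts", and exceptions that only count when they carry both a justification and a compensating control) can be turned into a check you run against your own account inventory before an auditor does. The following is an added example, not code from the thread or from any poster; the inventory, the account names, and the attribute names (`mfa_available`, `high_risk`, `compensating_controls`) are constructed for illustration.

```python
# Added example (not from the thread): audit a constructed account inventory
# against the two MFA control wordings discussed above,
#   "All accounts will be secured with MFA"                       -> SCOPE_ALL
#   "User accounts should be secured with MFA where available"    -> SCOPE_USER
# and report where each wording would leave the organisation exposed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Account:
    name: str
    kind: str                       # "user" or "system"
    mfa_enabled: bool
    mfa_available: bool             # can the identity provider enforce MFA here?
    high_risk: bool = False         # money movement, QC sign-off, etc.
    exception_justification: str = ""
    compensating_controls: List[str] = field(default_factory=list)


# Constructed inventory; names and attributes are illustrative only.
INVENTORY = [
    Account("alice", "user", mfa_enabled=True, mfa_available=True),
    Account("bob", "user", mfa_enabled=False, mfa_available=True),
    Account("svc-backup", "system", mfa_enabled=False, mfa_available=False),
    Account("svc-payments", "system", mfa_enabled=False, mfa_available=True,
            high_risk=True,
            exception_justification="batch job, no interactive login",
            compensating_controls=["IP allow-list", "daily key rotation",
                                   "alert on interactive use"]),
    Account("svc-treasury", "system", mfa_enabled=False, mfa_available=False,
            high_risk=True),
    # Justification only, no compensating control: not a documented exception.
    Account("legacy-app", "system", mfa_enabled=False, mfa_available=False,
            exception_justification="vendor appliance cannot do MFA"),
]

SCOPE_ALL = "all"
SCOPE_USER = "user"


def has_documented_exception(a: Account) -> bool:
    """An exception counts only with both a justification and at least one
    compensating control; a bare justification is not enough."""
    return bool(a.exception_justification) and bool(a.compensating_controls)


def in_scope(a: Account, scope: str) -> bool:
    """Does the chosen policy wording cover this account at all?"""
    if scope == SCOPE_ALL:
        return True
    return a.kind == "user" and a.mfa_available


def audit(accounts: List[Account], scope: str) -> List[Tuple[str, str, str]]:
    """Return (account, severity, detail) findings for one policy wording.

    'violation': the policy as written covers this account and it is neither
                 MFA-protected nor covered by a documented exception.
    'risk':      the policy does not cover it, but it is high-risk and has no
                 compensating controls, so an assessor would still note it.
    """
    findings = []
    for a in accounts:
        if a.mfa_enabled:
            continue
        if in_scope(a, scope):
            if not has_documented_exception(a):
                findings.append((a.name, "violation",
                                 "in-scope account without MFA or a documented exception"))
        elif a.high_risk and not a.compensating_controls:
            findings.append((a.name, "risk",
                             "out-of-scope high-risk account without MFA or compensating controls"))
    return findings


def count_by_severity(findings: List[Tuple[str, str, str]]) -> Dict[str, int]:
    counts = {"violation": 0, "risk": 0}
    for _, severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for scope in (SCOPE_ALL, SCOPE_USER):
        results = audit(INVENTORY, scope)
        print(f"scope={scope}: {count_by_severity(results)}")
        for name, severity, detail in results:
            print(f"  {severity:9} {name}: {detail}")
```

Against the same inventory the "all accounts" wording produces four outright policy violations (every non-MFA system account that lacks a compensating control, including the backup job that cannot do MFA at all), while the "user accounts where available" wording produces one violation (the user `bob`) and one risk note (the high-risk `svc-treasury` account). The second list is the one a small shop can actually close out; the first is the one that gets a policy labelled aspirational.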
Posted by idlewatcher
Planet Arium
Member since Jan 2012
96497 posts
Posted on 4/15/26 at 6:52 am to
quote:

LemmyLives


Bro, let's chat by email and subsequently phone if that's cool. You're exactly who I need to talk to.

You have a throwaway email? Please post if so.
Posted by idlewatcher
Planet Arium
Member since Jan 2012
96497 posts
Posted on 4/15/26 at 6:54 am to
quote:

GrammarKnotsi



Thank you buddy, much appreciated

We're just a small company (50 people) in the energy industry and won't need an army of IT people; we just need to get this implemented as a one-time deal to finalize registration. Thankfully I have a good resource, but she is hit or miss with calling me back.
Posted by LemmyLives
Texas
Member since Mar 2019
15498 posts
Posted on 4/15/26 at 1:19 pm to
wooing-cloak-hut -at- duck -dot- com