Any Cybersecurity geeks on here?
Posted on 4/14/26 at 9:19 am
Our company recently became a registered vendor for a multi-national company who has semi-strict cybersecurity requirements for final registration such as EUP, Access Management policy, logging and Audit policy etc.
This is easily accomplished with much larger firms who have a dedicated IT staff of which we do not.
Anyone here an expert on the subject that I could pick your brain? Thanks in advance if so
Posted on 4/14/26 at 12:45 pm to idlewatcher
Fire away. I've gotten many, many entities up to speed with ISO2700x, SOC2, PCI DSS, etc.
ISO27001 is probably your easiest bar to hit to check the requirements boxes. It gives you a lot of leeway in implementation. ETA: the catch is that you can't download it without paying for it. But there are techniques...
Do NOT write security policies that are aspirational (you can't execute due to system or process limitations.) I'd rather a C+ process that is executed nearly 100% of the time, than an A+ process that is executed 60% of the time.
Use a lot of "should" language, not definitive "must" and "will" language.
All accounts will be secured with multi-factor authentication. <-bad
User accounts should be secured with multi-factor authentication where available <-good
(I scoped the control to user, and not system accounts in the second example, too.)
This post was edited on 4/14/26 at 12:46 pm
Posted on 4/14/26 at 7:06 pm to idlewatcher
quote:
This is easily accomplished with much larger firms who have a dedicated IT staff of which we do not.
Depending on who/how your current setup is run (cloud, etc) you might be better off not having an in house SecOps team..
feel free to @gmail me and you can be a little more specific in what you guys are being asked to do
Posted on 4/14/26 at 10:31 pm to LemmyLives
Suggesting accounts "should" be using MFA instead of "must" is laughable in today's threat actor environment.
Posted on 4/14/26 at 11:04 pm to Roy Curado
quote:
Suggesting accounts "should" be using MFA instead of "must" is laughable in today's threat actor environment.
You're coming at this from a different perspective, Mr. No As A Service. InfoSec glory vs. what can be executed, and not mis-represented. It's in my intro slide of "How not to fail an IT audit" deck. OP is in an immature environment, and needs to get better, fine. Writing aspirational bullshite they cannot achieve is blood in the water for any decent CISA.
ISO is loose and gives you options. An auditor doesn't necessarily need to ding you if there are accounts that don't have MFA enabled, given my control examples, if they aren't involved in high risk ops like money movement, chemical QC, etc. But, if you write a policy that "the standard is all accounts have MFA," and I find you have system accounts that don't, or there are exceptions without decent justifications and compensating controls, you are cooked. You wrote the policy to appear all NIST 800-53 (high) like a real boss, when you didn't need to, and couldn't actually execute it. ISMS failure.
Once I know your policies are written for contract fulfillment, but you can't actually execute them in a lot of your environment, I will absolutely sink you. If you're realistic, I will add notes to an assessment report that the company needs to mature quickly in certain areas, etc. You need only look at the Azure FedRAMP notes from the FedGov reviewers to see this happening on billion dollar contracts.
Chances OP will get some white glove audit treatment from the vendor? Not likely, initial contract value probably isn't floating them to the top of the risk pile. Yet. But every year you don't end up in the vendor review process is another year for OP's org to solidify shitty practices.
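The point made in the two LemmyLives posts above (scope the MFA control to user accounts "where available", and document exceptions with compensating controls, because the policy as written is what the auditor measures you against) can be checked mechanically. This is an added example, not code from the thread; the account inventory, the policy names `all_must` and `user_should`, and all account names are constructed for illustration.

```python
# Added example: evaluate an account inventory against an MFA control written
# two ways, the aspirational "all accounts will" and the scoped "user accounts
# should ... where available". Inventory and policy names are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                  # "user" or "system" (service, device, break-glass)
    mfa_enabled: bool
    mfa_available: bool        # does the platform even offer MFA for this login?
    high_risk: bool = False    # money movement, chemical QC, etc.
    justification: str = ""    # documented reason for an exception, if any
    compensating: tuple = ()   # compensating controls backing that exception


def in_scope(acct: Account, policy: str) -> bool:
    """'all_must' is the aspirational wording; 'user_should' is the scoped one."""
    if policy == "all_must":
        return True
    if policy == "user_should":
        return acct.kind == "user" and acct.mfa_available
    raise ValueError(f"unknown policy {policy!r}")


def audit(accounts, policy):
    """Return {name: finding} for every in-scope account that lacks MFA."""
    findings = {}
    for a in accounts:
        if not in_scope(a, policy) or a.mfa_enabled:
            continue
        if a.justification and a.compensating:
            findings[a.name] = "documented exception"   # defensible to a CISA
        elif a.high_risk:
            findings[a.name] = "gap (high risk)"        # must be fixed either way
        else:
            findings[a.name] = "gap"
    return findings


# Constructed inventory for a small shop (hypothetical names and values).
INVENTORY = [
    Account("alice", "user", mfa_enabled=True, mfa_available=True),
    Account("bob-ap", "user", mfa_enabled=False, mfa_available=True, high_risk=True),
    Account("plant-hmi", "user", mfa_enabled=False, mfa_available=False),
    Account("svc-backup", "system", mfa_enabled=False, mfa_available=False,
            justification="non-interactive service account",
            compensating=("IP allow-list", "quarterly key rotation")),
    Account("svc-legacy", "system", mfa_enabled=False, mfa_available=False),
]

if __name__ == "__main__":
    for policy in ("all_must", "user_should"):
        print(policy, audit(INVENTORY, policy))
```

Against the same inventory the aspirational wording yields four findings (two of them system accounts that can never satisfy it), while the scoped wording surfaces only the high-risk user account that actually needs fixing.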
Posted on 4/15/26 at 6:52 am to LemmyLives
quote:
LemmyLives
Bro, let's chat by email and subsequently phone if that's cool. You're exactly who I need to talk to.
You have a throwaway email? Please post if so.
Posted on 4/15/26 at 6:54 am to GrammarKnotsi
quote:
GrammarKnotsi
Thank you buddy, much appreciated
We're just a small company (50 people) in the energy industry and won't need an army of IT people - just need to get this implemented for a one time deal to finalize registration. Thankfully I have a good resource but she is hit or miss with calling me back
Posted on 4/15/26 at 1:19 pm to idlewatcher
wooing-cloak-hut -at- duck -dot- com
Posted on 4/15/26 at 6:01 pm to idlewatcher
This article today made me laugh and reminded me of this thread (NIS2 is a cybersecurity guideline in Europe):
quote:
Only 16% of Businesses are Fully Compliant with NIS2 Despite 2024 Compliance Deadline
IT Security Guru by Guru Writer / Apr 15, 2026 at 12:57 PM
New research from CyberSmart has revealed that, despite a compliance deadline that has now passed, only 16% of businesses required to comply with the EU’s Network and Information Security Directive 2 (NIS2) are confident that they are fully compliant. Worryingly, 11% of respondents were unsure what NIS2 is, despite falling within its scope.
The CyberSmart NIS2 Survey, reveals insights from 670 business leaders across the UK, Poland, the Netherlands, Ireland, France, Germany, Denmark and Belgium. The survey, completed in late 2025, was conducted by OnePoll.
Posted on 4/15/26 at 6:37 pm to LemmyLives
I could only imagine that it’s only 16%. Couple years ago a guy working for us got only his computer infected with hackerware or whatever it’s called where the padlock shows up on the desktop and all files are locked. For whatever reason, the virus was ceased on our network level so all other computers were clear
Hacker wanted about 10K in bitcoin to get the files back but we had made a redundant copy of this station the day before
Thanks for your email - will shoot you a note in the morning