undefined | Better HN

0 pointsoneplane8y ago0 comments

HIPPA, PCI, etc. compliancy doesn't actually mean you are secure, it just means you are compliant. Take ransomware attacks for example, most of the bigger companies that get hit and have no working plan to continue their business are compliant to all sorts of things, hell complete governments are in that category...

Compliancy only tells a story about management and how many MBA's you have, it doesn't actually mean you have good security. Only being compliant isn't going to help you not get data leaks or data loss!

0 comments

falcolas8y ago

You're correct - it doesn't mean you're secure. It does, however, point out that you're putting some thought and effort into security. PCI requires remediation plans or justifications to pass, as does HIPPA.

And, for better or worse, you need your service providers, including chat, to be compliant. If your company were to leak PII via Slack, your company would be in pretty hot water for putting PII on a non-certified service provider.

At least if it were certified, you could say "we've done our due diligence to protect people's PII". Perhaps only important to leadership and lawyers, but still important.

oneplaneOP8y ago

In this case, however, Slack is certified.

j / k navigate · click thread line to collapse