undefined | Better HN

0 pointslmkg4y ago0 comments

I worked at a small consultancy. We started without password rotation requirements, because it's more secure. We had to add them, because our clients' legal teams started requiring that their contracts with vendors mandate industry-standard security practices. Your employer was probably in a similar situation: certain practices are mandated by customer contracts, not actual security assessments.

It takes a long time for industry-standard to catch up to actual practice.

0 comments

ozim4y ago

Second that, we get some corporate checklist from the customer and they want it green.

Explaining that it is not industry standard anymore takes time and if they want to take time of their employees using our system to deal with that, I am not wasting our company time to make them right.

igetspam4y ago

I've had customers ask and question me about it. I write the policies and reference the relevant NIST guidelines. It's a good way to end those conversations quickly. Even fed compliance generally won't argue.

sdoering4y ago

I know. TiSAX (automotive industry requirements standard) forces much of this onto us (just to name one example).

And if I am not mistaken even ISO27001 requires this to be compliant/certified.

illiac7864y ago

Nope: https://github.com/dwyl/ISO-27001-2013-information-technolog...

j / k navigate · click thread line to collapse