undefined | Better HN

0 pointsethbr11y ago0 comments

In practice, most commercial attestations/certifications contain enough weasel language that the certifier isn't responsible for anything missed (i.e. reasonable effort only).

But yes, there are many standards for this (e.g. SOC Type 2 reports).

In defense of their utility, the good ones tend to focus on (a) whether a control/policy for a sensitive operation exists at all in the product/company & (b) whether those controls implemented are effectively adhered to during an audited period.

0 comments

AmericanChopper1y ago

That’s not really how they work. The auditor attests that they were provided with evidence that the systems/business units audited were compliant at the time of auditing. That doesn’t mean that the business didn’t intentionally fake the evidence, or that the business is compliant at any time subsequent to the assessment.

An auditor would certainly have some consequences if they were exposed for auditing negligently.

This is how the PCI SSC manages to claim that no compliant merchant/service provider has ever been breached, because they assume being breached means that the breached party was non-compliant at the time of the breach. Which is probably a technically true statement, but is a bit misleading about what they’re actually claiming that means.

r00fus1y ago

We're talking about getting a judgement in the court of public opinion not a court of law, and no one is exempt from the former.

ipaddr1y ago

Many live in a special labelled class that cannot be criticized

deepsun1y ago

Yes, certifiers are not responsible in legal sense, but nothing stops us from posting crap about them on internets.

j / k navigate · click thread line to collapse