> There are things you should start doing early that lay the groundwork for attestations, but you should be doing them anyway, even if you never plan to get a SOC2 (and if a big-ticket customer never demands it, you shouldn't SOC2). That's stuff like setting up single sign-on and having protected git branches; simple best practices.
This is in many ways the spirit of SOC2, no? There are a lot of startup founders, far more than I'd like, who would purposefully eschew such "simple best practices" unless they had an axe like a SOC2 audit swinging over them.
I think you're both right, for what it's worth, and my take is that you are more aligned with TFA than you perceive.
I'm pretty sure that's not what the author meant. Again: those are things you should do regardless of whether you're ever going to get SOC2 (and a lot of startups shouldn't).