Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AppDefects
Community Champion
‎01-16-2020 07:55 PM
‎01-16-2020 07:55 PM

Security Compliance, or Not...

I saw this great post today that made me laugh myself to tears:

 

"AWS Security Hub now allows you to disable controls for compliance standards!"

 

Pesky security controls? Just click, click, the author said and they will be gone! No need to worry about them being in your audit scope. Believe it or not this is a "feature" they are selling to their customers 😞 

Labels
Reply
1 Reply
mgorman
Contributor II
‎01-20-2020 07:37 AM
‎01-20-2020 07:37 AM

If the controls shouldn't be in scope based on the risk analysis, then they should be able to be disabled.  Different systems require different controls.  Sometimes more, sometimes less, than the generally accepted best practices in whatever compliance standard you are measuring against.  If a control costs you more than the value of the asset it protects, get rid of it, period.  Only your business can make that determination, then, of course, you ave to prove it to the auditor.

Reply
0 Kudos