• fruitycoder@sh.itjust.works · 2 upvotes · 1 day ago

    Do we have a Lemmy community for IT compliance? I'd actually kind of enjoy that.

    What kinds do you deal with? CISA, HIPAA, PCI DSS, etc.?

    • redsand@infosec.pub · 2 upvotes · 20 hours ago

      HIPAA is so strange in how much and how little it matters at the same time. Often in the same email.

        • fruitycoder@sh.itjust.works · 2 upvotes · 17 hours ago

        HIPAA honestly falls into the data protection pillar of zero trust to me, and my experience in that space was that people just got overwhelmed by it. Like, old school IP/port security people can wrap their heads around, but try to introduce the concept that data should be accessed just in time of use by authorized people that need to use it and otherwise it should be made technically infeasible (i.e. encryption), and bam, they lose all concept.

        Like, it's hard, for sure, but even a little closer to the goal is better than nothing, people!

        From an org's side too, the incentives are just whack: they almost want just enough effort to appear they are doing something to get accredited or pass an audit, but the consequences for the people affected are just way higher than any the org has to deal with.

          • redsand@infosec.pub · 1 upvote · 16 hours ago

          And there's so much low-hanging fruit from end users or whole departments that have their IT managed separately by a 3rd party (occasionally doctors).

      • deeferg@lemmy.ca · 1 upvote · 17 hours ago

        Yup, the eye glazing has begun while reading this thread. The world needs people like you so people like me don't have to cock it all up.

      • fruitycoder@sh.itjust.works · 1 upvote · 17 hours ago

        I got to listen to a major university talk about getting their super compute environment CMMCed. They sounded like a war vet and were still not sure they even got it handled fully, unfortunately. Though compliance and a compSci lab is a hostile mix to handle.

        Honestly, following CISA and DISA STIGs seems easier, but those are for more discrete systems versus whole IT networks.

        Are there any things like the ComplianceAsCode project for SOX, or is it more organizational compliance?