Sean Edwards seanedwards

🙃
Measure twice, cut once.
View GitHub Profile
@seanedwards
seanedwards / barcode.h
Last active October 20, 2021 03:06
UART Barcode Scanner Component for ESPHome
#include <esphome.h>
#include <sstream>
class BarcodeReader : public Component, public UARTDevice, public CustomAPIDevice {
public:
BarcodeReader(UARTComponent *port) : UARTDevice(port) {}
std::stringstream buffer;
unsigned long millisendstr=0;

The big TL;DR: SOC-2 is a "report", not a "certification". Auditors don't tell you what you must do; they examine what you say you do, and then compare records to your policies to attest that you're a company that follows its own rules.

Design your controls in the way that makes sense for your business, keep records, and then during the audit make a case for why you are living up to your own standards. SOC-2 will ask questions that make you think "oh, we should do that", but it is perfectly acceptable to say that you don't do it if it doesn't matter to your business or if you have other "controls" that meet the same standard.

Example:

  • SOC-2: Do you force rotate passwords every 90 days?
  • Us: No. Based on NIST and Microsoft Research recommendations, which say that forced password rotations encourage users to choose simple variants of easy-to-remember passwords, we instead require two-factor authentication and complex passwords, which may be kept indefinitely.

Doing some risk analysis can be a huge benefit, to help you

@seanedwards
seanedwards / cloudformation.md
Last active June 27, 2019 23:34
Granting Permissions Via Cloudformation

This guide describes how to grant IAM permissions in an Amazon account, but only through CloudFormation.

  1. First, create a role called cloudformation which has permission to do everything an engineer might need to do.

  2. Give that role a trust policy which will allow only AWS CloudFormation to actually use it:

{
  "Version": "2012-10-17",
  "Statement": [
<!DOCTYPE html>
<!-- saved from url=(0028)data:text/html,chromewebdata -->
<html i18n-values="dir:textdirection;lang:language" dir="ltr" lang="en" i18n-processed=""><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
maximum-scale=1.0, user-scalable=no">
<title i18n-content="title">tirefi.re</title>
<style>
a {
### Keybase proof
I hereby claim:
* I am seanedwards on github.
* I am tilmonedwards (https://keybase.io/tilmonedwards) on keybase.
* I have a public key whose fingerprint is 35BF A615 12A0 00E9 CE87 2502 B693 6F39 572C FA6B
To claim this, I am signing this object:
@seanedwards
seanedwards / help.md
Last active May 26, 2016 17:42
Asking for help in a helpful way.

IRC and Slack channels can be a great resource for debugging confusing problems, and people are often very willing to jump in and work through it with you. However, there are some things you should provide up front when asking a question. Filling out this template will help you get an answer faster, and will make it easier for someone to jump in and help.

Goal

Describe what you expect to happen when the problem is solved.

Problem

Describe the specific problem you're seeing. Start with the thing that made you notice there was a problem and follow your investigation forward from there.

.HeartAnimation {
display: none;
}
.HeartAnimationContainer {
background: url('//ton.twitter.com/i/ton/data/dm/714844886189649923/714844886210576384/XxVE7tuL.png') no-repeat;
background-size: contain;
}
require 'sinatra'
require 'slackbotsy'
set :bind, '0.0.0.0'
config = {
'channel' => '#default',
'name' => 'botsy',
'incoming_webhook' => 'https://hooks.slack.com/services/XXXXXXXXX/XXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXX',
'outgoing_token' => 'XXXXXXXXXXXXXXXXXXXXXXXX'
package com.ides_lang.test.syntax
import com.ides_lang.syntax._
import com.ides_lang.test.IdesSpec
import org.scalatest._
/**
* Created by sedwards on 8/31/14.
*/
class SyntaxSpec extends IdesSpec {
#!/usr/bin/env ruby
require 'trello'
require 'date'
Trello.configure do |config|
config.developer_public_key = "*****"
config.member_token = "*****"
end