symmetry's recent activity
-
Comment on Data security help - SOC2ish in ~tech
-
Comment on Data security help - SOC2ish in ~tech
symmetry (edited) I’ve been lucky in that I’ve worked with auditors that have been reasonable, especially when I had to take a company from zero to SOC 2 within a year. But I’ve heard horror stories of auditors that might have previously worked with Fortune 500 companies and somewhat expected the same resources and maturity for a small SaaS company looking to get their first SOC 2 under their belt. Try not to find an adversarial auditor!
I know you haven’t started yet, but I want to highlight that SOC 2 isn’t just systems, it’s also organization (that’s the O!) as well. To give an example, a common SOC 2 control is conducting background checks for all new employees. The easy thing is to set up Checkr, the hard thing is to make sure no one falls through the gap. Say that two summer interns start, and the background check process wasn’t followed because HR thought it wasn’t necessary. Come audit time, those two interns are gonna show up as observations because you can’t provide a background check record for them.
One easy way to get guidance on what to do is simply look at other companies’ (especially if they are a similar size) SOC 2 reports. Bigger companies likely have more controls, but do anticipate around 60-80 controls (can vary depending on what criteria you are going for) first time around. You’ll begin to notice there are a lot of overlapping controls with very similar wordings.
I can go on and on about this. I just want to highlight that beyond the marketing (SOC 2 in 5 easy steps!), the actual process can be a real grind especially if you aren’t prepared ahead of time.
One more thing, I’m a firm believer that SOC 2 (and ISO) is genuinely a good way for a company to get serious about security, and not a compliance burden. So, treat it as an opportunity for improvement!
-
Comment on Data security help - SOC2ish in ~tech
symmetry Finding the right (namely reasonable) auditor is the most important part IMO. Because they are the ones you are dealing with for the audit and the ones that actually issue the report. Some of them even offer gap assessment services that make it easy to transition to the Type 1 audit.
All these consultancy services and vanta/drata tools do is just drop you in a cookie cutter dashboard or spreadsheet. They may have fancy bells and whistles with alerts, but odds are, poorly designed controls fail regardless of how many alerts you get.
I can go more into this, but just a heads up, SOC 2 isn’t just the cost of tools or the audit. If the company doesn’t have a decent IT infra, has no history of doing a pentest, or lacks an HRIS, it’s gonna be rough trying to tackle SOC 2 without investments in those areas.
-
Comment on Star Trek live-action comedy series in development in ~tv
symmetry Sadness just now in learning that Lower Decks is gonna end this season. Can't believe it debuted during the start of the pandemic and it's been coming up to five years already (something something 5 year mission). The crossover episode with Strange New Worlds was especially nice. I really liked how the series explored the meta of Star Trek in ways that other series didn't. They should make a movie series :)
-
Comment on Why does "Everything Everywhere All at Once" repulse me so much? in ~movies
symmetry Maybe a hot take, but EEAAO and Get Out felt similar to me. The more nuanced representation was neat (along with the language/cultural bonus), but it still felt like a Hollywood film and still leans on some tired tropes (not to the level of stereotypes though).
I definitely wouldn't say I dislike both movies, rather they are pretty meh.
-
Comment on AI: The decade ahead in ~tech
symmetry What disgusts me about AI isn't really the tech itself. It's just the people who talk about it ALL THE TIME. All the fucked up "predictions" they make. Their belief about how it's going to change the future of society (with the implied threat that they are the ones holding the keys to it all).
Sometimes I wish they would just do away with all the pretenses. Take the money spent on AI research and just build a bunch of nukes instead.
-
Comment on Because European sunscreens can draw on more ingredients, they can protect better against skin cancer in ~health
symmetry On a more practical note, does anyone know which European sunscreens are good?
-
Comment on The tech baron seeking to “ethnically cleanse” San Francisco in ~society
symmetry In Ancient Greece, there was a process called ostracism, where a citizen was banished (after a vote) from the city for ten years because they were considered a threat/tyrant. We should bring it back for people like him.
-
Comment on In US lawsuit, ex-Amazon AI exec claims she was asked to ignore IP law in ~tech
symmetry I would caution that this isn't some "aMaZoN Is bReAkInG LaWs tO GeT An eDgE In AI TeCh" story as the headline might indicate; rather this is a case of workplace discrimination. All the outlandish things are just what seem like 2-3 hostile managers trying to force her out of the company. Kinda glad she is fighting the workplace discrimination in the court; if the allegations are true, I'm sure the individual defendants aren't gonna stick around at Amazon much longer and hopefully the publicity around this means they can't easily jump to another company.
-
Comment on In US lawsuit, ex-Amazon AI exec claims she was asked to ignore IP law in ~tech
symmetry It's an impossible task common to "performance improvement plans."
-
Comment on San Francisco sues Oakland over proposed airport name change in ~transport
symmetry I understand the outrage, but respect the hustle.
In the past 5-10 years, a number of things have left Oakland. I still remember when Oakland International was a legit international airport. I was able to catch direct flights from places like London and Stockholm. Nowadays, Oakland is only “international” to a handful of places in North America.
I’m for a name change if this means bringing back some transpacific or transatlantic routes. I hope it makes sense why it’s important to have more options, so we don’t slip increasingly to the SFO and SJC duopoly.
-
Comment on Hong Kong lawmakers unanimously approve another law giving government more power to curb dissent in ~society
symmetry So this is how liberty dies, with thunderous applause.
I'm personally saddened, but have been in the acceptance phase ever since the first national security law was passed. I have many memories of HK, my birthplace. Summers spent there. Visited again in 2019 (shortly after the protests) and just recently. It's a shadow of its former self.
-
Hong Kong lawmakers unanimously approve another law giving government more power to curb dissent
-
Comment on The limits of the lunchbox moment in ~food
symmetry I would echo that I constantly struggle to relate to any “typical” Asian American moments. I recall coming to the US at a young age where I picked up English in a short period of time, my family lived in the suburbs away from chinatowns or urban areas, and practically no bullies at any of the schools I attended. It really becomes an awkward moment for me (thankfully rare) when I’m asked about the struggles of growing up Asian American. Heck, the term Asian American never felt like a label I identify with. I am American. I also strongly identify with the Asian country I was born in. But there is nothing Asian American I felt about my upbringing.
I think people should be more realistic about the effects of globalization and how immigration has changed in the last century. Nowadays, plenty of people can basically move to the US, watch the same shows as before, eat the same food as before, have a social group that communicates in their mother tongue (or video chat everyday), and no one bats an eye at this.
-
Comment on Your security program is shit in ~comp
symmetry A tad too edgy for me.
I think there is a distinction to be made between what is business and what is security.
The execs come with the ask to get ISO/SOC/whatever, that’s business. As in, we need this to sign a deal, complete some legal requirements, or they need it in order to be at “parity” with competitors.
That’s business. Hiring clueless consultants to do the audits. That’s business too. A good security professional should know better and find a good (or at the very least, reasonable) auditor instead, and use this opportunity to push through actual security changes that otherwise might not have happened. SSO? Security keys? 3rd party pentests? Actually doing backups? Put these as your controls and point to them to say we need this to get X cert, because tons of companies are gonna cut corners if they can. That’s business. A good security program needs to understand that it’s part of a business and act accordingly. To quote Futurama, “When you do things right, people won't be sure you've done anything at all.”
-
Comment on My thoughts: Maple Leaf train between New York City and Toronto in ~travel
symmetry I have taken the Adirondack (pre-pandemic I will note), and I don't recall it being too much of a hassle. Canadian police did a sweep of the train before we got to the border. After passing the border, the train stops at Rouses Point and CBP came on board to check the passport/custom forms. Maybe 30 mins later, we were moving again? It was an ~11-ish hour ride, but I knew that going in and it was kinda nice to travel along a historical part of upstate New York.
I've also traveled on the Amtrak Cascades from Seattle to Vancouver as well. That one felt even easier, as Vancouver was the very next stop after passing the border, so all the customs was done at the end at Pacific Central Station.
-
Comment on Henry Kissinger, American diplomat and Nobel winner, dead at 100 in ~news
-
Comment on Caroline Polachek: Tiny Desk Concert (2023) in ~music
symmetry I would shout out the Japanese version of “I Belong in Your Arms”.
I really enjoyed Chairlift and one of my favorite shows was seeing them live right before they disbanded. Looking back, that really did feel like the final days of the “indie” music from the early aughts.
-
Comment on Tourist destinations that are more than just a nice view? in ~travel
symmetry I truly don't know how it is currently since it's been 4-5 years since I've been. My take is that Istanbul gets so many international tourists that it's fairly accepting. I wouldn't expect that outside of Istanbul though.
-
Comment on Tourist destinations that are more than just a nice view? in ~travel
symmetry I would also like to add that Hamburg is home to the world's largest model railway/miniatures museum, Miniatur Wunderland. Truly an amazing place.
There is the usual German food fare, but my personal fav in Hamburg is their fish sandwich, "Fischbrötchen".
Hamburg is sorta between Berlin and Copenhagen (to an extent, Amsterdam), so there are good options for a nearby "next" place to visit too.
Sure, they probably might recommend a system or a policy for a control. But at the end of the day, it comes down to you (the company) who has to implement it. This is also where having a good rapport with the auditors really helps. At the end of the day, they are the ones that will review and accept your evidence.