u/SSJ4_Vegito

I dont know if anyone else has done this but one of our companies is perparing for there first ever SOC 2 audit, and all the changes we need to make get pushed back because "down time isn't acceptable right now". The biggest issue right now is our email filtering system (mimecast) blocking emails from certain companies because there failing DKIM and DMARC checks. I advise that its best to create exceptions for companies by request rather than allowing those emails to be quarantined because someone might open a fraudulent email but this is met with "annoyance". Im just one person as well trying to manage the security operations vs 150 employees. Theres so much work we need to do on the server as well, but the developer keeps saying managment keeps sending new requests in and he has to push back the upgrades i asked him to do (Which is critical since some OS services are operating on EOL)

I dont know where to go from here? Do i demand that we be allocated downtime to make the needed upgrades / changes?

for context, im in-house IT working with our MSP partner.
Currently were going for SOC 2 compliance, and were currently going to enforce DLP with purview.
This project is starting from the ground up. As in, none of the data in our sharepoint database has been tagged. We have some service accounts that also read data from there for quick summarization. There is some major problems were worried about:

-There is about 1.4 Million files on sharepoint currently, and we dont know how well purview will tag a file with a sensitivity label if it contains PII

-We have an additional software that sits over sharepoint (a DMS) that just basically sorts the files on sharepoint for easy organization and retrieval. Were worried the sensitvity labels might ruin access to the file

-my MSP partner warned me that he has seen sharepoint be unreliable at times, and said that right now sharepoint has been working pretty decently with the DMS till now. Any modification to the files might make sharepoint go haywire

-I wanted to also apply encryption but that again, might break the service account

Has anyone ever navigated this before? what would be the best solution here?

for context, im in-house IT working with our MSP partner.
Currently were going for SOC 2 compliance, and were currently going to enforce DLP with purview.
This project is starting from the ground up. As in, none of the data in our sharepoint database has been tagged. We have some service accounts that also read data from there for quick summarization. There is some major problems were worried about:

-There is about 1.4 Million files on sharepoint currently, and we dont know how well purview will tag a file with a sensitivity label if it contains PII

-We have an additional software that sits over sharepoint (a DMS) that just basically sorts the files on sharepoint for easy organization and retrieval. Were worried the sensitvity labels might ruin access to the file

-my MSP partner warned me that he has seen sharepoint be unreliable at times, and said that right now sharepoint has been working pretty decently with the DMS till now. Any modification to the files might make sharepoint go haywire

-I wanted to also apply encryption but that again, might break the service account

Has anyone ever navigated this before? what would be the best solution here?

A few months ago one of our major clients requested a soc 2 report, but we had never had done anything like that. Me and the operations mamager was tasked with getting it done. We found a auditing company and did a gap analysis. Ive worked extensively with them. I gained a tremendous amount of experience with them, I conducted the companies first risk assessment, creates the companies risk register, drafted all types of policies for the different divisions, I mean alot. I liked doing this work so much that I took the cissp exam and passed. However, the operations manager left and now im tasked with handling the IT management for this 125 employee based company, and continuing the soc 2 efforts. Im also stuck between 2 managers, one who cares about it and another who doesn't. The one that doesn't care has been making my life a living hell, I still have to handle the deployment of computers, ms licenses, account on boarding and off boarding, and basic help desk requests for his department. I seriosuly have had barely anytime to do the soc 2 work. At this point im thinking about jumping to another position with a different company fully related to soc 2 work and/or iso 27001 work. Ive asked my company to at least hire a help desk worker and they said no. Would it be bad if left​​ at this time of the project? Everything ive set in place is pretty much on its way to be at a better standing (developed sdlc policy, new mfa requirements across the board, and upgrading the servers to be on actively supported services and deploying EDR agents to all work stations, more work as well) so if I leave I think the teams have a good idea of what to do.

--

I love this side of grc work and really want to continue focusing on this role. Is this enough experience to get a directing position related to this work? Would yoh guys do this? Or should I stick it out to the end? I expect us to be audit ready by the end of the summer

So I've done a Risk assessment on the company and discovered one of the servers they use is in a bad situation. The 3 critical problems are:
EOL of services (PHP, apache, and some others)
the data is sitting undecrypted currently
back ups are done but not tested

My first priority was to get the services upgraded to no longer be on EOL services
The 2nd issue is encrypting data.

However managment cannot approve the downtime of the server since the administrator said He can not encrypt the data on there since it would break the way SQL indexs files for searching. forcing him to completely rebuild the server from scratch. The entire company relies on its services for billing purposes. It would suffer to much lost revenue from the downtime.

Im at a pretty bad crossroads and dont know how to go about this. Im thinking as a compensating control we have users manually label data that contains PII / financial data (Which is really only about 15-20% of the data on the server, rest is publicly available data) so that we can then have those encrypted with "key words" added as tags so that if they need to search the file it can come up.

What would be an acceptable compensating control if we don't encrypt the entire database?
Has anyone suffered this issue before? how did you guys go abou it?