I recently completed a SOC 2 Type I audit and tools like Lynis are indispensable not only to configure your servers according to a standard, but more importantly being able to produce evidence that the servers meet the standard.
This tool looks like it is for AWS / GCP accounts and helps to both secure and to prove audit and compliance. The easier it is for the auditor to review your controls and evidence, the easier it is to pass the audit. Really looking forward to using this tool and checking to see what has changed in the CIS.
That's exactly one of the use cases we are targeting. Beyond the standard benchmarks, Steampipe has a simple HCL + SQL language to write your own controls [1]. It feels like writing Terraform, but is for operational and security controls.
Hope you can give it a try, we'd love your feedback and suggestions!
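As an added illustration of the HCL + SQL control style mentioned above (example written for this thread, not code from the Steampipe project), the mod below defines one custom control and wraps it in a benchmark. It assumes the Steampipe AWS plugin's `aws_s3_bucket` table with its `versioning_enabled` column, and the control SQL returns the `resource`, `status` and `reason` columns the framework expects.

```hcl
# mod.sp: minimal mod header for a local set of custom controls (assumed names)
mod "local_controls" {
  title = "Custom S3 controls"
}

# One control: every bucket in the account must have versioning turned on.
# The query must emit resource / status / reason; extra columns become
# dimensions in the report (here: region and account_id).
control "s3_bucket_versioning_enabled" {
  title       = "S3 buckets should have versioning enabled"
  description = "Versioning lets you recover objects after accidental deletion or overwrite."
  severity    = "medium"

  sql = <<-EOT
    select
      arn as resource,
      case
        when versioning_enabled then 'ok'
        else 'alarm'
      end as status,
      case
        when versioning_enabled then name || ' has versioning enabled.'
        else name || ' does not have versioning enabled.'
      end as reason,
      region,
      account_id
    from
      aws_s3_bucket;
  EOT

  # Free-form tags are what you would map back to your own control catalogue
  # (e.g. the SOC 2 criterion or internal control id an auditor asks for).
  tags = {
    framework = "internal"
    control_id = "STOR-001"
  }
}

# A benchmark groups controls so one run produces a single evidence report.
benchmark "storage_hygiene" {
  title    = "Storage hygiene"
  children = [
    control.s3_bucket_versioning_enabled
  ]
}
```

With the mod files in the working directory, the benchmark is run with `steampipe check benchmark.storage_hygiene` (assumed invocation), and the per-resource ok/alarm rows are the evidence an auditor can review.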
Hmmm. The stuff for HIPAA isn’t great. If this is meant to actually be of value to covered entities and business associates then NIST CSF (and related) is the benchmark to use.
There are known gaps in HIPAA per OCR. The actual expectation is that entities identify these gaps under the annual risk management mandate thus the more frequently updated NIST is what’s preferred (or even HITRUST…yuck)
I haven’t seen many engineers who know the first thing about controls. But it’s literally most of what internal audit, compliance, privacy & risk people do.
How about an export feature from Archer or <name your internal audit tool here> that would save everyone a bunch of time and effort.
The other issue is that most of these client audits are a Word or Excel doc. Throwing your SOC back at them doesn't work in most cases.