I've seen ClamAV used for PCI compliance too. Probably a lot of certifications that have some "security" component.



SOC-2 requires that you run an antivirus too.


No, it doesn't.

It's very important to distinguish between what is actually required for compliance, and what is being done in the name of compliance, and make sure that "compliance" isn't just abused to shut down discussions easily.

SOC2 does not have any criteria specifically requiring antivirus software.

The actual requirements are more generic; for example CC6.8: "controls to prevent or detect and act upon the introduction of unauthorized or malicious software". That doesn't even sound like an unreasonable requirement to me.

If your company reads "no computer without antivirus" into that, that's on your company (and what they put in their SOC2 Type 1). Of course AV manufacturers will gladly agree that it should be read that way, and auditors will be more familiar with that approach. But if you can achieve the same in a different way, that's ok too - you just have to write it down that way. And the auditors can be reasoned with - their focus is anyway more to verify that you can show evidence (e.g. screenshots) of actually doing what you wrote down.