Rubber chicken mutex, interesting. Also, on NIST and the AWS certification: the controls are supposed to be allocated as instances, so there are in practice sometimes more than the few hundred _types_ (or classes) mentioned for any non-trivial system. There may also be less; the parallel Canadian process is clear enough that only ones that apply to a given system (based on their governing instruments) are to apply (and there is a way to determine this). That said, I agree - the "we're regulated" is not an excuse. (I do hear it, still, alas.)
Dude, that pain-ridden laughter at 14:17, I know it all too well :(
So many valuable insights - thanks a lot for sharing!