Well, I'm not talking about everything, or the high level picture.
But I was checking what were called "IT controls" for their systems and a lot of that stuff was straight forward and yes, it did involve some rubber stamping, but a lot of it made sense: "Do you have a written approval process for adding users to this sensitive system?". "Can you show us how you mitigate not having a written process?".
And it wasn't super rare that besides the fact they didn't have the thing I asked for, but sometimes I couldn't even get them to understand why it would be a good idea.
But I was checking what were called "IT controls" for their systems and a lot of that stuff was straight forward and yes, it did involve some rubber stamping, but a lot of it made sense: "Do you have a written approval process for adding users to this sensitive system?". "Can you show us how you mitigate not having a written process?".
And it wasn't super rare that besides the fact they didn't have the thing I asked for, but sometimes I couldn't even get them to understand why it would be a good idea.
A lot of companies are the Wild West :-)