Get NIST-y

S2 E26

Evidence Collection Without the Compliance Fire Drill

June 30
22 mins

Episode Description

Security questionnaires are not the finish line. They are the opening move in a negotiation, and saying “yes” to everything can create a bigger problem than admitting what is still in progress.


In this episode of Get NIST-y, the cybersecurity and compliance podcast from Blacksmith InfoSec, Jared and Michael talk about turning evidence collection into a recurring habit instead of a Friday afternoon panic spiral.


Takeaways:

- Treat customer security questionnaires like a negotiation, not a checkbox confession booth

- User audits should follow your policy, but monthly IDP reviews can catch offboarding misses and billing weirdness

- Screenshots are not evidence if the underlying work is fake

- Backup “success” logs are not enough if you never test whether restoration actually works


We answer:

- What evidence should an MSP collect regularly so client questionnaires stop becoming fire drills?

- How much evidence is enough before the MSP becomes a full-time document janitor?

- What should small businesses keep when changing vendors so old proof does not disappear?


Make sure to follow the podcast or ask your own questions at:

https://blacksmithinfosec.com/nisty/
