When your business runs on technology – and let’s face it, whose doesn’t these days? – you’re not just relying on servers and software. You’re betting your reputation, your client trust, and often your entire operational capacity on systems you can’t see and barely touch. That’s where Information Technology (IT) audits step in. They’re not […]
IT Audit & Compliance Blog
The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, and FedRAMP Assessments, NIST & CMMC, and Penetration Testing.
What is PCI Compliance?
PCI compliance refers to an entity implementing the data security standards promulgated by the Payment Card Industry (PCI). The PCI Data Security Standard (DSS) applies to organizations involved with payment card processing, including merchants, processors, acquirers, issuers, and service providers that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). If your […]
The HITRUST Ecosystem: What the 2025 Trust Report Tells Us About Cybersecurity Maturity
The 2025 HITRUST Trust Report is more than just a retrospective on certification trends—it is a reflection of where cybersecurity assurance is heading. In a landscape where compliance complexity is growing and AI is rapidly transforming risk dynamics, the HITRUST ecosystem stands out as a scalable, rigorous, and data-driven model for building trust. Whether you’re […]
Vulnerability Scanning: Importance of Vulnerability Scans in SOC 2 Audits
In a landscape where cyber threats are growing more sophisticated by the day, understanding an organization’s vulnerabilities is a strategic imperative for security and compliance. Conducting vulnerability scans is a key component in helping prevent successful external adversary attacks. In this article, I will discuss what vulnerability scans are, the common types, and actions your […]
Maintaining Access Control Post-Implementation: Guidance from an Auditor
Access control encompasses a broad range of concepts and practices that can vary significantly depending on an organization’s industry, risk appetite, and compliance requirements. This blog focuses specifically on the post-implementation phase of access control. It discusses the critical questions: “Once access controls are in place, how do you make sure they remain effective? What […]
Leveraging the Azure SOC 2 – How to Build a SOC 2 Compliant Product or Service
Let me tell you a secret: Auditors don’t hate IaaS cloud platforms. We just dislike cloud chaos. As a SOC 2 auditor, I’ve seen things. Shared administrator accounts. Production secrets in plaintext. And one time—brace yourself—a company used a whiteboard to track administrator access credentials. I wish I were kidding. Every once in a while, […]
Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS
A few years ago, I was working with a scrappy, fast-growing SaaS startup getting ready for their first SOC 2 audit. They had great tech, strong leadership, and loyal customers—what they didn’t have was a dedicated security team. The CTO greeted me with a tired laugh and a spreadsheet labeled “SOC 2 Checklist?”—the question mark […]
The FedRAMP 2025 Overhaul: Transforming Federal Cloud Security
The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 by the U.S. Office of Management and Budget (OMB) through Memo M-12-03, in response to the federal government’s increasing adoption of cloud technologies. Its primary goal was to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services […]
Mapping AWS Controls to Your SOC 2 Requirements: What You Need to Know
Many software-as-a-service (SaaS) companies rely on Amazon Web Services (AWS) as the backbone of their infrastructure—and for good reason. AWS’s robust physical, network, and operational controls offer a strong foundation for building secure, scalable systems. But having AWS controls in place is not the same as demonstrating to your auditor that your controls meet the […]
Guide To Creating a CMMC Compliant System Security Plan (SSP)
Your company, the Organization Seeking Assessment (OSA), has determined that it has to achieve CMMC Level 2 certification to be in compliance with contractual requirements with the Department of Defense (DoD) as defined in 32 CFR Part 170. An initial and critical step in attaining CMMC Level 2 certification is creating a system security plan […]