IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in the IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

Types of penetration testing

Types of Penetration Tests: A Look at Different Pentest Techniques & Tools

We have a few blogs written on penetration testing. These blogs include information on the steps or phases to properly conduct a penetration test, how penetration tests relate to satisfying SOC 2 requirements, information on how penetration testing compares to vulnerability assessments, and more. Feel free to check out these related blogs: External Penetration Testing […]

Hospitality IT & Cybersecurity Compliance Guide

IT Security Compliance in Hospitality: A Friendly Field Guide from the Lobby to the Server Room

I spent many years in the hospitality industry, helping guide hospitality companies through their compliance journeys, working with ownership groups to meet their compliance needs and goals, and reviewing technology vendors and their solutions to ensure we were not putting our properties at unnecessary risk. Today, I lead audit engagements at a CPA firm that […]

Risk Governance 101

Risk Governance – What Is It & Where Do I Start?

Risk governance, as defined by NIST, is the “process by which risk management evaluation, decisions, and actions are connected to enterprise strategy and objectives. It provides the transparency, responsibility, and accountability that enables managers to acceptably manage risk.” While this concept is seemingly straightforward, a robust risk governance program has a lot of varied components! […]

Guide to the HITRUST certification process

Expert Guide to the HITRUST Certification Process & Assessment Types

Founded in 2007, HITRUST® issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF®). This guide will walk you through the HITRUST certification process, explain all available assessment types (e1, i1, r2), introduce newer offerings tailored to AI systems, and provide guidance on maintaining certification over time. […]

IT governance (GEIT) and SOC 2

IT Governance (GEIT) & SOC 2: Navigating Today’s Complex Risk Landscape

In a world where digital risk, regulatory expectations, and emerging technologies are accelerating, strong IT Governance remains foundational. SOC 2 compliance continues to be a key mechanism for service organizations to show they have strong controls. Understanding how IT governance and SOC 2 align, and where recent changes affect that alignment, is more critical than […]

Audit risk assessment guide

Navigating Audit Risk Assessment: Your Path to Compliance

Audit risk assessments are an integral part of any company’s internal control structure and are relevant to compliance frameworks, including SOC 2, HIPAA, and ISO 27001. Risk assessments can be daunting as they encapsulate risks across an entire company, and it can be difficult to understand what considerations should be taken and even where to […]

Are you FedRAMP ready?

Are You Really FedRAMP Ready? What It Actually Takes

Many cloud services and SaaS providers are eager to enter the federal market, but many underestimate what it really takes to achieve a FedRAMP authorization. FedRAMP is not just a checklist or an exercise in paperwork; it’s a high-stakes, high-complexity, and high-cost project that demands the right people, the right systems, the right […]

Guide to ISO/IEC 27018 cloud privacy

ISO/IEC 27018: A Practical Guide to Cloud Privacy and Certification

In an era where organizations increasingly rely on the cloud to manage sensitive information, protecting personal data is no longer just a best practice—it’s a business imperative. ISO/IEC 27018 steps in as a purpose-built privacy standard designed to help public cloud service providers handle personally identifiable information (PII) responsibly and transparently. Focused on real-world challenges […]

Guidance for compliance training

Compliance Training – Insights & Guidance For Your Organization

With the frequent personnel changes that many companies are experiencing right now, it’s important to consider how turnover affects companies’ compliance efforts. Almost every company is required to comply with some type of law, rule, regulation, or reporting standard. This blog post will provide some ideas for helping to provide sufficient compliance training as part […]