IT Audit & Compliance Blog

Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between [...]

What is an Enterprise Environment? From a technology perspective, an enterprise environment is the total of all information assets that support the process, storing, or transmission of data that supports the business functions of an organization. Such assets include everything from user endpoints (e.g., laptops, phones, tablets), to servers (virtual or physical), data storage, network [...]

Organizations are continuously challenged in preparing for and performing an audit. Audits are commonly performed in large blocks of effort and treated like a project. Significant time and resources are often allocated to audit projects. To make things more challenging, audits are often time-bound and must be completed by a specified date. Additionally, audits are [...]

Static code analysis and static code reviews are key controls in a company’s control environment, specifically related to the system development lifecycle and change management processes, and should be considered for inclusion in a company’s SOC 2 control inventory. Adopting static code analysis and static code reviews and integrating these controls into a Company’s control [...]

Risk evaluation and mitigation strategies for SOC 2 compliance is something I am being asked more frequently about by many first-time clients. In the following paragraphs, I will be discussing requirements for service organizations to consider when contemplating or undergoing a SOC 2 audit. Specifically, risk assessment and mitigation strategies in place at the service [...]

Over the last few years, there has been a proliferation of SOC 2 audit and compliance tools coming to market. The companies providing the tools are promising to help clients prepare for and complete audits in record time. There is venture capital interest in the tools as well, with 200+ million in backing to date. [...]

What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is to “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 [...]

Vulnerability management, in general, is supported by the idea that once an organization identifies a vulnerability that exists within its environment, proper steps should be taken to remediate that vulnerability. Those steps include being prepared, knowing when to identify the vulnerability, analyzing the vulnerability, communicating information to the right individuals internal and external to the [...]

In order to perform a HITRUST® assessment, you must be able to score your organization’s control environment compliance with the HITRUST CSF® Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments (more info). Understanding how to use the HITRUST Maturity Model to accurately rate your controls’ compliance is critical as [...]

Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors to provide oversight of internal controls. For small businesses or [...]