Brian Sandenaw

In a recent Linford & Co. article, Partner Richard Rieben illuminated some of the growing problems with the SOC 2 assurance – particularly mentioning check-the-box audits, the lack of quality inherent in bargain-basement assessments, and threats to independence. These are all problems that go largely unchecked due to the lack of oversight from a governing [...]

HITRUST has issued an interesting third-party report on the ROI of a HITRUST certification. It focuses on quantifiable and qualitative outcomes such as ROI, operational efficiency, business growth, and risk reduction. As an external HITRUST assessor with many years of experience with HITRUST and many completed assessments, it piqued my interest, and I wanted to [...]

The Cloud Security Alliance is a non-profit organization that promotes the use of best practices for providing secure cloud computing. Since 2010, the CSA has released four versions of a free Cloud Controls Matrix for public use. [...]

Many organizations do a tabletop test each year of their Incident Response (IR) or Business Continuity/Disaster Recovery (BC/DR) plan to evaluate its effectiveness and make sure it’s current. While tabletop is generally the weakest form of testing and has some significant limitations, there are some things that can be done to make it a better [...]

With the use of cloud technology trending upward, many cloud companies are touting themselves as “HIPAA certified.” In fact, there is no such thing as a HIPAA certification. [...]

It’s been discussed elsewhere what the Cloud Security Alliance is and what their CSA Security Trust Assurance and Risk (STAR) program entails. To summarize, the CSA STAR program provides a Cloud-focused alternative to the more traditional audits. It’s based on the CSA Cloud Controls Matrix (CCM) and offers multiple levels of certification/attestation and a flexible [...]

In previous articles, we’ve covered what HITRUST® is and how to get HITRUST certified, but one very frequent question is, “What’s the difference between HIPAA vs HITRUST?” While they both relate to information security, and HITRUST initially began as part of HIPAA, they’re very different concepts. Let’s dive in. What Is the Difference Between HIPAA [...]

Any time we make “first contact” with someone who needs a HITRUST® assessment there are always 3 overarching questions, “What is this going to cost?”, “How hard is this going to be?”, and the question I will be covering in this article – “How long is this going to take?” In the past, before the [...]

Any organization that has completed a HITRUST® assessment knows they represent a significant amount of effort and a significant commitment to compliance and certification. While many HITRUST levels of certification are only good for one year, HITRUST’s r2 certification is good for two years, but…the HITRUST r2 certification requires an ‘interim’ assessment every other year [...]