About Jenny Shen (CISA, CISSP, CCSFP)

Jenny has been in risk advisory and compliance since 2008. She spent 7 years at Ernst & Young where she was responsible for both audit and advisory engagements across financial services, energy, technology, and healthcare sectors. Since 2015, she has been focusing on serving SaaS-based companies, assessing their control environments as part of SOC reporting, HIPAA compliance, and HITRUST certification initiatives. She is a certified information systems auditor (CISA), HITRUST assessor (CCSFP), information systems security professional (CISSP), and AWS cloud practitioner. Jenny received her Bachelor of Science and Master’s degrees in Information Systems Management from Brigham Young University.

ALL ARTICLES BY Jenny Shen (CISA, CISSP, CCSFP):
A guide to regulatory compliance

Navigating Regulatory Compliance – An Auditor’s Insights

With no shortage of regulations around data security and privacy, it’s no wonder that determining which regulations must be complied with and whether your company has compliance gaps can be a daunting task. Regulatory compliance is mandatory, but can be overwhelming. Where should you start? Perform a Risk Assessment Risk assessments are valuable tools for […]

IT risk assessment guidance

IT Risk Assessment and HIPAA Compliance

The HIPAA Security Rule places so much emphasis on the importance of risk analysis that it is positioned as the first requirement of HIPAA compliance. Yet, as we conduct HIPAA compliance gap assessments for organizations, it is rare to find that a formal IT Risk Assessment has been completed, and rarer still to find that […]

What are HITRUST correction action plans (CAPs)

What are HITRUST Correction Action Plans (CAPs)? Answers to Common Questions

Following months of hard work, you and your External HITRUST Assessor finally “complete” the assessment and the assessment dashboard now displays 100% of requirements under the “External Assessor Review Complete” status – now what? For most Assessed Entities, that phase is followed by formulating CAPs for requirement statements as part of a control reference required […]

Corrective action plans for audit results

Corrective Action Plans 101: Guide for Managing Audit Findings

If your organization has gone through an audit against a compliance framework, whether it be SOC 1, SOC 2, HITRUST, FedRAMP, or HIPAA, you might shudder at the thought of the words “findings,” “gaps,” and “deficiencies.” However, even an audit with a favorable outcome (e.g. unqualified opinion, certification, authorization) could come with findings and recommendations […]

What is a security operations center (SOC)

What is a Security Operations Center (SOC) & Why Should You Invest in One?

In our increasingly digital world, cybersecurity is critical to ensure the security, availability, and confidentiality of customer data. Recent events around the world, such as the ransomware attack that forced the shutdown of the nation’s biggest fuel pipeline in May 2021, should be sufficient cause for all businesses to place cybersecurity as their top priority. […]