Kevin Anderson

Imagine an employee at your organization is terminated, but due to a communication gap or manual off-boarding process, their account isn’t disabled. Weeks later, another employee needs access to restricted data but hasn’t yet received approval for such access. Frustrated with delays, this employee uses the former employee’s still-active credentials to access the restricted data. [...]

One of the most common requests I get from organizations preparing for a SOC 2 audit is for the SOC 2 control list that specifies the required controls. However, unlike other security frameworks, SOC 2 does not come with a set list of controls. Rather, the amount and type of SOC 2 controls an organization [...]

In recent years, as the digital landscape has evolved with the growth of cloud-based environments and tools, SOC 2 Type 2 (also written as Type II) reports have emerged as a basis of trust and assurance for organizations and their stakeholders. But what exactly constitutes a SOC 2 Type 2 report, and why is it [...]

If you have recently completed a Type I SOC report, congratulations! It is no small task to prepare and complete a SOC examination. However, for most companies, a Type I SOC report is just a step in the process of eventually completing a Type II SOC report, as that is what most user entities expect [...]

When preparing for a SOC 1 or SOC 2 examination, service organizations, particularly those who elect to report their subservice organizations using the carve-out method, often conclude that anything related to their subservice organizations is out of scope for their own SOC report. However, that is not the case. This blog will discuss the requirements [...]

I once attended a training where the class was broken out into small groups, and each group was tasked with assembling an elaborate box of blocks and accessories in a precise order to create a motorcycle. However, for this exercise, the instructions were removed from the box and the moderator did not provide any guidance [...]

Data has become a valuable resource for organizations across the world, and large amounts of data are being collected every day. At the same time, there has been an increase in or emphasis on the laws and regulations aimed at providing safeguards for data collected. A tool that can be used to help manage data [...]

Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors to provide oversight of internal controls. For small businesses or [...]