About Maggie Cheney (Partner | CRISC)

The recent CrowdStrike outage, which caused widespread system crashes and disruptions, served as an important reminder of the interconnectedness and fragility of our world as it relates to technology. While the incident was disruptive and many of our clients can attest to the headaches it caused, it also provided valuable insight into how organizations can […]

Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. What Is Data Classification & Why Is it Important? Knowing what data your organization collects, uses, […]

Most people have some degree of familiarity with contracts, but the nuances of contractual requirements related to an audit engagement are not always understood. If you are looking to engage an auditor, or if you have an existing engagement letter with an auditor, it is important to understand these nuances and the requirements for audit […]

What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to […]

What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is to “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 […]

I’ll be the first to admit that buzzwords like “information security governance,” “cyber security organizational structure,” and “information security organizational structure” can sound like trendy but otherwise meaningless concepts. My goal is to explain what information security governance is in a way that helps you not only understand the goals of information security governance, but […]

Of all the day-to-day priorities and to-do’s, worrying about audit risk probably has not risen to the top of your list. Should it? Maybe “out of sight, out of mind” is a better approach? It seems like a boring thing to think about, and you probably have more pressing matters on your mind. While this […]

NIST 800-53, ISO/IEC 27001:2022, PCI, HITRUST, HIPAA, SOC 1, SOC 2, GDPR, CCPA…who needs another compliance framework? It’s an acronym soup, and who can keep them all straight anyway? I’m here to make the case that you may just have room for one more – the NIST Cybersecurity Framework (CSF), particularly if you’re seeking SOC […]

“What are the responsibilities of management and the auditor in relation to internal control?” is a question we often hear from our clients and potential clients. We’ve talked a lot about what the auditor’s responsibilities are in an audit, but what about company management’s responsibilities in an audit? If you sign up for a SOC […]

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late Fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. So, what do you do with the report once it has been received other than give it the internal and external auditors?