Maggie Cheney

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors. These reports come out once a year, typically in the late Fall. While most organizations do a good job of recognizing the need to request these reports, often they are not properly reviewed and evaluated when received. [...]

Let’s be honest—when you’re juggling daily priorities and a never-ending to-do list, audit risk probably isn’t the first thing on your mind. And hey, maybe the “out of sight, out of mind” approach feels easier. After all, it doesn’t exactly scream excitement, and there’s always something more urgent to handle. But here’s the thing: while [...]

In performing SOC audits for Linford & CO, the clear majority of organizations do a great job providing reasonable assurance they are meeting all their controls. But I wanted to hit on a list of seven common mistakes that seem to pop up to hopefully help your organization identify them before they become [...]

The recent CrowdStrike outage, which caused widespread system crashes and disruptions, served as an important reminder of the interconnectedness and fragility of our world as it relates to technology. While the incident was disruptive and many of our clients can attest to the headaches it caused, it also provided valuable insight into how organizations can [...]

Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. What Is Data Classification & Why Is it Important? Knowing what data your organization collects, uses, [...]

Most people have some degree of familiarity with contracts, but the nuances of contractual requirements related to an audit engagement are not always understood. If you are looking to engage an auditor, or if you have an existing engagement letter with an auditor, it is important to understand these nuances and the requirements for audit [...]

What is operational risk management? And why is operational risk important? Simply defined, operational risk management is a continual process performed to identify and manage the risks inherent to running a business. Risk is fundamental to operating a business, and all businesses have to manage risk of all types, ranging from financial to operational to [...]

What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is to “To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 [...]

I’ll be the first to admit that buzzwords like “information security governance,” “cyber security organizational structure,” and “information security organizational structure” can sound like trendy but otherwise meaningless concepts. My goal is to explain what information security governance is in a way that helps you not only understand the goals of information security governance, but [...]

NIST 800-53, ISO/IEC 27001:2022, PCI, HITRUST, HIPAA, SOC 1, SOC 2, GDPR, CCPA…who needs another compliance framework? It’s an acronym soup, and who can keep them all straight anyway? I’m here to make the case that you may just have room for one more – the NIST Cybersecurity Framework (CSF), particularly if you’re seeking SOC [...]