Rob Pierce

If your organization handles protected health information—whether in paper form (PHI) or electronic format (ePHI)—you’re subject to the HIPAA Security, Privacy, and Breach Notification Rules. Maybe a client asked you to sign a business associate agreement (BAA), or you’re proactively tightening your security controls. Either way, the question remains: Are you really HIPAA compliant? And [...]

When I audit small to mid-sized SaaS companies in the healthcare space, there’s one assumption I encounter over and over again: “We’re in the cloud, so compliance is handled.” It’s an easy misconception to fall into. After all, AWS, Azure, and Google Cloud talk extensively about HIPAA and HITRUST capabilities. But here’s the quiet truth—moving [...]

It’s a chilly Monday morning in Denver, and I’m standing in the glass-walled conference room of a mid-sized SaaS company. The CTO looks at me, exhausted. “This is our third audit this year,” she says, showing me a color-coded spreadsheet with over 200 controls. “SOC 2, ISO 27001, and now HIPAA. There’s got to be [...]

Let me tell you a secret: Auditors don’t hate IaaS cloud platforms. We just dislike cloud chaos. As a SOC 2 auditor, I’ve seen things. Shared administrator accounts. Production secrets in plaintext. And one time—brace yourself—a company used a whiteboard to track administrator access credentials. I wish I were kidding. Every once in a while, [...]

A few years ago, I was working with a scrappy, fast-growing SaaS startup getting ready for their first SOC 2 audit. They had great tech, strong leadership, and loyal customers—what they didn’t have was a dedicated security team. The CTO greeted me with a tired laugh and a spreadsheet labeled “SOC 2 Checklist?”—the question mark [...]

Many of our clients have built a Software-as-a-Service (SaaS) application on top of AWS and are leveraging AWS controls as part of their systems environment. One reason our clients do this is to leverage the AWS SOC 2-compliant infrastructure. Service organizations like AWS have their own SOC 2 report to provide assurance to stakeholders that [...]

In this article, we will cover some common questions that come up related to SOC 2 reports. SOC 2 does not have to be difficult although, with some of the terminology, it can initially be confusing. So what are SOC 2 reports? Let’s dive in! With today’s prevalence of cloud computing, information security and the [...]

Who likes dealing with regulatory compliance? It’s not the most fun or popular task for organizations to deal with. Yet we live in a world with increasing risks related to information security, increasing regulation, and less time to commit to dealing with these factors. With the proliferation of artificial intelligence (AI) and compliance automation tools [...]

We frequently are asked by our clients and prospective clients, “What are SOC 1 reports and when they should be considered?” Our response is usually a question, “Can your service impact the financial statements of your clients?” In some cases, the prospective client has an immediate answer and describes the financially relevant process. In other [...]

Over the last few years, there has been a proliferation of SOC 2 audit and compliance tools coming to market. The companies providing the tools are promising to help clients prepare for and complete audits in record time. There is venture capital interest in the tools as well, with 200+ million in backing to date. [...]