With an ever-changing landscape of security threats and available tools and resources, it is important for organizations to periodically evaluate their security maturity and seek to make improvements to maintain a well-balanced security posture. Throughout this blog, we will explore the concept of the capability maturity model with a focus on security maturity in an […]
About L&Co Staff Auditors
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.
PII, PHI, PCI: Understanding the Differences for Compliance
Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all information requiring heightened controls to protect the owning person from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]
What is Audit Fatigue? How to Mitigate Common Stresses From Multiple Audits
Think of the types of compliance audits or assessments that an organization may have throughout the year – SOC 1, SOC 2, PCI DSS, HIPAA compliance audits, Internal Audits, FedRAMP, and HITRUST assessments, just to name a few. The list seems to grow ever longer as new regulations are added. The origination of an audit could […]
PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits
Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]
What Are Access Management Controls? Guidance for Audit Compliance
One of the key parts of security compliance consists of access management controls. Whether your organization is aiming for compliance with the AICPA’s SOC criteria, NIST framework, GDPR, or even HIPAA certification, access controls play a key role in the internal control environment. Throughout this blog, we will explore the types of common access management […]
What is Data Classification? Data Classification Levels and Compliance
Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. Knowing what data your organization collects, uses, stores, processes, and transmits and the level of security […]
Why Is Internal Audit Planning Critical To An Effective Audit?
The task of internal audit planning can be overwhelming and involve many individuals. Sometimes it is difficult to even know where to begin. In this article we will break down a few of the common questions when it comes to an internal audit, elaborate on the key steps to the internal audit planning phase, and […]
HIPAA Security Rule Requirements & Implementation Specifications
Compliance with the requirements of the HIPAA Security Rule starts with understanding how it is constructed. The HIPAA Security Rule is part of the overall HIPAA Privacy and Security Rule and consists of standards and implementation specifications. Per HIPAA Security Safeguards: Each Security Rule standard is a requirement: a covered entity must comply with all […]
What is the Scope of HIPAA Compliance?
The first step in conducting a HIPAA security compliance audit is to “take inventory” of the electronic protected health information (ePHI) environment.
HIPAA Risk Assessment: Security Compliance vs Risk Analysis – What is the Difference?
Throughout 2018 and 2019, the OCR identified the failure to conduct an adequate risk assessment as a key finding in nearly half of its settlements, making it the largest single source of identified HIPAA violations. Many organizations undergo some level of third-party reporting on their compliance with the HIPAA Security Rule. Generally these […]