About L&Co Staff Auditors

Linford Team Icon

Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.

ALL ARTICLES BY L&Co Staff Auditors:
Understanding security maturity models

Security Maturity Models: Common Levels of Maturity & How They’re Evaluated

With an ever-changing landscape of security threats and available tools and resources, it is important for organizations to periodically evaluate their security maturity and seek to make improvements to maintain a well-balanced security posture. Throughout this blog, we will explore the concept of the capability maturity model with a focus on security maturity in an […]


PII, PHI, PCI: Understanding the Differences for Compliance

Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all information requiring heightened controls to protect the owning person from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]

PCI & SOC 2 audit requirements

PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits

Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]

Guidance for access management controls

What Are Access Management Controls? Guidance for Audit Compliance

One of the key parts of security compliance consists of access management controls. Whether your organization is aiming for compliance with the AICPA’s SOC criteria, NIST framework, GDPR, or even HIPAA certification, access controls play a key role in the internal control environment. Throughout this blog, we will explore the types of common access management […]

what is data classification?

What is Data Classification? Data Classification Levels and Compliance

Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. Knowing what data your organization collects, uses, stores, processes, and transmits and the level of security […]

Internal Audit Planning

Why Is Internal Audit Planning Critical To An Effective Audit?

The task of internal audit planning can be overwhelming and involve many individuals. Sometimes it is difficult to even know where to begin. In this article we will break down a few of the common questions when it comes to an internal audit, elaborate on the key steps to the internal audit planning phase, and […]

HIPAA Security Rule Requirements

HIPAA Security Rule Requirements & Implementation Specifications

Compliance with the requirements of the HIPAA Security Rule starts with understanding how it is constructed. The HIPAA Security Rule is part of the overall HIPAA Privacy and Security Rule and consists of standards and implementation specifications. Per HIPAA Security Safeguards: Each Security Rule standard is a requirement: a covered entity must comply with all […]

HIPAA risk assessment

HIPAA Risk Assessment: Security Compliance vs Risk Analysis – What is the Difference?

Throughout 2018 and 2019, the OCR has identified the failure to conduct and adequate risk assessment as a key finding in nearly half of their settlements. Making it the largest single source of identified HIPAA violations. Many organizations undergo some level of third party reporting on their compliance with the HIPAA security rule. Generally these […]