Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.
Gartner analysts said that more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute their digital strategies without the use of cloud-native architectures and technologies. With this ever-increasing move to a cloud environment, do you know what complementary subservice organization controls are, how to distinguish […]
With today’s rapid development and advancement in technology, organizations are more challenged than ever to align business and IT strategies with objectives, establish company-wide IT governance, and classify data. Failing to prioritize your company’s IT governance limits full benefits realization. By auditing IT governance implementation, strategies, processes, and controls, organizations can ensure their IT portfolio […]
With an ever-changing landscape of security threats and available tools and resources, it is important for organizations to periodically evaluate their security maturity and seek to make improvements to maintain a well-balanced security posture. Throughout this blog, we will explore the concept of the capability maturity model with a focus on security maturity in an […]
All SOC 2 examinations must include security common criteria. This includes reviewing a company’s (i.e. entity’s) risk assessment process (risks identified, risk matrix, controls in place to address the risks, etc.). However, one of the challenges that the AICPA has found when it comes to doing risk assessments is that companies are unclear on what […]
The most important common criteria tested within the SOC 2 report is the risk assessment. An organization’s risk assessment is the heart and soul of the SOC 2 report. Unfortunately, there are many consequences for lacking well-defined risk assessment and risk management processes: Business/system failure Financial loss Noncompliance with national and foreign laws, regulations, and […]
This article will outline a high-level overview of the concept of defense-in-depth as well as tie in how the concept relates to the ability to meet SOC 2 requirements. What is the Principle of Defense-in-Depth? Defense-in-depth is a very detailed and ‘in-depth’ concept, but I will provide a high-level base overview to help those unfamiliar […]
Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all information requiring heightened controls to protect the owning person from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]
Think of the types of compliance audits or assessments that an organization may have throughout the year – SOC 1, SOC 2, PCI DSS, HIPAA compliance audits, Internal Audits, FedRAMP, and HITRUST assessments just to name a few. The list seems to ever increase as new regulations are added. The origination of an audit could […]
Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]
Business Continuity Planning is critical to any organization. What do you do and how do you respond when a disaster hits that causes a disruption or outage of your services? This is where a business continuity plan (BCP) and disaster recovery plan (DRP), come into play. An effective business continuity plan helps to maintain normal […]