About L&Co Staff Auditors


Linford & Co., LLP, founded in 2008, is composed of professional, certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP, and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, and GSEC licenses and certifications. Learn more about our company and our leadership team.

ALL ARTICLES BY L&Co Staff Auditors:

Complementary Subservice Organization Controls (CSOCs), Cloud Considerations, & SOC Reports

Gartner analysts have said that more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute their digital strategies without cloud-native architectures and technologies. With this ever-increasing move to cloud environments, do you know what complementary subservice organization controls are, how to distinguish […]


Connecting IT Governance (GEIT) & SOC 2

With today’s rapid development and advancement in technology, organizations are more challenged than ever to align business and IT strategies with their objectives, establish company-wide IT governance, and classify data. Failing to prioritize your company’s IT governance limits the benefits you can realize from your IT investments. By auditing IT governance implementation, strategies, processes, and controls, organizations can ensure their IT portfolio […]


Security Maturity Models: Common Levels of Maturity & How They’re Evaluated

With an ever-changing landscape of security threats, tools, and resources, organizations should periodically evaluate their security maturity and make improvements to maintain a well-balanced security posture. In this article, we explore the concept of the capability maturity model with a focus on security maturity in an […]


When, How, And Why To Use A Risk Matrix

All SOC 2 examinations must include the security common criteria. This includes reviewing a company’s (i.e., the entity’s) risk assessment process: the risks identified, the risk matrix, the controls in place to address those risks, and so on. However, one of the challenges the AICPA has found with risk assessments is that companies are unclear on what […]


The SOC 2 Risk Assessment Criteria: Through the Eyes of an Auditor

The most important common criterion tested within a SOC 2 report is the risk assessment. An organization’s risk assessment is the heart and soul of the SOC 2 report. Unfortunately, there are many consequences of lacking well-defined risk assessment and risk management processes: business/system failure; financial loss; noncompliance with national and foreign laws, regulations, and […]


Defense-in-Depth: What it is & How it Relates to SOC 2 Compliance

This article gives a high-level overview of the concept of defense-in-depth and ties it to the ability to meet SOC 2 requirements. What is the Principle of Defense-in-Depth? Defense-in-depth is a broad concept with many layers of detail, but I will provide a high-level overview to help those unfamiliar […]


PII, PHI, PCI: Understanding the Differences for Compliance

Personally Identifiable Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all categories of information that require heightened controls to protect the individuals they describe from exploitation. This year alone has seen significant breaches of personal data at Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]


PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits

Clients often ask me whether the policies and processes put in place for Payment Card Industry Data Security Standard (PCI DSS) compliance can be reused to pass their System and Organization Controls (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]


What is a Business Continuity Plan? Importance & SOC 2 Requirements

Business continuity planning is critical to any organization. What do you do, and how do you respond, when a disaster causes a disruption or outage of your services? This is where a business continuity plan (BCP) and a disaster recovery plan (DRP) come into play. An effective business continuity plan helps to maintain normal […]