IT Audit & Compliance Blog

The Linford & Company Blog is written by our own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in the IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

SOC 2 automation tools

AICPA FAQs on SOC 2 Automation Tools: Insights from an Auditor

Over the last few years, there has been a proliferation of SOC 2 audit and compliance tools coming to market. The companies providing these tools promise to help clients prepare for and complete audits in record time. There is venture capital interest in the tools as well, with 200+ million in backing to date. […]

Understanding the NIST privacy framework

Understanding the NIST Privacy Framework: Insights from an Auditor

What is NIST, and why is it important? The National Institute of Standards and Technology (NIST) is a government agency whose mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” NIST was established in 1901 […]

Vulnerability management maturity model

Vulnerability Management Maturity Model, Procedures, Threats, & More

Vulnerability management rests on a simple idea: once an organization identifies a vulnerability in its environment, it should take proper steps to remediate it. Those steps include being prepared, identifying the vulnerability, analyzing it, communicating information to the right individuals internal and external to the […]

How to score HITRUST CSF controls

How to Score HITRUST CSF Controls

In order to perform a HITRUST assessment, you must be able to score your organization’s control environment against the HITRUST CSF Maturity Model. The maturity model is used for scoring both Self-Assessments and Validated Assessments. Understanding how to use the HITRUST Maturity Model to accurately rate your controls’ compliance is critical as […]

Board of Directors SOC 2 Guidance

Board of Directors – Is One Required For a SOC 2 Audit?

Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors to provide oversight of internal controls. For small businesses or […]

Corrective action plans for audit results

Corrective Action Plans 101: Guide for Managing Audit Findings

If your organization has gone through an audit against a compliance framework, whether it be SOC 1, SOC 2, HITRUST, FedRAMP, or HIPAA, you might shudder at the thought of the words “findings,” “gaps,” and “deficiencies.” However, even an audit with a favorable outcome (e.g., an unqualified opinion, certification, or authorization) could come with findings and recommendations […]

What is cyber threat intelligence (CTI)

Cyber Threat Intelligence – What It Is & How It Relates to SOC 2 Audits

Cyber Threat Intelligence (CTI) encompasses the people, processes, and technologies that a company uses to proactively identify and mitigate threats to its brand, assets, employees, third parties, and clients. In simple terms, the goal of CTI is to stay one step ahead of malicious actors and take action before an attack occurs or avoid the […]

Why are audit trails important?

Audit Trails for the SOC 1/SOC 2 Audit & Investigative Processes

Consider this: an organization has an internal or external audit about to start, or an incident has occurred that needs to be investigated. Each of these activities requires evidence to support the who, when, what, where, and why of the activity. One way to produce that evidence is to trace the activity through an audit trail. […]

Understanding control objectives and activities

Control Objectives & Activities: What Are They & What’s Appropriate?

When we are approached by a prospective client to perform a SOC 1 (formerly SSAE 16) audit, we ask what control objectives they want to include in the scope of the examination. In some cases, they have responded with their own question: What is a control objective? This blog will address that question, as […]

Insider threats in cyber security

Insider Threats in Cyber Security: Risks They Pose & How to Mitigate Them

If you were asked what every company or organization has in common, what would you say? There are many potential answers, but one thing is certain: all companies and organizations are at risk from internal cyber security threats. There is a lot of attention in the media on companies being hacked by external parties […]