Upon scanning through the Common Criteria for a SOC 2, it doesn’t take long to come across criteria related to governance and the overall control environment. In particular, Common Criteria 1.2 (CC1.2)/COSO Principle 2 specifically addresses the role and expectations of the board of directors to provide oversight of internal controls. For small businesses or […]

If your organization has gone through an audit against a compliance framework, whether it be SOC 1, SOC 2, HITRUST, FedRAMP, or HIPAA, you might shudder at the thought of the words “findings,” “gaps,” and “deficiencies.” However, even an audit with a favorable outcome (e.g. unqualified opinion, certification, authorization) could come with findings and recommendations […]

Cyber Threat Intelligence (CTI) encompasses the people, processes, and technologies that a Company uses to proactively identify and mitigate threats to its brand, assets, employees, third parties, and clients. In simple terms, the goal of CTI is to stay one step ahead of malicious actors and take action before an attack occurs or avoid the […]

Consider this, an organization has an internal or external audit about to start or an incident has occurred that needs to be investigated. These activities each require evidence to support the who, when, what, where, and why of the activity. One way this can be done is by tracing the activity through an audit trail. […]

When we are approached by a prospective client to perform a SOC 1 (f. SSAE 16) audit, we will ask what control objectives they want to include in the scope of the examination. In some cases, they have responded with their own question: What is a control objective? This blog will address that question, as […]

If you were asked what every company or organization has in common, what would you say? Well, there are many potential answers, but one thing is for certain — all companies/organizations are at risk for internal cyber security threats. There is a lot of attention in the media about companies being hacked by external parties […]

Imagine that your system is under attack and your customers are unable to access your system because of this disruption in service. What do you do next and how do you respond? This is where incident management comes into play. An effective incident management process and incident response plan helps to return your system to […]

Service organization environments are ever-changing. As the organization adapts, the systems used by the service organization change in alignment. This process of migrating to a new application or migrating your infrastructure to the cloud can be significant, not just to the organization, but to the service organization’s users. What is a Data Migration & When […]

Simply put, yes, blockchain companies should be audited. Many organizations rely on blockchain companies to perform key services in support of the user organization’s operations. Those services may include, but are not limited to, processing financial transactions, including crypto and Non-Fungible Tokens (NFTs), sharing medical data, supply chain, and logistics monitoring, and administration and execution […]

Security controls are a critical component to meet a Company’s primary SOC 2 goals of security, availability, processing integrity, confidentiality, and privacy of data. There are different control types that can be implemented, and each control that is mapped to a control type is represented with a different identified functionality and purpose. Controls are put […]