IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, Royalty audits, HITRUST and FedRAMP assessments.

Navigating Compliance Frameworks: SOC 2 vs. HITRUST

Over the past few years, it seems like there is a new compliance framework that companies are required to follow every year. And many companies are trying to understand which one applies, how many they are required to obtain, and how much it is going to cost. This blog will discuss two frameworks: SOC 2 […]

How to Score HITRUST CSF Controls?

Preface: It is important to note that HITRUST changed its scoring mechanism in early 2020. These changes increased the focus on the implementation of controls, as demonstrated by the increased weighting of the implementation criteria (40 vs. 25) and the decreased weighting of the policy criteria (15 vs. 25). In order to perform a […]

Vulnerability Assessment vs Penetration Testing for SOC 2 Audits

As a security practitioner and auditor, questions regarding the differences between vulnerability assessments and penetration testing come up often. Even though seasoned security professionals may already know the answer to a question like this, there are a number of non-security professionals who may need help understanding the differences, the benefits, and the costs. While larger […]

Performing SOC 1 and SOC 2 audit reports in accordance with International Standards (ISAE 3000 & 3402)

International Standards for SOC 1 & SOC 2: ISAE 3000 & ISAE 3402

The evolution of technology and its increased use have led businesses around the world to become more interconnected and interdependent than ever before. Companies of all sizes can now easily reach and serve organizations around the globe, rather than just their own region or country. As services provided by service organizations are increasingly […]

Vulnerability Scanning: Importance of Vulnerability Scans in SOC 2 Audits

In light of prevalent and ongoing public data breaches, understanding where an organization’s vulnerabilities are is of great importance for prevention and security. Conducting vulnerability scans is a key component in helping prevent successful attacks by external adversaries. In this article, I will briefly discuss what vulnerability scans are, the common types, and how they help […]

What is Data Classification? Data Classification Levels and Compliance

Data classification is the underlying focal point of many compliance standards and requirements. Identifying, categorizing, and maintaining data protection can help achieve compliance requirements, reduce legal risk, prioritize the implementation of security controls, and in turn effectively allocate resources. Knowing what data your organization collects, uses, stores, processes, and transmits and the level of security […]

Choosing an Auditor: How Do I Find a Good, Better, Best Auditor?

The client/auditor relationship is unique and strange. Basically, your organization is paying someone to look at your highly confidential information (e.g., financials, systems, processes, and controls) and provide an opinion on that information. I’m sure you’re already aware, but the opinion is not meant for the client, but rather for the readers of the audit […]