IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

Leveraging your GCP SOC 2 Report

Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS

A few years ago, I was working with a scrappy, fast-growing SaaS startup getting ready for their first SOC 2 audit. They had great tech, strong leadership, and loyal customers—what they didn’t have was a dedicated security team. The CTO greeted me with a tired laugh and a spreadsheet labeled “SOC 2 Checklist?”—the question mark […]

2025 FedRAMP updates

The FedRAMP 2025 Overhaul: Transforming Federal Cloud Security

The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 by the U.S. Office of Management and Budget (OMB) through Memo M-12-03, in response to the federal government’s increasing adoption of cloud technologies. Its primary goal was to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services […]

Mapping AWS Controls to SOC 2

Mapping AWS Controls to Your SOC 2 Requirements: What You Need to Know

Many software-as-a-service (SaaS) companies rely on Amazon Web Services (AWS) as the backbone of their infrastructure—and for good reason. AWS’s robust physical, network, and operational controls offer a strong foundation for building secure, scalable systems. But having AWS controls in place is not the same as demonstrating to your auditor that your controls meet the […]

CMMC Compliance SSP Creation

Guide To Creating a CMMC Compliant System Security Plan (SSP)

Your company, the Organization Seeking Assessment (OSA), has determined that it has to achieve CMMC Level 2 certification to be in compliance with contractual requirements with the Department of Defense (DoD) as defined in 32 CFR Part 170. An initial and critical step in attaining CMMC Level 2 certification is creating a system security plan […]

Audit sampling in SOC examinations

Audit Sampling in SOC Examinations

In completing SOC 1 and SOC 2 examinations (and most other types of audits), there is testing involved to determine the operating effectiveness of controls. There are different types of tests that can be applied to testing controls, and completing most of these tests requires selecting a sample from the relevant population. In this […]

SOC 2 Data Centers: How to become compliant

SOC 2 Compliance and the Evolving Data Center Landscape

Data centers have always possessed a certain mystique. They are places where blinking lights, humming machines, and climate control technology make you feel as though you have stumbled into a top-secret bunker straight out of a sci-fi movie. Today, however, data centers are far more than buzzing, refrigerator-like facilities. They are the backbone of modern […]

Patch Management: A Guide for Implementation & Best Practices

Patch Management Process: A Guide for Implementation & Best Practices

A few years ago, during a SOC 2 audit for a mid-sized SaaS company, we noticed a gap: their patch management program looked solid on paper, but the execution was flawed. The client had a policy that mentioned monthly updates, a ticketing system for patch deployment, and even a patch management report that was presented […]

SOC Audit Failure: Common mistakes to avoid

SOC Audit Failure: Common Audit Mistakes to Avoid

In performing SOC audits for Linford & Co, the clear majority of organizations do a great job providing reasonable assurance they are meeting all their controls. But I wanted to hit on a list of seven common mistakes that seem to pop up, to hopefully help your organization identify them before they become

Leveraging AWS SOC 2 Reports

Leveraging AWS SOC 2 Reports: Building a SOC 2 Compliant SaaS

Many of our clients have built a Software-as-a-Service (SaaS) application on top of AWS and are leveraging AWS controls as part of their systems environment. One reason our clients do this is to leverage the AWS SOC 2-compliant infrastructure. Service organizations like AWS have their own SOC 2 report to provide assurance to stakeholders that […]

SOC report review guidance

SOC Review Guidance: Tips for Reading SOC 1 & SOC 2 Reports

Many U.S. companies receive what, until recently, were called SAS 70 audit reports from certain types of vendors.