This article gives a high-level overview of the concept of defense-in-depth and ties in how the concept relates to an organization's ability to meet SOC 2 requirements. What is the Principle of Defense-in-Depth? Defense-in-depth is a detailed and ‘in-depth’ concept, but I will provide a high-level overview to help those unfamiliar […]
IT Audit & Compliance Blog
The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 reports, SOC 2 reports, HIPAA reports, HITRUST and FedRAMP assessments.
Robotic Process Automation (RPA) Audit Process Guide & Impacts
RPA is the automation of digital processes in which a software robot performs the actions a human would otherwise take in an application. The technology simplifies the building, deployment, and management of software robots that emulate human interaction with digital systems and software. In this article, we will outline the use of RPA and the impacts on […]
PII, PHI, PCI: Understanding the Differences for Compliance
Personally Identifiable Information (PII), Payment Card Industry (PCI) cardholder data, and Protected Health Information (PHI) are all categories of information that require heightened controls to protect the individuals they describe from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]
What is Audit Fatigue? How to Mitigate Common Stresses From Multiple Audits
Think of the types of compliance audits or assessments that an organization may have throughout the year – SOC 1, SOC 2, PCI DSS, HIPAA compliance audits, internal audits, FedRAMP, and HITRUST assessments, just to name a few. The list keeps growing as new regulations are added. The origination of an audit could […]
Considerations for Fraud Risk Assessment: COSO Principle 8
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 internal control framework includes five COSO components and 17 COSO principles and is part of the common criteria included in a SOC 2 assessment. The five COSO components include the following: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. For […]
Operating System Hardening: Benefits, Importance, & Other Considerations
In the following paragraphs we’ll discuss what hardening means, the benefits and disadvantages it brings, and where to begin in the process of securing an operating system. Let’s first understand what the hardening process is. The concept of hardening, in relation to computing, refers to making a system more secure through the use of […]
PCI and SOC 2 Audit Requirements: Combining PCI & SOC 2 Audits
Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]
Enterprise Security — 5 Steps to Enhance Your Organization’s Security
What is an Enterprise Environment? From a technology perspective, an enterprise environment is the total of all information assets that support the processing, storage, or transmission of data supporting the business functions of an organization. Such assets include everything from user endpoints (e.g., laptops, phones, tablets), to servers (virtual or physical), data storage, network […]
Agile Auditing from an Insider’s Perspective
Organizations are continuously challenged in preparing for and performing an audit. Audits are commonly performed in large blocks of effort and treated like a project. Significant time and resources are often allocated to audit projects. To make things more challenging, audits are often time-bound and must be completed by a specified date. Additionally, audits are […]
Static Code Analysis & Static Code Review: Are These Key SOC 2 Controls?
Static code analysis and static code reviews are key controls in a company’s control environment, specifically related to the system development lifecycle and change management processes, and should be considered for inclusion in a company’s SOC 2 control inventory. Adopting static code analysis and static code reviews and integrating these controls into a company’s control […]