IT Audit & Compliance Blog

This article will outline a high-level overview of the concept of defense-in-depth as well as tie in how the concept relates to the ability to meet SOC 2 requirements. What is the Principle of Defense-in-Depth? Defense-in-depth is a very detailed and ‘in-depth’ concept, but I will provide a high-level base overview to help those unfamiliar […]

RPA is the automation of digital processes in which a software robot takes over the human actions in any software. The technology simplifies the build, deployment, and management of software robots that emulate human actions interacting with digital systems and software. In this article, we will outline the use of RPA and the impacts on […]

Personal Identifying Information (PII), Payment Card Industry (PCI) information, and Protected Health Information (PHI) are all information requiring heightened controls to protect the owning person from exploitation. This year alone has seen significant breaches of personal data from Aon (insurance provider), MCG Health (health management system), and Block (cash application/payment processor), impacting roughly 9 million […]

Think of the types of compliance audits or assessments that an organization may have throughout the year – SOC 1, SOC 2, PCI DSS, HIPAA compliance audits, Internal Audits, FedRAMP, and HITRUST assessments just to name a few. The list seems to ever increase as new regulations are added. The origination of an audit could […]

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 internal control framework includes five COSO components and 17 COSO principles and is part of the common criteria included in a SOC 2 assessment. The five COSO components include the following: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. For […]

In the following paragraphs we’ll discuss what hardening means, the benefits and disadvantages it brings, and where to begin in the process of securing an operating system. Let’s first understand what the hardening process is. The concept of hardening, in relation to computing, is when the system is made more secure through the use of […]

Clients often ask me if policies and processes put in place for the Payment Card Industry Data Security Standard (PCI DSS) compliance can be used to pass their Service Organization Control (SOC) 2 audit. While some overlap exists between the security procedures required to “pass” your PCI and SOC 2 audits, the biggest difference between […]

What is an Enterprise Environment? From a technology perspective, an enterprise environment is the total of all information assets that support the process, storing, or transmission of data that supports the business functions of an organization. Such assets include everything from user endpoints (e.g., laptops, phones, tablets), to servers (virtual or physical), data storage, network […]

Organizations are continuously challenged in preparing for and performing an audit. Audits are commonly performed in large blocks of effort and treated like a project. Significant time and resources are often allocated to audit projects. To make things more challenging, audits are often time-bound and must be completed by a specified date. Additionally, audits are […]

Static code analysis and static code reviews are key controls in a company’s control environment, specifically related to the system development lifecycle and change management processes, and should be considered for inclusion in a company’s SOC 2 control inventory. Adopting static code analysis and static code reviews and integrating these controls into a Company’s control […]