The 2025 HITRUST® Trust Report is more than just a retrospective on certification trends—it is a reflection of where cybersecurity assurance is heading. In a landscape where compliance complexity is growing and AI is rapidly transforming risk dynamics, the HITRUST ecosystem stands out as a scalable, rigorous, and data-driven model for building trust. Whether you’re […]
IT Audit & Compliance Blog
The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.
Vulnerability Scanning: Importance of Vulnerability Scans in SOC 2 Audits
In a landscape where cyber threats are growing more sophisticated by the day, understanding an organization’s vulnerabilities is a strategic imperative for security and compliance. Conducting vulnerability scans is a key component in helping prevent successful external adversary attacks. In this article, I will discuss what vulnerability scans are, the common types, and actions your […]
Maintaining Access Control Post-Implementation: Guidance from an Auditor
Access control encompasses a broad range of concepts and practices that can vary significantly depending on an organization’s industry, risk appetite, and compliance requirements. This blog focuses specifically on the post-implementation phase of access control. It discusses the critical questions: “Once access controls are in place, how do you make sure they remain effective? What […]
Leveraging the Azure SOC 2 – How to Build a SOC 2 Compliant Product or Service
Let me tell you a secret: Auditors don’t hate IaaS cloud platforms. We just dislike cloud chaos. As a SOC 2 auditor, I’ve seen things. Shared administrator accounts. Production secrets in plaintext. And one time—brace yourself—a company used a whiteboard to track administrator access credentials. I wish I were kidding. Every once in a while, […]
Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS
A few years ago, I was working with a scrappy, fast-growing SaaS startup getting ready for their first SOC 2 audit. They had great tech, strong leadership, and loyal customers—what they didn’t have was a dedicated security team. The CTO greeted me with a tired laugh and a spreadsheet labeled “SOC 2 Checklist?”—the question mark […]
The FedRAMP 2025 Overhaul: Transforming Federal Cloud Security
The Federal Risk and Authorization Management Program (FedRAMP) was established in December 2011 by the U.S. Office of Management and Budget (OMB) through Memo M-12-03, in response to the federal government’s increasing adoption of cloud technologies. Its primary goal was to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud services […]
Mapping AWS Controls to Your SOC 2 Requirements: What You Need to Know
Many software-as-a-service (SaaS) companies rely on Amazon Web Services (AWS) as the backbone of their infrastructure—and for good reason. AWS’s robust physical, network, and operational controls offer a strong foundation for building secure, scalable systems. But having AWS controls in place is not the same as demonstrating to your auditor that your controls meet the […]
Guide To Creating a CMMC Compliant System Security Plan (SSP)
Your company, the Organization Seeking Assessment (OSA), has determined that it has to achieve CMMC Level 2 certification to be in compliance with contractual requirements with the Department of Defense (DoD) as defined in 32 CFR Part 170. An initial and critical step in attaining CMMC Level 2 certification is creating a system security plan […]
Audit Sampling in SOC Examinations
In completing SOC 1 and SOC 2 examinations (and most other types of audits), there is testing involved to determine the operating effectiveness of controls. There are different types of tests that can be applied to testing controls, and to complete a majority of these tests, a sampling of populations is required. In this […]
SOC 2 Compliance and the Evolving Data Center Landscape
Data centers have always possessed a certain mystique. They are places where blinking lights, humming machines, and climate control technology make you feel as though you have stumbled into a top-secret bunker straight out of a sci-fi movie. Today, however, data centers are far more than buzzing, refrigerator-like facilities. They are the backbone of modern […]













