IT Audit & Compliance Blog

The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.

Aligning COSO principles and SOC 2 TSCs

How the COSO Principles & SOC 2 Trust Services Criteria Align

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework and the AICPA Trust Services Criteria are two control frameworks that are used to assess and improve the effectiveness of internal controls. While the COSO Principles are more general in nature, the AICPA Trust Services Criteria are more specific to outsourced service […]

Cloud-based patch management

Cloud Patch Management Importance & Impact on SOC Reports

During SOC readiness assessments, we are often asked about the key controls surrounding the security of assets in the cloud. Cloud patch management is a critical part of maintaining security, and the controls around this process will be reviewed in any cloud computing audit, like a SOC report. This article will provide guidance on creating […]

Covered entities vs. business associates under HIPAA

HIPAA Business Associate vs. Covered Entity: Differences & Expectations

In order to properly assess the relevance of HIPAA compliance to your organization, it is important to understand what a Covered Entity (CE) and a Business Associate (BA) are. In this blog we’ll talk about what these items are, the differences between them, and how they are handled differently when assessing HIPAA compliance. Differences Between […]

A guide for audit readiness success

Audit Readiness – Professional Tips for a Successful Audit

The auditors are coming! Let's face it, many organizations dread audit time, but it doesn't have to be that way. Whether you're facing your very first audit or preparing for the next recurring one, being audit-ready will save you time and effort, alleviate stress, and facilitate a smooth and successful audit process. As humans, we naturally […]

5 Common SOC 2 Myths

Myth Busting 5 Common SOC Audit Misconceptions

In the rapidly evolving landscape of technology services, companies are entrusted with handling sensitive client data. To ensure the security, availability, and integrity of this data, many executives consider undergoing a System and Organization Controls (SOC) audit. However, misconceptions surrounding SOC audits often cloud the decision-making process. So, what exactly is a SOC audit? In […]

What is StateRAMP

A Guide to StateRAMP: An Overview For Your Authorization Journey

In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, establishing a standardized assessment methodology for federal agencies to manage risk within commercial cloud service provider environments. Acknowledging the “do once, use many” benefits of FedRAMP within the federal sector, the State Risk and Authorization Management Program (StateRAMP) was launched in 2021. StateRAMP […]

A guide to the types of vulnerability scans

Which Types of Vulnerability Scanners Can Help Protect Your Company?

As security breaches (such as these HIPAA security breaches) become more common and costly, it is important to understand ways to prevent breaches. Recently, we came across a scenario where a company was not using a vulnerability scanner to scan their development environment for secret credentials, thus making the secret credentials not so secret. The […]
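The scenario above (credentials sitting in a development environment that nobody scans) is what a secrets scanner is for. The following is an added example, not code from the Linford & Company article or from any scanner product: a minimal scanner that combines pattern rules for known credential formats (the AWS access-key and GitHub token prefixes used here follow their publicly documented shapes) with a Shannon-entropy check for long random-looking strings that no pattern knows about. The `.env`-style input is constructed for the example, and the rule names, threshold and placeholder prefixes are choices made here, not an industry standard.

```python
import math
import re

# Pattern rules for credential formats with a recognizable shape.
# "generic_assignment" catches lines such as password = "..." in source or config.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"
    ),
}
# Candidates for the entropy check: long runs of hex/base64-style characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Values that are templated and resolved at deploy time are not secrets.
PLACEHOLDER_PREFIXES = ("${", "{{", "<", "%(")

# Constructed sample: the kind of lines found in a checked-in .env file.
SAMPLE_CONFIG = """\
# constructed sample: lines of the kind found in a checked-in .env
DB_HOST=localhost
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
password = "${DB_PASSWORD}"
api_key = "sk-live-0123456789abcdefABCDEF"
SESSION_SECRET=0123456789abcdef0123456789abcdef01234567
-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits of entropy per character; random keys score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Keep a short prefix so a finding is identifiable without leaking the secret."""
    return value[:keep] + "*" * max(0, len(value) - keep)


def scan_text(text, path="<stdin>", entropy_threshold=3.5):
    """Return one finding per rule hit; matched values are redacted in the output."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if name == "generic_assignment" and value.startswith(PLACEHOLDER_PREFIXES):
                continue  # templated value, filled in at deploy time
            findings.append({"rule": name, "path": path, "line": lineno,
                             "value": redact(value)})
        # Entropy rule: catches secrets that no prefix pattern knows about.
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= entropy_threshold:
                findings.append({"rule": "high_entropy_string", "path": path,
                                 "line": lineno, "value": redact(tok)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, path="sample.env"):
        print(f"{f['path']}:{f['line']}: {f['rule']}: {f['value']}")
```

Two design points matter in practice: findings are redacted before they are reported, so running the scanner in CI does not copy the secret into build logs, and the entropy rule is what catches the `SESSION_SECRET` line, which has no quotes and no known prefix and so slips past every pattern rule. The threshold of 3.5 bits is a starting point; tune it against your own repositories, since hashes and UUIDs in test fixtures will also score high.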

Zero trust compliance guide

Zero Trust Concepts & Audit Implications

Over the past several years, the concept of Zero Trust has transitioned from an industry buzzword to a pillar of information security. In this blog post, we will break down what zero trust means in the industry, what the pillars of zero trust are, and how zero trust concepts impact auditing activities and other factors […]

ISO & Risk Management

ISO and Risk Management Frameworks for Supporting Enterprise Risk Assessments

As I pondered about what blog content may be interesting and useful to our current and prospective clients, I kept coming back to one interesting client discussion I recently had. I was working with a first-year SOC 2 readiness client, and they were asking for insights and my perspectives on best practices for conducting an […]