Imagine an employee at your organization is terminated, but due to a communication gap or manual off-boarding process, their account isn’t disabled. Weeks later, another employee needs access to restricted data but hasn’t yet received approval for such access. Frustrated with delays, this employee uses the former employee’s still-active credentials to access the restricted data. […]
IT Audit & Compliance Blog
The Linford & Company Blog is written by our very own auditors, who are experts in IT audits, information security, and compliance topics. Their auditing experience encompasses a broad spectrum of industries and organizations, and their specialized expertise can help your company or organization make the right decision for your auditing needs. Our specific areas of focus in our IT Audit & Compliance Blog include SOC 1 Audits, SOC 2 Audits, HIPAA Audits, HITRUST Certification, FedRAMP Assessments, NIST & CMMC, and Penetration Testing.
Audit Risk & the Audit Risk Model (ARM): An Auditor’s Complete Guide
Let’s be honest—when you’re juggling daily priorities and a never-ending to-do list, audit risk probably isn’t the first thing on your mind. And hey, maybe the “out of sight, out of mind” approach feels easier. After all, it doesn’t exactly scream excitement, and there’s always something more urgent to handle. But here’s the thing: while […]
SOC 2 Compliance Checklist: Why it Doesn’t Exist (And What to Do Instead)
In the past several years, as SOC 2 reports have increased in popularity, one of the first things prospective clients ask when meeting with me is if there is a checklist of things they can have that will help them prepare for the audit and become SOC 2 compliant. There seems to be a common […]
Vendor vs Subservice Organizations: Understanding the Difference & How it Affects You
A service organization may have a number of vendors and subservice organizations engaged to assist it in meeting its objectives or achieving the service commitments to its user entities, along with the system requirements necessary to do so. This article will explain the difference between a vendor and a subservice organization and provide some tips […]
HIPAA Compliance in the Cloud – An Auditor’s Guide
When I audit small to mid-sized SaaS companies in the healthcare space, there’s one assumption I encounter over and over again: “We’re in the cloud, so compliance is handled.” It’s an easy misconception to fall into. After all, AWS, Azure, and Google Cloud talk extensively about HIPAA and HITRUST capabilities. But here’s the quiet truth—moving […]
What Is ISO/IEC 27006-1:2024 & What Changed in the 2024 (2025 Transition) Edition?
When organizations pursue ISO 27001 certification, most of the focus is on building, maintaining, and auditing an Information Security Management System (ISMS). But who makes sure the auditors themselves are qualified and that the certification process is credible? That’s where ISO/IEC 27006 comes in. This standard governs how certification bodies (CBs) operate when auditing and […]
A Guide to GovRAMP: An Overview For Your Authorization Journey
What is GovRAMP? In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, establishing a standardized assessment methodology for federal agencies to manage risk within commercial cloud service provider environments. Acknowledging the “do once, use many” benefits of FedRAMP within the federal sector, the State Risk and Authorization Management Program (StateRAMP) was launched […]
Risk Governance – What Is It & Where Do I Start?
Risk governance, as defined by NIST, is the “process by which risk management evaluation, decisions, and actions are connected to enterprise strategy and objectives. It provides the transparency, responsibility, and accountability that enables managers to acceptably manage risk.” While this concept is seemingly straightforward, a robust risk governance program has a lot of varied components! […]
Expert Guide to the HITRUST Certification Process & Assessment Types
Founded in 2007, HITRUST® issues certifications to businesses and organizations that are independently assessed for compliance with its Common Security Framework (CSF®). This guide will walk you through the HITRUST certification process, explain all available assessment types (e1, i1, r2), introduce newer offerings tailored to AI systems, and provide guidance on maintaining certification over time. […]
IT Governance (GEIT) & SOC 2: Navigating Today’s Complex Risk Landscape
In a world where digital risk, regulatory expectations, and emerging technologies are accelerating, strong IT Governance remains foundational. SOC 2 compliance continues to be a key mechanism for service organizations to show they have strong controls. Understanding how IT governance and SOC 2 align, and where recent changes affect that alignment, is more critical than […]