
How Long Does It Take to Get a SOC 2 Report?

The SOC 2 reporting process can take anywhere from 4 weeks to 18 months at the extreme ends of the spectrum (6 weeks to 3 months on average). The variance depends on the type of report (Type I vs. Type II), project complexity, firm maturity, motivation to obtain a SOC 2 report, and variations in each phase of [...]

December 5th, 2017 (2020-01-17T21:20:42+00:00) | SOC Reporting

Should I Get a SOC 2 Report? Examining the ROI of SOC 2 Compliance

If you are trying to determine if your company would benefit from obtaining a SOC report, here are a few questions and answers that may help make the decision. 1) Are clients requesting a SOC report? Many firms find that obtaining a SOC report is a cost of doing business because clients or prospects ask for SOC reporting as part of [...]

November 27th, 2017 (2020-07-02T15:38:38+00:00) | SOC Reporting

Simplify Compliance by Creating One Set of Controls to Manage Risk

Heavily regulated companies spend a lot of time mapping and creating new business processes to meet compliance requirements. This is especially frustrating for businesses that face multiple compliance requirements. We see this often in the financial technology (FinTech) and healthcare technology (HIT) space. Companies like these have an almost unmanageable number of regulatory frameworks to navigate. (SOC 2, ISO 27001, GLBA, [...]

How to Effectively Communicate Your Security and Compliance Story to Prospective Clients and Business Partners

I read an article last week about Wal-Mart forcing some of their vendors off Amazon’s cloud. Wal-Mart has an incredible amount of leverage over their vendors so my guess is that most SaaS providers probably went along with Wal-Mart’s request. This type of thing isn’t uncommon in the world of vendor management. I have personally worked with high-growth companies and service [...]

Developing an IT Audit & Security Plan for Microsoft Office 365

Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and object permissions. It almost appears that [...]

Securing Corporate Wireless Access Points (WAPs)

The set of controls and conditions IT auditors look for during assessments of Wireless Access Points (WAPs) tends to vary auditor to auditor. In some cases, the IT auditor may make great suggestions for controls I have not seen many organizations put into place while in other cases, the auditor might point out the absence of seemingly weak controls that leaves [...]

Developing & Implementing a Data Classification Policy

Properly classifying and labeling information assets is fundamental to a successful information security program, yet many organizations fail to implement one. Without proper asset classification, the organization exposes itself to additional risk of data breaches, accidental loss/release of sensitive information, losses in efficiency or additional costs associated with securing data that may not require it (hardware-based encryption doesn’t come cheap!). It [...]

Deploying a HIPAA Compliant Encryption Policy

HIPAA, or the Health Insurance Portability and Accountability Act, presents a fairly robust set of standards and rules that any organization within the United States handling PHI (Personal Health Information) is compelled by law to address. On the surface, many of HIPAA’s rules appear straightforward, but as I quickly learned while performing a recent AT601 Compliance Attestation, things are not [...]

Managing User Access in the Manufacturing Environment

Managing user access in the manufacturing environment, especially at the plant level, is tricky. Unique machinery and production requirements call for specific skills and infrastructure that may not be supported centrally by corporate managers. This means that many plants must operate as independent sub-businesses within a larger corporation. Thus, governance and control of critical plant infrastructure and machinery [...]

TSA Failure Highlights the Importance of Audit and Assurance

Executives should love IT auditors because auditors provide something every CEO/CIO wants: a view into the operating effectiveness of their company or department. Without audit functions, a company might be wasting money or manpower, or spending a lot of time doing things that have no impact on the business. Today, a story broke that an audit of the TSA's security procedures revealed [...]