Identity and Access Management for Beginners
Linford & Company LLP Blog
by Isaac Clarke (PARTNER | CPA, CISA, CISSP)
2d ago
How do companies keep track of who’s supposed to see what information? What if a disgruntled ex-employee still had access to sensitive files? Or a hacker could easily impersonate the CEO? Identity and Access Management (IAM) is the answer, ensuring the right people (and only the right people) get access to the right systems and data needed to perform their responsibilities. What is Identity & Access Management? Think of IAM as a high-tech security guard for your company’s digital assets. IAM ensures that employees, contractors, and even customers have access only to the information and too ..read more
Risk Management in the Era of Large Language Models and Generative AI
Linford & Company LLP Blog
by Richard Rieben (Partner | CISSP, CCSFP, GSNA)
1w ago
Large Language Models (LLMs) and Generative AI are cutting-edge technologies in the field of artificial intelligence that are rapidly evolving in the business landscape. LLMs are a subset of Generative AI, focusing specifically on language-related tasks. While related, LLMs refer to AI systems capable of understanding and generating human-like text based on large datasets. Generative AI (Gen-AI), on the other hand, encompasses a broader category of AI systems capable of creating new content, including text, images, and audio, that mimics human creativity. This blog post will break down the sec ..read more
Zero Trust Implementation – Guidelines & Best Practices
Linford & Company LLP Blog
by Umar Aziz (CISA, PMP)
2w ago
I’m sure you have heard the saying “trust, but verify” which has been a common theme in the audit world. The new saying for cybersecurity goes “never trust, always verify,” and that is the core of zero trust security. One of our clients was in the process of setting up a new environment for their service offering and they made it a goal to implement zero trust throughout. We talked through the steps they would need to meet that goal and we documented the outline as follows. Understanding Zero Trust What exactly is zero trust? Zero trust is driven by the principle of least privilege, which is d ..read more
How the COSO Principles & SOC 2 Trust Services Criteria Align
Linford & Company LLP Blog
by Becky McCarty (CPA, CISA, CRISC, CIA, CFE)
3w ago
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control-Integrated Framework and the AICPA Trust Services Criteria are two control frameworks that are used to assess and improve the effectiveness of internal controls. While the COSO Principles are more general in nature, the AICPA Trust Services Criteria are more specific to outsourced service providers offering software as a service (SaaS) systems or other outsourced activities. Both control frameworks can be used to identify and mitigate risks and improve the overall quality of internal controls. In 2013 ..read more
Cloud Patch Management Importance & Impact on SOC Reports
Linford & Company LLP Blog
by Britney Oswald (Audit Manager | CPA)
1M ago
During SOC readiness assessments, we are often asked about the key controls surrounding the security of assets in the cloud. Cloud patch management is a critical part of maintaining security, and the controls around this process will be reviewed in any cloud computing audit, like a SOC report. This article will provide guidance on creating an effective cloud patch management program. As various areas of the cloud patch management program are explored, this article will note how they relate to specific controls and tests performed during a SOC examination. Inventory – Taking Stock of Assets in ..read more
HIPAA Business Associate vs. Covered Entity: Differences & Expectations
Linford & Company LLP Blog
by Hilary Stavrakas (CISA)
1M ago
In order to properly assess the relevance of HIPAA compliance to your organization, it is important to understand what a Covered Entity (CE) and a Business Associate (BA) are. In this blog we’ll talk about what these items are, the differences between them, and how they are handled differently when assessing HIPAA compliance. Differences Between Covered Entities & Business Associates The relevancy of HIPAA compliance is different depending on whether your company is a covered entity or a business associate. Both terms are used within HIPAA guidance, so it’s important to know which applies ..read more
Audit Readiness – Professional Tips for a Successful Audit
Linford & Company LLP Blog
by Danielle Pei
1M ago
The auditors are coming! Let’s face it, many organizations dread audit time–but it doesn’t have to be that way. Whether you’re facing your very first audit or preparing for the next recurring one, being audit-ready will save you time and effort, alleviate stress, and facilitate a smooth and successful audit process. As humans, we naturally seek predictability and familiarity, so being unprepared can leave you feeling stressed and uncertain. By following these audit readiness best practices, you can feel confident to showcase your compliance and security posture and may even, dare I say it, loo ..read more
A Guide to StateRAMP: An Overview For Your Authorization Journey
Linford & Company LLP Blog
by Ray Dunham (PARTNER | CISA, CISSP, GSEC, GWAPT)
2M ago
In 2011, the Federal Risk and Authorization Management Program (FedRAMP) was introduced, establishing a standardized assessment methodology for federal agencies to manage risk within commercial cloud service provider environments. Acknowledging the “do once, use many” benefits of FedRAMP within the federal sector, the State Risk and Authorization Management Program (StateRAMP) was launched in 2021. StateRAMP is a 501(c)6 nonprofit organization with a focus on furthering cybersecurity best practices and cyber security posture of state, local, and education (SLED) agencies through education, pol ..read more
Which Types of Vulnerability Scanners Can Help Protect Your Company?
Linford & Company LLP Blog
by Jessica Kiel (CISA)
2M ago
As security breaches (such as these HIPAA security breaches) become more common and costly, it is important to understand ways to prevent breaches. Recently, we came across a scenario where a company was not using a vulnerability scanner to scan their development environment for secret credentials, thus making the secret credentials not so secret. The intruder was able to take the secret credentials and ultimately breach the production environment. In this instance, a vulnerability scanner that searches for these types of vulnerabilities in the development environment would have prevented this ..read more
Zero Trust Concepts & Audit Implications
Linford & Company LLP Blog
by Richard Rieben (CISSP, CCSFP, GSNA)
2M ago
Over the past several years, the concept of Zero Trust has transitioned from an industry buzzword to a pillar of information security. In this blog post, we will break down what zero trust means in the industry, what the pillars of zero trust are, and how zero trust concepts impact auditing activities and other factors in the world of governance, risk, and compliance. What is Zero Trust? Beyond the Buzzword The most direct definition of zero trust can be obtained from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-207, “Zero Trust Architecture”, which de ..read more