Notes from the Field: CIS Control 16 – Application Software Security 

by Greg Halpin / April 3, 2024

Recently, I’ve been working with a small Software as a Service (SaaS) company, and it quickly became clear they didn't have much in place by way of security. They didn't have a documented policy. They didn't do code reviews. New code releases were deployed on the fly. They didn't do secure scans of code or the web application. They didn't have a web application firewall (WAF). The application database was…

Notes from the Field: CIS Control 15 – Service Provider Management 

by Greg Halpin / March 7, 2024

The client I was conducting a gap analysis for had an incredibly detailed Service Provider Management Policy. It required the company compliance team to conduct due diligence on all prospective service providers, including a risk analysis of each. The policy required the compliance team to review the prospective vendor's SOC 2 audit report and research the vendor's financial stability and reputation. The compliance team was to conduct annual reviews of…

Notes from the Field: CIS Control 14 – Security Awareness and Skills Training 

by Greg Halpin / March 7, 2024

Security awareness training is something I see companies doing either very well or not at all. It's unfortunate for the companies that don't do much, as a little training goes a very long way. Security awareness training is an investment that more than pays for itself. The more your employees are trained against potential threats and attacks, the safer your company and customer data. The less trained they are, the…

5 Internal Control Components using COSO Principles

by Joseph Kirkpatrick / January 15, 2024

Implementing Internal Controls for SOC 1 Compliance

When an organization pursues SOC 1 compliance, they’ll be tested against the COSO Internal Control – Integrated Framework. This framework is one of the most common frameworks used to design, implement, maintain, and evaluate internal controls. For an organization to successfully complete a SOC 1 audit, they’ll need to meet the three objectives of internal control, demonstrate that they have the five components…

What is an Audit Scope?

by Joseph Kirkpatrick / December 29, 2023

What is an Audit Scope and How Does it Impact an Audit?

Knowing where your assets reside and which controls apply to them is critical for any organization. Why? This is the only way you can manage and secure them from a potential data breach or security incident. During the initial phases of a SOC 1 or SOC 2 audit, an auditor will walk you through defining the scope of…