Glossary

  • SOC 2 Bridge Letters

    Are you curious about SOC 2 bridge letters? If so, you’re in the right place. We’ll dive deep and provide you with an overview of what a SOC 2 bridge letter is, who issues them, and how long they last. A bridge letter is an important document in the world of system and organization controls …

  • SOC Trust Services Criteria

    What are SOC Trust Services Criteria? The SOC (Service Organization Control) Trust Services Criteria is a set of standards established by the AICPA (American Institute of Certified Public Accountants) for service organizations. These criteria are designed to provide assurance that a service organization has implemented proper internal controls over its operations. The Trust Services Criteria …

  • GRC Tool

    What is GRC? GRC stands for Governance, Risk Management, and Compliance. It is a framework used to ensure that an organization efficiently manages risk and complies with relevant regulations and laws. GRC compliance includes processes such as internal audits, policies and procedures, training programs, monitoring systems, and reporting systems. GRC (Governance, Risk and Compliance) is …

  • Statement of Applicability (SoA)

    What is a statement of applicability? A Statement of Applicability is a document used in information security management that outlines the applicable control objectives and controls for an organization. It is typically created as part of an Information Security Management System (ISMS) to identify which specific standards, laws, regulations, and best practices should be implemented …

  • Gap Analysis

    What is a gap analysis? A gap analysis in compliance is an assessment of the difference between an organization’s current state of compliance and its desired level or standard. It is a process used to identify potential areas for improvement by comparing actual performance with expected performance. The goal of a gap analysis in compliance …

  • HIPAA Violation

    What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a federal law that provides privacy standards to protect medical information about individuals, as well as security measures to safeguard the integrity of electronic protected health information (ePHI). HIPAA requires healthcare providers, insurers, and other entities that handle …

  • Carved-Out vs Inclusive Method

    What is the carved-out vs inclusive method? Simply put, these are two different methods for SOC reporting of your subservice organizations specifically. Subservice organizations include managed service organizations, data center providers, cloud providers, etc. Think about modern-day businesses. It is no longer common practice to develop your own system end-to-end. You would rather make use …

  • Attestation Report

    SOC 2 attestation, explained Breaking it down into definitions, an ‘attestation’ is defined as “a declaration that something exists”, and “evidence or proof of something”. A synonym for attestation is the word ‘vouch’. That is the best way to simplify this. What is a SOC 2 attestation report in the compliance and audit world? Well, …

  • SOC 3

    By now, you should be very familiar with a SOC 2 report. In terms of classification of the report itself, a SOC 2 report is a private report. The nature of the report means that it contains sensitive information about the organization and their control environment, including systems used, specific control information, management assertion information, …

  • Testing Procedure

    What SOC 2 compliance testing procedures does an auditor follow? This question can only be answered at a high level. The reason for this is that the specific methodology of each auditing company varies. In all instances, the testing procedures that are defined address the same requirements (i.e. a specific control is tested in a similar …

  • Subservice Organization

    Overview of subservice organizations As part of the SOC 1 or SOC 2 process, an organization needs to go through an exercise to identify vendors that are performing a service to the organization. Once those vendors are identified, the organization needs to understand which of those services performed have an impact on the control environment …

  • SOC 1

    Overview of SOC 1 compliance Outsourcing is a growing trend and companies increasingly depend on third-party providers to deliver critical services. Ten years ago, companies may have used only one or two major third-party service providers; now they often depend on many providers to deliver any number of services. Third-party providers are becoming an increasingly growing …

  • SOC 2 Compliance Requirements

    SOC 2 standard SOC stands for Service Organization Controls (SOC). The controls that you design and implement inside your control environment will vary based upon the people, technology, and products your company develops. SOC 2 is based on five principles, which are: SOC 2 requirements When reviewing the nine SOC 2 trust service criteria (TSC) …

  • HIPAA Compliance

    The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a set of rules that specify how protected health information (PHI) may be used and disclosed legally. The Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) both enforce HIPAA compliance laws. The OCR’s responsibility in preserving …

  • HIPAA Regulations

    What are HIPAA rules and regulations? The HIPAA laws and regulations include instructions on how to secure protected health information (PHI), use it appropriately, and respond in the event of a PHI breach. The HIPAA Privacy Rules, Security Rules, and Breach Notification Rules make up the three main parts of the HIPAA Rules and Regulations. …

  • ISO 27701

    Overview of the ISO 27701 standard ISO 27701 is a branch standard that stems from the ISO 27001 standard, which focuses on the Information Security Management System (ISMS). The ISO 27701 standard is a great addition to the ISMS and key for any organization looking to create a strong integration between security and privacy controls. The …

  • Compliance Software

    What is compliance management software? Compliance has become a hot topic in today’s world. When organizations hear the word “compliance” they tend to think of ways to shortcut this process. Compliance software is the answer to that shortcut and can be essential for organizations looking for more effective and efficient ways to comply with the …

  • AICPA

    What is the AICPA? The AICPA (American Institute of Certified Public Accountants) is the US’s organization of Professional CPAs (Certified Public Accountants). The AICPA is the founder and originator of the SOC reporting standard and audit. Furthermore, the AICPA is a very influential body of professional accountants, and they combine the skills and expertise of …

  • Security Compliance

    Overview of security compliance The concept of security and compliance used in the same sentence has become a common theme in recent years. The word ‘security’ specifically in the information technology arena brings up several topics, especially the relevant risks that are associated with these topics, for example: The list goes on and on, but …

  • SOC Reports

    What is a SOC report? SOC stands for Service Organizations Controls. A SOC report provides a detailed assessment of the controls, processes, and implementation thereof within an organization. A SOC report is one of the easiest and most effective ways to verify and ensure that an organization is following industry best standards and that the controls …

  • Audit Period

    Think of the audit period as the time duration over which the policies/procedures/IT control environment/etc. are evaluated. An audit period is relevant in the world of compliance and auditing. Before a potential business partner or customer enters into contract agreements, paying money, and handing over important information, they want to be assured that the company …

  • SOC 2 Evidence Collection

    When it comes down to collecting evidence for the SOC 2 audit itself, there are a few key points that one needs to remember. Obtaining and submitting the incorrect audit evidence can cause audit headaches as it will most times mean having to recapture, extract, and submit the evidence again – showing the necessary key …

  • Auditor's Opinion

    SOC 2 is based on the American Institute of Certified Public Accountants (AICPA) standards to provide an audit opinion on the security, availability, processing integrity, confidentiality, and/or privacy of a service organization’s controls. What is a SOC 2 audit opinion? An audit opinion is the audit result or the audit outcome of a SOC …

  • Vendor Management Policy

    Sometimes, a third-party contractor only needs access to certain company databases or permissions. Or, a third party’s services may only be required on certain days of the week. In order to sort out these technicalities, it is necessary for outsourcers to create a vendor management policy statement. What is a vendor management policy? A vendor …

  • Third-Party Risk

    Example A company’s offices could follow airtight security practices and have a comprehensive keycard system that keeps unwanted and potentially malicious visitors out. But none of that will matter if one of the hired painters leaves their keycard on the bus, and that card finds itself in the possession of a competitor or some other …

  • Self-Assessment Questionnaire (SAQ)

    What is a self-assessment questionnaire? A self-assessment questionnaire (SAQ) is an important step towards auditing success when aiming for compliance of a varying degree based on results from an SAQ assessment. The goal of the questionnaires is to prepare your organization for what the audit will entail and to make sure you are set up …

  • SOC 2 Readiness Assessment

    What is a SOC 2 readiness assessment? A SOC 2 readiness assessment is exactly what the name implies: an assessment that is performed to see if a company, or more specifically the control environment of the company’s product, is ready for a SOC 2 audit. The objective of the report is to summarize the current …

  • Information Produced by the Entity (IPE)

    IPE audit evidence IPE, or Information Produced/Provided by the Entity, is a term used in compliance and auditing that refers to the actual information used by the auditor in order to assess, test, and draw conclusions about controls, and ultimately, the audit opinion. There is no clear-cut, Oxford Dictionary definition of what constitutes IPE, or IPE audit …

  • Complementary User Entity Control (CUEC)

    Complementary user entity controls (CUEC) are controls that reside at the user entity level of a service organization. User entities are organizations that utilize the services of a service organization. Essentially, what it means is that there is a shared responsibility between two parties to ensure the control criteria are being achieved. Think of CUECs …

  • Compliance Program

    As a leader in a developing company, you are well aware that creating a compliance program is something you will have to deal with at some time as you grow. Because industry standards frequently have overlapping criteria, an organization may establish a single policy or a set of rules that meets various needs. It’s vital …

  • Audit Trail

    An audit trail, sometimes referred to as an audit log, is a documented flow of transactions, security-relevant records, or data changes that are date and time stamped. It keeps a sequential record of the history and details around the change. Depending on the area of expertise, audit trails/logs come in different shapes and …

  • Security Management Policy (IS Policy)

    It is a well-known fact that all organizations require written policies, procedures, and rules in order to achieve compliance. Think about a practical example of building a house. For any solid structure to be developed, you need a solid foundation. The policies are the foundation of an organization. Policies are the principles and …

  • Cloud Security Compliance

    “The Cloud” is terminology that is so commonly used nowadays. Cloud computing refers to the availability of resources required by computer systems, including and specifically related to data storage and computing power without the user/organization having direct management. When we talk about cloud compliance, we are referring to the procedures, policies, and practices that monitor …

  • Compliance Process Automation

    For many companies, meeting security and compliance requirements at the same time can be a daunting task. For one thing, many companies do not have their own compliance capabilities. Rather, the security team does the compliance work. They are responsible for time-consuming audit requests, documenting and making changes to internal controls, etc. The preparation is …

  • Vendor Review

    Nowadays, there is a plethora of vendor tools, services, and products that exist for almost every business requirement and focus area of an organization, and it is often easier and more cost-effective to use a vendor’s established product or service rather than spending the time and money developing your own. However, using one of …

  • SOC 2 Auditor

    What does a SOC 2 auditor do? An auditor who has been accredited by the AICPA can attest and report on whether controls were suitably designed and effectively implemented during the audit period for an organization. Not all accountants are CPAs, so when hiring an auditor it is important to be sure they are commissioned …

  • ISO 27001 Security Standard

    A standard that was developed in 2013 by the International Organization for Standardization and IEC (International Electrotechnical Commission). What is the purpose of the ISO 27001 framework? ISO/IEC 27001 is an international standard on how to manage information security. This standard formally specifies an Information Security Management System (ISMS) to be established, maintained, and continuously …

  • Compliance Frameworks

    A set of criteria that is developed by an organization that achieves some objective or outcome with the intended purpose of having some type of benefit to the organization. Compliance frameworks allow you to take parts of your organization’s procedures, policies, and other documentation and compile them all into one cohesive entity. There are always …

  • Data Security Controls

    Data security controls are any parameters used to prevent and safeguard data within your company. Such controls can be in the form of policies, rules, systems, or any other form, for the sake of guaranteeing compliance. Controls conducted outside of a system are called manual controls whereas controls configured within a system that are used to …

  • Data Classification Policy

    A policy that specifies the required tagging of data stored by a company. This data is usually specific in nature such as PCI data, Health Information, and Personally Identifiable Information. If you have ever worked for a large enterprise, you know how daunting it can be to get up to speed on things. Things are …

  • SOC 2 Type II Report

    A SOC 2 Type II report assesses the design and operating effectiveness of an organization’s controls over a period of time. A SOC 2 Type II report is a report on an organization’s internal controls, capturing how a company safeguards customer data and how well those controls are operating. SOC 2 Type II Trust Principles …

  • IT Security Policy

    Information Security Policies, also known as IT Security Policies, allow an organization’s management team to implement administrative controls and ensure that standards are set for information security across the organization. The minimum an IT data security policy should include At a minimum the organization should be reviewing policies and procedures on a yearly basis …

  • ISO 27001 Compliance

    The ISO 27001 standard has continued to be a popular option despite the ever-expanding list of industry-specific solutions due to its applicability across both business sectors and continents. The ISO 27000 series The deployment and maintenance of an information security management system are the primary focus of the ISO 27001 standard, which is officially known …

  • Data Compliance

    What is data compliance? Data compliance is a practice and a process. It refers to adherence to protocols and standards that are designed to safeguard personal data and information. Data compliance requirements and regulations define (1) how data is collected, used, processed, and stored, and (2) the processes to ensure the data is protected …

  • Security Questionnaires

    Security questionnaires are very common in business-to-business transactions. These often occur before a business decision is made regarding a product or service to be implemented by an organization. Security questionnaires will often contain questions regarding the security posture of the organization, and whether the organization has undergone things such as vulnerability scans, outside …
