David Schroth, Author at Design Compliance and Security, LLC

The SOC Report Time Machine: Understanding When & Why They Look Back, Not Forward

SOC reports (System and Organization Controls reports) are a cornerstone of trust in today’s digital landscape. They provide assurance to your customers and partners that your systems have met their service commitments and requirements. But understanding when these reports are issued, and crucially, what time period they cover, is vital. It’s a common misconception that a SOC report […]

The SOC Report Time Machine: Understanding When & Why They Look Back, Not Forward Read More »

What is the Hardest Part of Passing Your First Audit?

David Schroth

We have been working with companies to go from zero to compliant with something for over ten years now. That something has included SOC 1, SOC 2, HIPAA, FedRAMP, ISO, PCI and a bunch of other sets of requirements that get a bit esoteric to include at risk of making your eyes glaze over from

What is the Hardest Part of Passing Your First Audit? Read More »

SOC 2 Availability Criteria

David Schroth

What is SOC 2 Availability Criteria? The Availability Criteria is one of the five Trust Services Criteria defined by the AICPA. It is an incremental criteria to the Common Criteria (also known as the Security Criteria), so you can’t do this one on its own – it’s one for extra credit. The availability criteria focuses

SOC 2 Availability Criteria Read More »

SOC 2 CC9: Common Criteria related to Risk Mitigation

David Schroth

What is SOC 2 Risk Mitigation (CC9)? Risk mitigation is an incredibly important aspect of managing your organization’s security. While being able to respond to security incidents is essential, the best way to safeguard your organization is to reduce the likelihood of problems occurring in the first place. Your risk mitigation plan needs to be

SOC 2 CC9: Common Criteria related to Risk Mitigation Read More »

SOC 2 CC8: Common Criteria related to Change Management

David Schroth

What is SOC 2 Change Management (CC8)? Organizations are responsible for making necessary changes to protect, enforce, and improve its systems. Although being able to make changes and adapt to new situations is essential, it is important to have a plan in place for how to best go about implementing these critical actions. Managing changes

SOC 2 CC8: Common Criteria related to Change Management Read More »

SOC 2 CC7: Common Criteria related to System Operations

David Schroth

What is SOC 2 System Operations (CC7)? Organizations are responsible for managing the operation of their systems, which means they need to continuously work to detect, prevent, and address any security issues that may impact their business. Staying on top of monitoring security protocols, preventing and responding to security incidents, and having a plan of

SOC 2 CC7: Common Criteria related to System Operations Read More »

SOC 2 CC6: Common Criteria related to Logical and Physical Access

David Schroth

What is SOC 2 Logical and Physical Access (CC6)? Organizations are responsible for controlling logical and physical access to their protected information by using appropriate security software,infrastructure, and architectures. Implementing and maintaining these necessary controls will protect your company’s valuable data and prevent unwanted security events. It will also help you meet the requirements outlined

SOC 2 CC6: Common Criteria related to Logical and Physical Access Read More »

SOC 2 CC1: Common Criteria related to the Control Environment

David Schroth

What Is the SOC 2 Control Environment (CC1)? Out of the Common Criteria, the Control Environment (also known as CC1), addresses several entity level controls that are expected to be in place across the Company. Much like the Common Criteria 2 through 5, CC1 is based upon COSO and borrows from its requirements to use

SOC 2 CC1: Common Criteria related to the Control Environment Read More »

Bridge Letter: Things You Should Know

David Schroth

Have you ever been asked by a client for a bridge letter? Have you received one from a vendor, and you’re curious as to what it means? Is it an official document, or can anyone write and issue one? Read on to find out! What is a Bridge Letter? A bridge letter, also known as

Bridge Letter: Things You Should Know Read More »

Do I Really Need a SOC 1 or 2 Report?

David Schroth

The most common reason for a company to have a SOC report is because their customers ask for (or demand) the report to be able to either do business or continue doing business with the company. When someone calls us for the first time, we will first gain an understanding about why they feel like

Do I Really Need a SOC 1 or 2 Report? Read More »

Author name: David Schroth