Resource Center

SOC 2: The Definitive Guide

Your first audit doesn’t need to be overwhelming. This SOC 2 Definitive Guide will help you take a few, manageable steps now that will avoid major headaches later. Don’t put it off – get started today.

Expert Q&A: Get the Most Out of Your Pen Testing Results

This recorded Q&A with A-LIGN’s pen testing expert Joseph Cortese covers the results of your pen test: what they can and can’t tell you, and how you can use them for a variety of high-value purposes.

Expert Q&A: Why a Pen Test Should Be Part of Your SOC 2 Plan

This recorded Q&A features A-LIGN’s resident “ethical hacker” and pen testing expert Joseph Cortese, who sets the record straight on why organizations should consider adding penetration testing to their SOC 2 audit and answers the questions that you care about.

Expert Q&A: What to Expect from Your First Penetration Test

In this recorded interview, A-LIGN’s pen testing expert Joe Cortese dives deep into the pen testing process. Check it out to learn what to expect, step-by-step, as you go through it for the first time.

Expert Q&A: Are You Ready for Your First Pen Test?

Penetration testing should be part of any risk management strategy. In this recorded interview, A-LIGN resident ethical hacker Joe Cortese describes what you need to know to get ready for your first one.

The New Norm: The Reality of Remote Work

The reality of remote work is here to stay. Watch this on-demand webcast to learn how and why most organizations are transitioning to a permanent remote work policy, and the cybersecurity challenges introduced by this massive cultural shift.

Aires Attracts Contracts with ISO 27701 and CMMC

Aires is building a strategic compliance program that avoids tactical audits and transactional auditors in favor of a sustained relationship with A-LIGN that delivers continuous value over time. Having already established certification with ISO 27001, Aires has turned its attention to two relatively new frameworks, ISO 27701 and CMMC, to drive its next wave of business growth.

CMMC Survival Guide

Join an A-LIGN moderated panel consisting of thought leaders within the CMMC space where they cover everything from planning to certification. Listen as experts discuss commonly asked CMMC questions, including scoping, determining the appropriate level for you firm, technical implications, and more.

SOC 2 Readiness Checklist

A SOC 2 report can demonstrate to your customers that your business has elevated its information security controls to protect their valuable data from risk. That’s why you need to be ready to meet the highest standards when the time comes for your SOC 2 examination. Utilize this interactive checklist in order to determine your level of readiness for your upcoming SOC 2 audit.

Growing Your Business in the US with Compliance

The US market presents a number of compliance challenges for companies in Europe. Without the right compliance reports and security certifications, it can be difficult to win contracts and gain the trust of consumers. Find out how a more strategic approach to auditing can help your company build client trust, differentiate your business, and gain investor and stakeholder trust to drive revenue.

CMMC Explained: Practices, Processes, Domains and Levels

The Cyber Maturity Model Certification (CMMC) is a framework of five increasingly stringent control levels developed by the Office of the Under Secretary of Defense for Acquisition and Sustainment. But what does that really mean for your organization? This whitepaper will provide a an overview of this new framework as well as a breakdown of each of the levels and the associated focus points.

A-LIGN Pathways Communications Case Study

Case Study: The Path to Compliance with Pathway Communications

When Pathway Communications set out to upgrade their approach to meeting their complex compliance needs, their search brought them to A-LIGN. After years of struggling to manage multiple compliance frameworks with other firms, they finally found a partner capable of elevating their business when it came to security and compliance.

Fireside Chat: Accelerate Your Business with Strategic Compliance

Watch A-LIGN's fireside chat to learn how businesses, like TIBCO, Ancestry.com, and Provation Medical are streamlining compliance by centralizing evidence collection, standardizing compliance requests, and consolidating audits.

2020 Vision
Strategic Compliance and the Future of Business

Transform your organization with strategic compliance to deliver new efficiencies and allow your team the time to focus on dynamic digital transformation efforts.

The State of
Compliance 2020: An Interactive Town Hall

Want to peek into the compliance playbooks of other CIOs, CISOs and compliance professionals who are thinking about go-forward plans in light of everything happening in the world?

Gartner 2020 Market Guide for Organization Security Certification Services

Gartner says "SOC 2, SOC 2+, ISO 27001, PCI DSS, HITRUST and cloud security certifications can be perplexing and resource-intensive. Security and risk management leaders need to move beyond compliance and toward stakeholder-driven security assurance."

Healthy Security Playbook

Taking a proactive approach to personal healthcare is an invaluable way to stay healthy and help prevent future complications. Similarly, being proactive with your healthcare organization’s security posture can save time, money, resources and stress down the road and help to mitigate future risks.

FedRAMP, FISMA and NIST: Understanding Federal Compliance

Watch A-LIGN’s Federal Practice Lead, Tony Bai, as he explains federal assessments and why they could be important for your organization. Every day, the federal government processes large amounts of data ranging from personal information to matters of national security.

Overlap and Differences Between the Revised SOC 2 Framework and ISO 27001

As market demand increases the need for organizations to demonstrate adequate internal control and risk management practices, many organizations are considering the combination of a SOC 2 report and an ISO/ IEC 27001:2013 (ISO 27001) certification.

A-LIGN’s Belay Approach

For many organizations, completing a SOC 2 examination for the first time can be a daunting task. For organizations that are unable to complete a readiness assessment, A-LIGN has revolutionized a unique audit approach that still provides some of the same benefits of a readiness assessment. Sticking true to our value of “Innovating Constantly,” A-LIGN has created an audit approach referred to as the Belay Approach.

Simplifying the Data Center Compliance Process with A-LIGN

Data center compliance can be a complex challenge due to the volume of locations that require audits, as well as the numerous standards required by customers across multiple service lines. That’s why national colocation firm vXchnge chose A-LIGN to help them protect their customers’ data.

The SOC 2 Examination Process

A SOC 2 audit provides both detailed information and assurance of the service organization’s controls relevant to security, availability, processing integrity, confidentiality or privacy of a given service or system. This whitepaper answers frequently asked questions regarding SOC 2 audits, describes the differences between a Type 1 and Type 2 report and outlines the SOC 2 Examination process.

The Path to PCI DSS Compliance: Cloudreach’s Journey with A-LIGN

Cloudreach, the world’s largest cloud-native company, partnered with A-LIGN to help them achieve PCI DSS compliance in 2018. In this whitepaper, A-LIGN and Cloudreach share the story of their journey together, the unique challenges they faced, the solutions that A-LIGN proposed and how Cloudreach achieved PCI DSS success.

Leveraging Compliance Report Whitepaper A-LIGN

Leveraging Your Compliance Report

Compliance examination reports are more than an attestation of your commitment to quality and security; they can drive revenue, build client trust and position your organization as a cybersecurity leader in your industry. In this whitepaper, A-LIGN will show you how your organization can leverage your compliance report for growth opportunities.

What to Expect
in PCI DSS 4.0

Watch A-LIGN’s PCI Practice Lead Dustin Rich as he explains PCI DSS and the road to PCI DSS 4.0. As the industry prepares for changes with the 4.0 update, now is a great time to look at what to expect from the new update and review the successes and challenges of PCI DSS 1.0-3.0.

Reviewing Federal Compliance: FedRAMP, FISMA and NIST

Every day, the federal government processes large amounts of data, including financial information, personal information, issues of national security and intellectual property and patents. A-LIGN takes a deeper look at the compliance process and how FedRAMP, FISMA and NIST 800-171 can benefit your organization.

The HITRUST CSF
Companion Guide

The HITRUST CSF is a robust and scalable framework for managing regulatory compliance and risk management of organizations and their business associates. Originally designed specifically for the healthcare industry, the HITRUST framework has found success across multiple industries thanks to its unifying regulatory requirements and recognized frameworks.

Cybersecurity Audit
Buyer’s Guide

Cybersecurity examinations are an important undertaking for your organization, its health and projected future. Our helpful Cybersecurity Audit Buyer’s Guide helps you prepare by revealing inside tips to save time, money and resources.

What Are the Top Policies and Procedures Needed for a SOC 2 Audit?

The core of SOC 2 Examinations is based upon the AICPA’s Trust Services Criteria (TSC). The TSCs mandate that an organization has information documented regarding their security and operational policies, procedures, and processes in place for consistent compliance.

Penetration Testing:
An Introduction to Hacking

Stay ahead of hackers by getting into the mind of one. A-LIGN’s Associate Manager and Penetration Tester, Van Bettis, reviews his experience as a hacker working to help organizations bolster information security and avoid hacks.

SOC 2 Report Types

Your organization needs a SOC 2, but how do you choose between a diagnostic report, readiness assessment, type 1 or type 2 report? This helpful guide will clarify the procedures required across each report type, as well as the expected deliverables.

ISO 27001 Certification Process Whitepaper A-LIGN

The ISO 27001 Certification Process

ISO 27001 can help organizations reduce risk, optimize operations within an organization due to clearly defined responsibilities and business processes, and build a culture of information security.

Defend Against Cyber Invaders

The cyber invasion has begun. Are you prepared? Join the mission against cyber invaders and begin defending your organization today with our interactive infographic.

Migrating to AICPA’s Updated SOC 2

Following the Trust Services Criteria (TSC) section 100 publication in 2017, the AICPA announced the finalized revisions for the SOC 2 guidance which will be required for SOC 2 reports with review periods ending after December 15, 2018.

Understanding the New SOC 2 Guidelines

In 2017, the AICPA published revisions to the Trust Services Criteria for security, availability, processing integrity, confidentiality or privacy, codified as TSP Section 100. This updated guidance is required for SOC 2 examinations with a review period ending after December 15, 2018.

The Privacy Revolution

With the global influence of both the GDPR enforcement and the Facebook discovery, organizations are under scrutiny for their privacy practices. Following these events, the industry anticipates new standards and laws increasing consumer privacy rights.

GDPR Toolkit

We continue to receive questions from organizations trying to understand how they can get ahead of the privacy curve, comply with GDPR standards and avoid the fallout. Our privacy team has assembled the GDPR Toolkit to help our clients and any organization concerned about how the privacy landscape will impact their organization, its clients, and its ability to do business.

Halfway to the Summit: Security & Compliance in 2018

Since the beginning of 2018, organizations anticipated and put resources in place to understand the impact of the Internet of Things (IoTs), ransomware, blockchain, and other emerging technologies. However, 6 months into the year, have the top concerns changed?

State of Cybersecurity Florida Report: 3 Takeaways

A-LIGN’s Director of Cyber Risk and Privacy, Petar Besalev reviews the three major cybersecurity trends affecting Florida businesses and Florida citizens. The review is based on the 2017 State of Cybersecurity in Florida report developed by The Florida Center for Cybersecurity (FC2) and Gartner Consulting.

Compliance in the Cloud – Uncovering Your Risks & Audit Options

As organizations continue to move to the cloud, security concerns are playing an important role in selecting a cloud service provider. Achieving compliance in the cloud can be a daunting experience, especially as it pertains to determining whose responsibility it is to address cloud computing regulations and requirements, and to ensure security.

State Lottery

Healthcare

Information Technology

Government and Public Sector

Financial Services

Payroll Processing

Document Management

Legal Services

Payment Card Processing

Accounts Receivable Management and Collections

Real Estate, Title, and Loan Processing

Transportation and Logistics

Colocation and Managed Services

New PCI DSS 3.2 Service Provider Requirements in Effect – Are You Ready?

With the effective date of February 1, 2018, service providers must now adhere to the new PCI DSS Version 3.2 requirements. To help prepare for these new requirements, A-LIGN’s Senior Manager, Dustin Rich, will review the new PCI DSS 3.2 requirements.

Meet Shareholders and Compliance Needs with a SOC for Cybersecurity

As the cybersecurity landscape evolves and data breaches become more frequent, it's imperative organizations demonstrate and maintains the security of their information. To accommodate these emerging challenges, the AICPA developed SOC for Cybersecurity.

Achieving PCI Compliance for Higher Education

As universities gear up their compliance initiatives, A-LIGN examines industry trends, citing emerging risks, new technologies and updated requirements that make it necessary to achieving PCI compliance for higher education.

GDPR Preparedness: Ensuring Compliance

The deadline for organizations to comply with the General Data Protection Regulation (GDPR) has passed. However it's never too late to become compliant.

Securing Privacy: Understanding the Impact of GDPR

The deadline to comply with the General Data Protection Regulation (GDPR) is May 25, 2018. This regulation affects any organization that processes and/or handles the information of European Union citizens.

The Ultimate Cyber Defense Guide

Through identifying emerging trends, highlighting industry statistics, and providing preventative tips, organizations can begin strategizing and implementing effective cybersecurity.

Future of Healthcare: The Transforming Healthcare Industry

The healthcare sector is regarded as one of the fastest evolving industries in the nation. This transformative environment is pushing organizations to provide unique solutions while handling new challenges.

Using HITRUST CSF v9 to Meet Your Compliance Requirements

With the release of HITRUST CSF v9, Senior Consultant and HITRUST CCSFP, Blaise Wabo, discusses the latest evolution of the HITRUST CSF.

Risk Response: Establishing a Plan for Business Continuity and Disaster Recovery

The FDIC has created guidance to more-clearly supervise financial institution contracts with TSPs as they relate to business continuity planning.

Taking Steps Towards GDPR Compliance

The deadline for organizations to comply with the General Data Protection Regulation (GDPR) is May 25, 2018. Are you prepared?

Preparing for the Transition to SOC 1 Under the SSAE 18 Attestation Standard

The SOC 1/SSAE 18 was released by the Auditing Standards Board (ASB) of the American Institute of Certiﬁed Public Accountants (AICPA) providing assurance regarding the controls at a service organization relevant to the user entities’ internal control over financial reporting.

Cyber Defense Guide: Part 2

In part 2 of our Cyber Defense Guide, our experienced assessors take a deeper look into breach statistics, review the types of social engineering and malware attacks, and provide actionable prevention tips.

Mastering the Limited Access Death Master File to Achieve Certification

The Limited Access Death Master File (LADMF) contains information about deceased persons that is used by financial and credit firms, as well as government agencies, to match records and prevent identity fraud.

Moving on Up: Migrating from SSAE 16 to SOC 1/SSAE 18

Any SSAE 16 report with an opinion dated on or after May 1, 2017, will be issued under the new SSAE 18 standard.

Cyber Defense Guide: Part 1

As we look at the breach landscape, it becomes apparent that continued education is necessary in order to protect information. A-LIGN discusses the cybersecurity landscape, the different types of hacks that your organization could face, and 10 actionable tips to prevent hacking in your organization.

Scammed: Defend Against Social Engineering

Do you and your employees know how to identify a social engineering attack? As hackers become increasingly savvy at breaking into accounts through social engineering, organizations need to better understand how to avoid becoming another target.

Putting the Pieces Together: What is HITRUST and how does it fit into the compliance puzzle?

HITRUST is the sum of multiple audit standards and serves as a comprehensive certification for those in the healthcare industry.

The Survival Backpack: Gearing up for Compliance in 2017

In 2016, as many standards and methodologies, such as PCI DSS, FedRAMP and HITRUST were met with revisions, we look at how to appropriately implement these changes for your organization.

decade-unchanged-security-vulnerabilities

The Song Remains the Same: A Decade of Unchanged Security Vulnerabilities

A decade of security innovation and awareness, combined with maturing compliance standards have improved our security culture. However, the same security vulnerabilities found in 2006 continue to appear today in standard penetration testing.

How to Avoid Common PCI DSS Assessment Pitfalls

There are a few basic issues that plague many companies when it comes to attempting to comply with (and maintain compliance with) the most prescriptive security frameworks in information security: The Payment Card Industry – Data Security Standards (PCI DSS).

Going for Gold: Becoming ALTA Best Practices Certified

As Michael Phelps and Katie Ledecky make their way home from the Olympics in Rio, A-LIGN’s experienced assessors consider the journey that organizations take to “Go for the Gold” and become ALTA Best Practices certified.

What is the Right Audit for Your Title Company?

While there is no one audit that fits all, nor is there an audit that is currently required within the industry, the answer to our question in the title of this whitepaper is driven by your stakeholder’s request and your organizational objectives.

Preparing for a PCI DSS Audit: Top 10 Key Issues

Does your organization know how to successfully prepare for a PCI DSS assessment? Without proper preparation, a PCI DSS audit can become more time and resource intensive than necessary.

SOC 1 and SOC 2: Weighing Your Compliance Options

Organizations are constantly asking A-LIGN’s experienced assessors about the audit options that make sense for their organization.

“Failed” Your SOC Examination? Here’s Why

While you theoretically cannot fail a SOC examination, there are SOC reports that have control design or operating deficiencies, which result in the audit report opinion to be modified or qualified.

Outline of Revisions in PCI DSS 3.2

In light of the release of PCI DSS 3.2, A-LIGN has assembled a detailed outline of the changes in PCI DSS 3.2 including implementation timelines, changes to the requirement, and changes to the assessment procedure..

Breached: Now What?

Data breaches are on the forefront of our minds as they occur with increased frequency and severity. Data breaches can be disastrous for not only the victim organization, but for an entire chain of affected entities.

Building HITRUST: Related Frameworks, Scoping and Scoring

At the core, HITRUST CSF (Common Security Framework) is build upon other standards and authoritative sources relevant to the healthcare industry, including ISO 27001, NIST SP 800-53, and HIPAA: Security, Breach and Privacy rules.

HITRUST-Mitigates-Challenges-Facing-Healthcare

How HITRUST Mitigates the Challenges Facing Healthcare

Healthcare currently faces strict regulatory needs, causing many challenges when considering the options for risk management and mitigation. In order to ease these challenges, HITRUST can be implemented to minimize risk and alleviate healthcare pain points.

Keeping E-commerce Safe: Key PCI DSS Requirements

Every day, card data is pilfered from both Point-of-Sale (POS) and web-facing merchants. This presentation will focus on key, and often ignored, PCI requirements that provide greater safety to your business.

Active Shooters in the Workplace: Are You Prepared?

Violence in the workplace has always been a concern for companies. With the dramatic rise of shooting incidents in the workplace over the last few years, companies are realizing that their current employee safety procedures have not kept up with the times.

Relevant-Audit-Selection-Cloud-Providers

Relevant Audit Selection for Cloud Providers

We detail the different kinds of audits that are applicable to the Cloud industry based on what kind of service they provide: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

A-LIGN’S Cybersecurity Defense Guide

2014 was an eye-opening year in regards to cybersecurity. In this whitepaper, we explore the different attacks that happened and give detailed insight into how to protect your organization from attack.

Migrating your ISMS from ISO 27001 2005 to 2013

We give a simplified overview to the complex task of transitioning your ISO 27001 program from 2005 to 2013.

9 Critical Payroll Pain Points

Dr. Daniel Selby, PhD, CPA, CISA, professor-in-residence at A-LIGN, has written this whitepaper to inform payroll professionals on nine issues that are critical to their ability to process payroll.

Security Awareness Boot Camp: Train Employees to be Your First Line of Defense

President Gene Geiger hosts the A-LIGN Security Awareness Boot Camp! Our boot camp is designed to take viewers through rigorous course objectives that will strengthen their knowledge of information security and improve their reaction to potential threats.

Happy Birthday ‘SOC’ – Farewell SAS 70

The goal of the discussion is to outline the lessons we have learned as service auditors and service organizations over the last year.

ISO 27001 Certification: An All-Access Pass

As a globally recognized security standard, the ISO 27001 certification is gaining traction in the U.S. as more companies are pursuing the certification to meet contractual obligations or to gain a competitive advantage.

Preparing for the COSO Framework Deadline: What Do I Need to Update Prior to December 15, 2014?

By December 15, 2014, all organizations utilizing the COSO Framework will need to complete their updates. The concepts underlying the 5 COSO components have now been codified as principles and must be satisfied as part of your framework.

Defend Your Data: Cybersecurity Lessons Learned from 2014

Learning from the cybersecurity incidents of 2014, Gene Geiger, President at A-LIGN will host a webinar during which Marc Rubbinaccio, Senior Consultant at A-LIGN, will review the incidents, identify common themes, and discuss how organizations can strengthen their information security.

SSAE 16 or SOC 2? Knowing What Path is Right for Your Company

Chief Executive Officer, Scott Price and Director of Compliance, Steve Simmons take a comprehensive look at‪ SOC1/SSAE 16 and SOC 2 audits.

Audit Survival Kit: How to Plan, Prepare and Achieve Compliance

This webinar discusses how to determine the right security or compliance assessment for your organization.

Countdown to Compliance: What You Need to Know for PCI 3.0

The goal of this webinar is to provide highlights of the changes in the PCI DSS standard from Version 2.0 to 3.0, discuss the required implementation timeline and how organizations should approach these changes.

CFPB Examination – Getting Your Agency Ready!

The goal of this webinar is to provide a high-level overview of the key areas that Collection Agencies should focus on as they prepare for the CFPB Examination.

PCI Data Security Standard Implementation Challenges – An Industry Perspective

The goal of this webinar is to provide a high-level overview of the Payment Card Industry Data Security Standard (PCI DSS), outline implementation challenges, and provide real-world examples of industry specific hurdles.

Reducing Audit Impact by A-ligning PCI DSS, SOC 1 & 2 Requirements

The goal of this webinar is to equip organizations that undergo multiple compliance audits annually by aligning PCI DSS, SOC 1 & 2 requirements with guidance on how to better prepare for, schedule, and undergo audits from external auditors.