What the 2026 Verizon DBIR Means for Your SOC 2 Compliance Program
by Rachel Hughes on June 10, 2026 at 3:55 PM
The 2026 Verizon Data Breach Investigations Report (DBIR) recently dropped. Vulnerability exploitation is officially the #1 breach vector at 31%. It is now the #1 way attackers are getting in, surpassing credential abuse, which dropped from 22% down to just 13% as an initial access me …
Subservice Organizations in SOC Reports: Carve-Out vs. Inclusive Method
by Rachel Hughes on June 9, 2026 at 4:33 PM
When a service organization relies on another vendor to perform part of its service, that vendor relationship doesn’t disappear from the SOC audit. Think of a payroll processor using a third-party data center, for example, or a SaaS company built on a major cloud infrastructure provid …
CMMC Scoping Guide: How to Define Your Level 2 Assessment Boundary
by Derek Boczenowski on June 5, 2026 at 11:30 AM
One of the most consequential (and most misunderstood) steps in preparing for CMMC compliance is defining the scope of your assessment boundary. Scope too broadly and you’re burdening your organization with unnecessary controls and cost. Scope too narrowly and you risk leaving Control …
Does SOC 2 Reduce Security Questionnaires, or Just Change Them?
by Derek Boczenowski on May 28, 2026 at 11:00 AM
Every B2B vendor chasing enterprise deals eventually asks the same thing. We are pouring real money and real calendar time into a SOC 2 Type 2 report, so will it actually reduce the security questionnaires we get buried under, or will buyers just keep sending them anyway?
Third Party Administrator (TPA) Risks: IT Security & Compliance Guide
by Kyle Daun on May 27, 2026 at 4:05 PM
If your organization handles sensitive data and outsources any operational work, there is a good chance a Third Party Administrator (TPA) is somewhere in your environment. Maybe they process claims for your self-funded health plan. Maybe they handle 401(k) recordkeeping. Maybe they ar …
What Are Buyers Actually Looking for in Your SOC 2 Type 2 Report?
by Cera Adams on May 22, 2026 at 12:12 PM
You spent six months getting ready for your SOC 2 Type 2 audit. You collected the evidence. You sat through the walkthroughs. You finally got the report, a polished sixty-page document with an unqualified opinion stamped on the front. Then you sent it to your first enterprise prospect. …