Articles

Practical guides for modern security

Honest writing on SOC 2 readiness, continuous compliance, vulnerability management, incident response, and the messy realities of keeping a regulated business secure.

19 articles
Compliance11 min read

The FTC Safeguards Rule: The Security Law Many Small Businesses Do Not Know Applies to Them

Auto dealers, tax preparers, accountants, mortgage brokers, and dozens of other Main Street businesses are "financial institutions" under the FTC Safeguards Rule — and the amended Rule now names specific controls they must run, from a designated Qualified Individual to MFA, encryption, and a written risk assessment. A plain-English tour of who it covers, what the nine required elements ask for, and how to prepare — not a promise that any tool makes you compliant.

Paul HittJul 10, 2026
Compliance10 min read

The CIS Controls IG1: A Concrete Starting Baseline When Frameworks Feel Paralyzing

Plenty of small teams stall on security not because they do not care but because the first question — "which framework?" — is genuinely paralyzing. The CIS Controls give a prioritized, community-maintained answer, and Implementation Group 1 carves out the essential-hygiene subset built specifically for organizations without a security team. It is not a certificate you earn; it is a defensible starting list you can actually work down.

Paul HittJul 9, 2026
Compliance11 min read

NIST 800-171 and the SPRS Self-Assessment: What Small Subcontractors Already Owe

Long before a CMMC assessor ever knocks, a DFARS clause already requires many defense subcontractors to protect Controlled Unclassified Information to NIST 800-171 and to post a current self-assessment score in SPRS — and a surprising number of small subs do not know the obligation exists. What the 110 requirements ask, how the SPRS score is actually calculated, and how the self-assessment relates to the CMMC bar coming behind it.

Paul HittJul 9, 2026
Compliance11 min read

ISO 27001 vs SOC 2: Choosing a Path

Sooner or later a customer asks whether you have SOC 2 or ISO 27001, and the honest answer is that they are different things solving overlapping problems. One is a certification against an international standard built around a management system; the other is an attestation report from an auditor against a set of trust criteria. Knowing how they differ — and how much evidence they share — helps you pick the path that fits your buyers instead of chasing both.

Paul HittJul 7, 2026
Compliance8 min read

Data Residency and Data Sovereignty: Knowing Where Your Data Actually Lives

Where your data physically sits, and whose laws reach it, is a question customers and regulators increasingly ask — and "somewhere in the cloud" is not an answer. Data residency is about location; data sovereignty is about the law that follows it. Here is the difference, why it matters for a lean team, and how to actually know and document the answer.

Paul HittJul 6, 2026
Compliance8 min read

Physical Security: The Control Category Software Teams Forget They Owe

Every serious framework — SOC 2, ISO 27001, HIPAA — has a physical-security section, and software teams routinely arrive at their first audit having never thought about it. The unlocked office, the server closet nobody controls, the visitor who badged in behind someone: a practical physical baseline for a team whose "data center" is a cloud account but whose laptops, backups, and offices are still very much real.

Paul HittJul 4, 2026
Articles — Hosting Security