SSAE 18 SOC 2 Type 2 Certification

Learn about providing hospitals and healthcare organizations with an SSAE 18 SOC 2 Type 2 certification.

Introduction

SSAE 18, also called Statement on Standards for Attestation Engagements 18, is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for defining how data centers report on compliance controls. It replaced SSAE 16 in May of 2017 as the new standard for auditors to perform a variety of attestation reporting.

What is SAS 70 vs. SSAE 16 vs. SSAE 18?

The American Institute of Certified Public Accountants (AICPA) is the U.S. rule-making body for the auditing industry, and it sets standards for professional auditors, which are typically large CPA and consulting firms. It created the SAS 70 standard, which evolved into SSAE 16 and then into SSAE 18. SAS is an acronym for Statement on Auditing Standards, and likewise SSAE stands for Statements on Standards for Attestation Engagements.

What is SAS 70?

SAS 70 provided a framework for reporting on controls and processes at service companies. However, it did not require attestation about the design and effectiveness of those controls, which of course is important for organizations wanting to outsource critical business functions.

What is SSAE 16?

SSAE 16 did what SAS 70 did not do, which is to provide a set of standards and guidance for attestation reporting on organizational controls and processes of service companies. SSAE 16 held a service company's management accountable by requiring, in writing, that the company's systems, control objectives, and operational activities were accurately reflected in the audit report.

What is SSAE 18?

The rise of worldwide outsourcing of critical business functions influenced the AICPA to evolve their standards from SSAE 16 to SSAE 18. Some examples of the type of business that often need SSAE 18 audits are:
  • Payroll or loan processing
  • Data center/co-location
  • Software as a Service (SaaS)
  • Medical claims processors
SSAE 18 is the current auditing standard for service companies. It replaced SSAE 16 and updates and simplifies the auditing standards for reporting on organizational controls and processes. Companies must provide risk assessments to the auditors, which is a very significant change. The companies must also sign a "Management Assertion" letter accepting significant responsibility, which was not required under SSAE 16. Under SSAE 16 they had to provide such a letter, but did not have to sign it. The signed letter and the auditor's report now use different language that is more specific and detailed, to provide more assurance to users of these reports. SSAE 18 also requires companies to identify their subservice organizations. Today, SOC 1, SOC 2 and SOC 3 audits use the standards of SSAE 18.

What is an SSAE 18 SOC 1 vs SOC 2 vs SOC 3 Audit?

An SSAE 18 SOC 1 is a report that is performed by auditors on the controls that a service organization has in place to safeguard financial statements.
Systems and Organization Controls 2 (SOC 2) is an audit process that evaluates a company's ability to securely manage business data. By undergoing a SOC 2 audit, a company demonstrates its ability to meet the security criteria that its customers require in order to confidently share their data. SOC 2 was developed and is administered by the American Institute of Certified Public Accountants (AICPA), since CPAs have the expertise needed to conduct audits and attest to the results.
An SSAE 18 SOC 3 audit is a report that is like a SOC 2, but it does not provide the same degree of detail.  SOC 3 reports are typically distributed to the public, but SOC 2 reports have restrictions on distribution.

What is SOC 2 Type 1 Compliance?

A Type 1 audit reviews the controls that govern data security and privacy. This audit requires less time, helps set parameters for future audits, and is typically the initial audit.
The Type 1 SSAE certification performed for many data centers uses the following criteria:
  1. The description of the service organization's system was designed and implemented as of only a single specified report date which is typically as of 12/31/xx.
  2. The control objectives stated in the description were suitably designed to achieve compliance as of only a single specified report date which is typically as of 12/31/xx.
In other words, a Type 1 report is just a snapshot in time at a particular date which is typically 12/31/xx.

What is SOC 2 Type 2 Compliance?

In sharp contrast, the Type 2 audit tests the same controls as Type 1, but also reports on how effectively the organization is maintaining them over a period of a year. This audit is typically performed on a recurring annual basis in which data policies, processes and technologies are reviewed in depth.  An organization's commitment to security and privacy is documented with a SOC 2 Type 2 audit report.
The Type 2 SSAE certification performed for Giva's data centers uses the following criteria, which are more rigorous, more difficult to pass, and set a higher overall standard:
  1. The description of the service organization's system was designed and implemented over the period of examination which is typically a one-year period.
  2. The control objectives stated in the description were suitably designed to achieve compliance over the period of examination which is typically a one-year period.

SSAE 18

Technology

Enterprise and service provider class technology from Dell, Cisco, F5, VMware, EMC, Netapp, Tripwire, Trustwave, Microsoft and Red Hat.

People

Skilled HIPAA-certified engineers available 24/7/365.

Process

All processes are validated against a rigorous set of controls by an independent team of CPA auditors. The annual SSAE 18 SOC 2 Type 2 compliance report is issued and shared with all Giva customers upon request.

SOC 2 Framework

SSAE 18 SOC 2 Type 1 or Type 2 audits evaluate and report on the information and systems used to support the comprehensive set of criteria known as the five Trust Services Principles:
  1. Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and impact the organization's ability to meet its objectives.
  2. Availability: Information and systems are available for operation and use to meet the organization's objectives.
  3. Processing Integrity: System processing is complete, valid, accurate, timely and authorized to meet the organization's objectives.
  4. Confidentiality: Information designated as confidential is protected to meet the organization's objectives.
  5. Privacy: All information is collected, used, retained, disclosed and disposed of to meet the organization's objectives.

SSAE 18 SOC 2 Compliance Checklist

  • Organization & Management
    • Acceptable Use
      The Acceptable Use policy details terms and conditions that employees must agree to for access to the corporate network and other company assets.
    • Organization's Ethics
      The company encourages the values of high ethics, trust, and integrity.
    • Personnel Security
      Company employees and contractors understand their roles and responsibilities around security and privacy.
  • Asset Management
    • Technology Equipment Handling and Disposal
      The company appropriately disposes of equipment that contains sensitive information.
  • Information & Communication
    • Information Classification
      Information is assigned a value so it can be organized according to the risk of loss from its disclosure.
    • Workstation Security
      The company protects laptops and workstations and their contents using security industry best practices.
  • Risk Management
    • Risk Assessment
      The company implements regular risk assessments and uses industry best practices in remediation.
    • Vendor Management
      The company actively manages risks around 3rd party vendors and their access to company data.
    • Information Security
      The company carefully manages changes of any IT security policies, implements and documents security controls, provides security awareness training, and tracks compliance with customers, independent auditors, regulatory agencies, and third-party vendors.
  • Access Control
    • Key Management and Cryptography
      The company utilizes the latest proven and secure encryption algorithms.
    • Server Security
      The company manages, configures, and protects servers and hosts based on industry best practices including a comprehensive change management process.
    • Access Control
      Policies define requirements and guidelines on user account management, access control, monitoring, separation of responsibilities of administrators and other key individuals, and remote access.
  • Software Development Security
    • Software Development
      The company designs and builds software with security and privacy as design principles.
  • Security Operations
    • Vulnerability Management
      The company conducts scheduled application/network scanning and penetration testing on an ongoing basis using independent 3rd parties.
    • Incident Management
      Any security incidents that threaten the security or confidentiality of information assets are properly identified, contained, investigated, and remediated. Root cause analysis is performed and communicated to the highest level of the organization.
  • Audit & Compliance
    • Customer Support and SLA
      Customers are highly valued by the company, and it provides a Service Level Agreement (SLA) to support them.

Data Center Specifications

  • Power
    • Direct connection to power grid at 13.2 kV
    • 2N electrical design
    • Dual Redundant UPS / Battery Strings
    • Automatic Transfer Switch
    • 750 kW back-up generator
    • 2300 Gallons of fuel onsite
    • Enough capacity for up to 7 days
  • Cooling
    • n+1 Design
    • Redundant CRAC Cooling
    • Temperature of 70 degrees F / 50% humidity
    • Hot Aisle/Cold Aisle Design
    • Redundant Glycol Pumps
  • Fire
    • Dry-piped pre-action fire protection system
    • FM200 Gas Fire Suppression System
  • Connectivity
    • 3 Tier 1 Network Carriers
    • 30 Gbps Bandwidth
    • 4 Fiber Paths
    • 2N Network Design