SSAE 18 SOC 2 Type 2 Certification for Giva's Cloud Help Desk Software

SSAE 18, also called Statement on Standards for Attestation Engagements 18, is an attestation standard created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) that defines how data centres and other service organisations report on their compliance controls. It replaced SSAE 16 in May of 2017 as the standard under which auditors perform a variety of attestation reports.

What is SAS 70 vs. SSAE 16 vs. SSAE 18?

The American Institute of Certified Public Accountants (AICPA) is the U.S. rule-making body for the auditing industry, and it sets standards for professional auditors, who are typically large CPA and consulting firms. It created the SAS 70 standard, which evolved into SSAE 16 and then into SSAE 18. SAS is an acronym for Statement on Auditing Standards, and likewise SSAE stands for Statements on Standards for Attestation Engagements.

What is SAS 70?

SAS 70 provided a framework for reporting on controls and processes at service companies. However, it did not require attestation about the design and effectiveness of those controls, which of course is important for organisations wanting to outsource critical business functions.

What is SSAE 16?

SSAE 16 did what SAS 70 did not do, which is to provide a set of standards and guidance for attestation reporting on the organisational controls and processes of service companies. SSAE 16 held a service company's management accountable by requiring it to state, in writing, that the company's systems, control objectives, and operational activities were accurately reflected in the audit report.

What is SSAE 18?

The rise of worldwide outsourcing of critical business functions influenced the AICPA to evolve its standards from SSAE 16 to SSAE 18. Some examples of the types of business that often need SSAE 18 audits are:
  • Payroll or loan processing
  • Data centre/co-location
  • Software as a Service (SaaS)
  • Medical claims processors
SSAE 18 is the current auditing standard for service companies. It replaced SSAE 16 and updates and simplifies the auditing standards for reporting on organisational controls and processes. Companies must now provide risk assessments to the auditors, which is a very significant change. The companies must also sign a "Management Assertion" letter accepting significant responsibility, which was not required under SSAE 16: under SSAE 16 they had to provide such a letter, but did not have to sign it. The signed letter and the auditor's report now use different language that is more specific and detailed, to provide more assurance to users of these reports. SSAE 18 also requires companies to identify their subservice organisations. Today, SOC 1, SOC 2 and SOC 3 audits all use the SSAE 18 standard.

What is an SSAE 18 SOC 1 vs SOC 2 vs SOC 3 Audit?

An SSAE 18 SOC 1 is a report produced by auditors on the controls that a service organisation has in place to safeguard financial reporting.
System and Organisation Controls 2 (SOC 2) is an audit process that evaluates a company's ability to securely manage business data. By undergoing a SOC 2 audit, a company demonstrates its ability to meet the security criteria that its customers require before they will confidently share their data. SOC 2 is developed and administered by the American Institute of Certified Public Accountants (AICPA), since CPAs have the expertise needed to conduct audits and attest to the results.
An SSAE 18 SOC 3 audit produces a report that is like a SOC 2 report but does not provide the same degree of detail. SOC 3 reports are typically distributed to the public, whereas SOC 2 reports have restrictions on distribution.

What is SOC 2 Type 1 Compliance?

A Type 1 audit reviews the controls that govern data security and privacy. This audit requires less time, helps set parameters for future audits, and is typically the initial audit an organisation undergoes.
The Type 1 SSAE certification performed for many data centres uses the following criteria:
  1. The description of the service organisation's system was designed and implemented as of only a single specified report date which is typically as of 12/31/xx.
  2. The control objectives stated in the description were suitably designed to achieve compliance as of only a single specified report date which is typically as of 12/31/xx.
In other words, a Type 1 report is just a snapshot of the controls at a particular date, typically 12/31/xx; it says nothing about whether they operated effectively before or after that date.

What is SOC 2 Type 2 Compliance?

In sharp contrast, the Type 2 audit tests the same controls as Type 1 but also reports on how effectively the organisation has maintained them over a period, typically a year. This audit is typically performed on a recurring annual basis, in which data policies, processes and technologies are reviewed in depth. An organisation's commitment to security and privacy is documented by its SOC 2 Type 2 audit report.
The Type 2 SSAE certification performed for Giva's data centres uses the following criteria, which are more rigorous, more difficult to pass, and set a higher overall standard:
  1. The description of the service organisation's system was designed and implemented over the period of examination which is typically a one-year period.
  2. The control objectives stated in the description were suitably designed to achieve compliance over the period of examination which is typically a one-year period.

SSAE 18

Technology

Enterprise and service provider class technology from Dell, Cisco, F5, VMware, EMC, Netapp, Tripwire, Trustwave, Microsoft and Red Hat.
People

Skilled HIPAA-certified engineers available 24/7/365.
Process

All processes are validated against a rigorous set of controls by an independent team of CPA auditors. The annual SSAE 18 SOC 2 Type 2 compliance report is issued and shared with all Giva customers upon request.

SOC 2 Framework

SSAE 18 SOC 2 Type 1 and Type 2 audits evaluate and report on the information and systems used to support a comprehensive set of criteria known as the five Trust Services Principles:
  1. Security: Information and systems are protected against unauthorised access, unauthorised disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and impact the organisation's ability to meet its objectives.
  2. Availability: Information and systems are available for operation and use to meet the organisation's objectives.
  3. Processing Integrity: System processing is complete, valid, accurate, timely and authorised to meet the organisation's objectives.
  4. Confidentiality: Information designated as confidential is protected to meet the organisation's objectives.
  5. Privacy: All information is collected, used, retained, disclosed and disposed of to meet the organisation's objectives.

SSAE 18 SOC 2 Compliance Checklist

  • Organisation & Management
    • Acceptable Use
      The Acceptable Use policy details terms and conditions that employees must agree to for access to the corporate network and other company assets.
    • Organisation's Ethics
      The company encourages the values of high ethics, trust, and integrity.
    • Personnel Security
      Company employees and contractors understand their roles and responsibilities around security and privacy.
  • Asset Management
    • Technology Equipment Handling and Disposal
      The company appropriately disposes of equipment that contains sensitive information.
  • Information & Communication
    • Information Classification
      Information is assigned a value so it can be organised according to the risk of loss if it is disclosed.
    • Workstation Security
      The company protects laptops and workstations and their contents using security industry best practices.
  • Risk Management
    • Risk Assessment
      The company performs regular risk assessments and uses industry best practices in remediation.
    • Vendor Management
      The company actively manages risks around third-party vendors and their access to company data.
    • Information Security
      The company carefully manages changes of any IT security policies, implements and documents security controls, provides security awareness training, and tracks compliance with customers, independent auditors, regulatory agencies, and third-party vendors.
  • Access Control
    • Key Management and Cryptography
      The company utilises the latest proven and secure encryption algorithms.
    • Server Security
      The company manages, configures, and protects servers and hosts based on industry best practices, including a comprehensive change management process.
    • Access Control
      Policies define requirements and guidelines on user account management, access control, monitoring, separation of responsibilities of administrators and other key individuals, and remote access.
  • Software Development Security
    • Software Development
      The company designs and builds software with security and privacy as design principles.
  • Security Operations
    • Vulnerability Management
      The company conducts scheduled application/network scanning and penetration testing on an ongoing basis using independent third parties.
    • Incident Management
      Any security incidents that threaten the security or confidentiality of information assets are properly identified, contained, investigated, and remediated. Root cause analysis is performed and communicated to the highest level of the organisation.
  • Audit & Compliance
    • Customer Support and SLA
      Customers are highly valued by the company, and it provides a Service Level Agreement (SLA) to support them.

Data Centre Specifications

  • Power
    • Direct connection to power grid at 13.2 kV
    • 2N electrical design
    • Dual Redundant UPS / Battery Strings
    • Automatic Transfer Switch
    • 750 kW back-up generator
    • 2300 Gallons of fuel onsite
    • Enough capacity for up to 7 days
  • Cooling
    • N+1 Design
    • Redundant CRAC Cooling
    • Temperature of 70 degrees F / 50% humidity
    • Hot Aisle/Cold Aisle Design
    • Redundant Glycol Pumps
  • Fire
    • Dry-piped pre-action fire protection system
    • FM200 Gas Fire Suppression System
  • Connectivity
    • 3 Tier 1 Network Carriers
    • 30 Gbps Bandwidth
    • 4 Fiber Paths
    • 2N Network Design
