SSAE Compliance - Services and Solutions | Briskinfosec

Statement Of Standards For Attestation Engagements (SSAE) 18

SSAE 18

SSAE 18 is an attestation standard issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA). SSAE 18 addresses engagements conducted by 'Service Auditors' (or 'Practitioners') on service organizations for the purpose of reporting on the design of controls and their operating effectiveness.

As of now, SOC 1 SSAE 18 engagements conducted by service auditors on service organizations result in the issuance of either an SSAE 18 Type 1 or Type 2 report.

Speak to an Expert

For more information on how our Briskinfosec penetration testing services can help to safeguard your organisation, call us now on +91 860 863 4123 or request a call back using the form below.


What are SOC 1 and SOC 2 Reports?

SOC 1 Reports: Reporting on controls relevant to internal controls over financial reporting (ICFR). Reporting is conducted in accordance with the Statement on Standards for Attestation Engagements (SSAE), following the SSAE 18 audit guide.

SOC 2 Reports: Reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy. SOC 2 reporting is conducted in accordance with AT Section 101 and uses the audit guide titled "Reports on Controls at a Service Organization over Security, Availability, Processing Integrity, Confidentiality, or Privacy".

What are Type 1 & Type 2 Reports?

  • A Type 1 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design of Controls", or simply as a SOC 1 SSAE 18 Type 1 report.

  • A Type 2 report is technically known as a "Report on Management's Description of a Service Organization's System and the Suitability of the Design and Operating Effectiveness of Controls", or simply as a SOC 1 SSAE 18 Type 2 report.

Approach to SOC & How It Works

Data security is a concern for customers of service organizations across all industries, but especially for companies that process financial transactions on behalf of others.

Readiness Assessment

Once the scope is determined, a service organization, with Briskinfosec's help, may decide to assess the existing controls in place and the gaps between them and management's control objectives.

Through this, internal controls are analyzed to determine:

  • Whether they meet the control objectives and are all in order.
  • Where controls are not adequate, a remediation effort is designed and developed to take counter-measures and fix the gaps.

At the end of this phase, top management receives a final report that identifies the key controls for each control objective and criterion, together with any necessary remediation efforts.

Remediation Services for Control Gaps

The following steps occur during the remediation phase:

  • Remediation services are provided, efforts are tracked, and the adequacy of controls is established in order to close the gaps.
  • The service provider drafts a system description that identifies the processes and controls that deliver the services within the scope of the engagement. This description is the basis of the auditor's opinion and is included in the final report.

Authentication - Accuracy about the Controls

After the remediation services have been performed and the identified control gaps, including the control description, have been addressed, the controls are verified. The successful result of these procedures is the issuance of a Type 1 SOC report with the Service Auditor's Opinion as of a specific date.

Benefits of a SOC Report

A SOC report is a source of belief and trust from your valued customers, who have received services from your organization, in the internal controls you maintain and implement.

Because of the changes from SSAE 16 to SSAE 18, your service organization can benefit in the following ways:

  • A broad-based, client-centric approach and enhanced reporting on your control system.

  • Full assurance for your customers that the internal control audits affecting their financial reporting are timely and accurate, in order to stay in compliance with company policies and government regulations.

SSAE 18 engagements identify key areas for improvement that can ultimately help to reduce risk, decrease the frequency of irregularities, and minimize chances of fraud.

What Does CPA Reporting Mean for SSAE 18 Physical Security Compliance?

When an independent CPA reports on your compliance with SSAE, you are able to assure your clients that you have a high level of security that would not be compromised.

This is because it means that you have set the right hierarchical responsibility for access to your premises and, most importantly, that you work with partners who do not take data security lightly.

How Is SSAE 18 Different From SSAE 16?

While the SSAE 16 was specific to SOC 1 audits, SSAE 18 is an umbrella standard that applies to most types of attestation engagements, clarifying and formalizing requirements to enhance their reporting potential. The SSAE 16 examination will no longer be referred to as an SSAE 16 examination but will simply be known as a SOC 1 examination.

SSAE 18 features significant changes in the following areas:

  • Vendor management
  • Risk assessment
  • Complementary subservice organization controls
  • Data validation

Our Milestones

Awards and Affiliations

CIO Review

We are honoured as one of the top 20 most promising information security solution providers by CIO Review.

India Book of Records

We reported 8000 vulnerabilities within 4 hours and have registered our name in the "India Book of Records".

ISO/IEC 270001:2015

We have been empanelled with ISO/IEC 270001:2015 for our commitment towards security.

NCDRC

Briskinfosec's cyber security initiatives are affiliated with the National Cyber Defence Research Centre (NCDRC).

Council of CIA

Briskinfosec is the founding member of the Council of CIA (Confidentiality, Integrity and Availability).

CERT-In

Briskinfosec is a CERT-In (Computer Emergency Response Team - India) empanelled auditing firm.

FAQ

Have any changes been made to Statements on Standards for Attestation Engagements (SSAE) No. 18 that will affect service auditors' engagements?

Is SOC 2 more appropriate than a SOC for Security?

Based on our experience, SOC 2 is increasingly valuable in business-to-business compliance and assurance. It continues to expand in usefulness as a tool to meet other requirement standards (e.g. GDPR, HIPAA and PCI) that require detailed oversight of third-party vendors. Organizations that adopt it show that they are expanding their business and controls and better protecting their responsibilities to their valued clients.

Is SOC for Information / Cyber Security more appropriate than SOC 2 or SOC 3?

Our R&D indicates that SOC for Security is more useful for large MNCs, and also for MSMEs, that need a measurement of their own cyber security posture. A CISO needs to quantify risk over time for board members who want to know whether cyber security risks are being adequately mitigated. It is a good way to measure whether very specific controls have provided a return on investment.

Who is responsible for HIPAA?

Both the healthcare organization and the individual staff members who access PHI are responsible. The organization is responsible for putting all necessary safeguards in place for HIPAA compliance. Every individual (office manager, doctor, etc.) is held responsible for the health information they should, can, or do access. Individuals and companies can independently face criminal charges for mishandling PHI.

Is there a prescribed set of control objectives for SSAE 18 SOC 2 & 3 engagements?

A service auditor may be engaged to report on a description of a service organization's system and the suitability of the design and operating effectiveness of controls relevant to one or more of the trust services principles.

In SSAE 18 SOC 2 and SOC 3 engagements, the service auditor uses the trust services criteria, namely Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Technical Practice Aids), for evaluating and reporting on controls relevant to security, availability, processing integrity, confidentiality, or privacy.

Accordingly, in every SOC 2 and SOC 3 engagement that addresses the same principle(s), the criteria will be the same (the applicable trust services criteria).

What are the Basic Requirements for SOC 2 Compliance?

The most important requirement of SOC 2 is that businesses need to develop security policies and procedures that are written out and followed by everyone. These policies and procedures serve as guides for auditors who will review them.

Policies and procedures should cover security, availability, processing integrity, confidentiality and privacy of data stored in the cloud.

What needs to be monitored?

The most important things to monitor are any unauthorized, unusual or suspicious activity affecting a specific client. This type of monitoring usually focuses on system configuration and user access, and watches for known and unknown malicious activity, such as phishing or other types of inappropriate and unauthorized access. The best means of monitoring is a continuous security monitoring service.

What alerts are needed?

Alerts set up to detect unauthorized access to customer information and customer data, or any other anomalous behaviour related to a client’s data, are crucial in assisting busy IT leaders in meeting SOC 2 requirements.

What Is a SOC 2 Readiness Assessment?

A SOC 2 scoping and readiness assessment helps service organizations better determine the necessary scope of a specific audit. This important exercise helps IT teams understand which important elements of the control environment require attention and remediation before performing the official audit.

Who must comply with SOC 2 Requirements?

SOC 2 requirements are mandatory for all engaged, technology-based service organizations that store client information in the cloud. Such businesses include those that provide SaaS and other cloud services while also using the cloud to store each respective, engaged client’s information.

How often must a Service Organization schedule a SOC 2 Audit?

Most SOC 2 reports cover a one-year period, but some service organizations perform this audit every three or six months, depending on the client's preference and any ongoing concerns in the operational control environment.
