- March 18, 2020
- Posted by: Ron Frechette
- Category: Blog
When demand becomes too great for a company to handle on its own, it often reaches out to a managed service provider for help. Most often, this relates specifically to a company’s IT infrastructure and end-user systems.
For businesses, this means granting a third party full access to all of the company’s sensitive data, including financial records and more. Choosing a managed service provider therefore requires a great deal of trust.
But how do you know which provider is following the proper guidelines to keep your data safe? And as a managed service provider, how can you show companies that you have processes in place to secure their sensitive data?
The answer lies in being compliant with what’s known as SSAE 18.
In this post, we’re going to cover SSAE 18 and tell you what it is, why your data center needs to be compliant, and how GoldSky Cyber Security Solutions can help you become (and stay) compliant.
What Is SSAE 18?
SSAE 18 refers to the Statement on Standards for Attestation Engagements No. 18. This is an auditing standard for service organizations. Many industries will require vendors to be compliant with the standards in SSAE 18, as evidenced by System and Organization Controls (SOC) reports (more on these in a bit).
SSAE 18 is overseen by the Auditing Standards Board (ASB), which operates under the American Institute of Certified Public Accountants (AICPA). SSAE 18 superseded SSAE 16, which in turn replaced SAS 70.
Updates were made to the old standards to require that companies take more ownership of their own internal controls. These updates specifically helped close security gaps in the management of third-party relationships.
Most importantly, SSAE 18 requires that service providers implement a formal:
- Third Party Vendor Management Program
- Annual Risk Assessment process
Your company’s SOC report must therefore describe how you manage third-party vendor relationships and how your risk assessment process works. These controls were not formally required under the previous standards.
While previous standards were mainly related to financially significant operations, SSAE 18 provides validation for just about any outsourced service. It provides a consistent, trusted set of auditing and reporting guidelines and allows for official, independent review.
Why Your Data Center Must Be SSAE 18 Compliant
SSAE 18 standards should be thought of as requirements, not guidelines.
When an organization works with a managed service provider, it trusts that the MSP has processes in place to safeguard the organization’s data. It also trusts that any partners the MSP works with will meet the same security standards. The best reassurance an organization can find is SSAE 18 compliance via SOC reporting.
An SOC 1 report will show that a data center has the appropriate controls in place to protect an organization’s financial data. Meanwhile, SOC 2 reporting shows that the MSP has taken the necessary precautions to prevent a data breach. Because SSAE 18 standards are so thorough, an organization can also have confidence that any third parties involved will meet the same standards.
SSAE 18 compliance shows that a data center takes responsibility for itself and the vendors it works with. When organizations seek an MSP they can trust, they should start with making sure that the company is SSAE 18 compliant.
Who Does SSAE 18 Apply To?
SSAE 18 applies to many different service organizations across several industries. Most often, you will be asked to provide an SOC report if your service organization performs outsourced services that affect the financial reporting of another company.
These services include, but are not limited to:
- Network monitoring services
- Data center monitoring services
- Payroll processing
- Loan services
- Software as a Service (SaaS)
- Medical claims processing
SSAE 18 certification shows that your organization has a good reputation and can be trusted. It gives you extra credibility that can be crucial when you are trying to land new business. Many businesses, such as nonprofit organizations, government entities, and financial service companies, among others, will require SSAE 18 compliance.
The Differences Between SOC 1, SOC 2, & SOC 3 Audits
As we mentioned above, compliance with the standards within SSAE 18 is demonstrated through System and Organization Controls (SOC) reports. An audit behind these reports will test that a managed service provider has the proper controls in place.
Here are the three categories of SOC reports:
- SOC 1 – regards controls over financial reporting. Applies to organizations that provide financial services like payroll, investments, banking, and more.
- SOC 2 – protections for privacy, information security, integrity, and confidentiality. This addresses both cybersecurity and business process controls.
- SOC 3 – greatly overlaps with SOC 2, with the difference being that SOC 3 is intended for a general audience. SOC 3 can be used as a powerful marketing tool, as it can be publicly posted on your website and social media.
SOC audits also come in two different types:
- Type I refers to a report that audits the state of a company’s controls as of a specific audit date.
- Type II is a report that audits the state of controls over time, typically over the past 12 months. Type II provides more assurance as it shows that controls were in place for a long period of time.
The type of SOC report and category will depend on the industries that your managed service provider serves, as well as your specific services. These SOC reports are the standard for vendor management and risk assessments. They objectively show that your organization follows certain financial, cybersecurity, and privacy guidelines.
Knowing whether or not your organization meets the standards outlined in SSAE 18 can be tricky on your own. That’s why you may need the help of a company like GoldSky.
Why You Should Partner With GoldSky To Ensure SSAE 18 Compliance
GoldSky works with many managed service providers who are in need of SOC 1, SOC 2, SOC 3, type I, and type II SSAE 18 reports.
To prepare you for an audit, GoldSky will examine the controls your organization has in place and test their effectiveness. We will perform a gap analysis to identify any deficiencies in security and suggest improvements. GoldSky will also deliver formal SOC reports on the state of your current controls that you can use for audits and/or marketing efforts.
GoldSky Security has offices in Orlando, Denver, Tampa, Nashville, Washington D.C., and Phoenix. Get in touch with us today to get your organization in line for an SSAE 18 audit.