Application Service / Hosting ProvidersAsset ManagementBenefits AdministratorsClaims Filing Administration & ProcessingClearinghousesCollection AgenciesCo-locations / Data CentersComputer Hardware and SoftwareCredit Card Processinge-Commerce ProvidersElectronic Payment Systems
Financial ServicesGaming/Government LotteriesInformation and Records ManagementInsurance and Financial ServicesPayroll Service ProvidersPension AdministratorsPrint / Mail Fulfillment HousesSoftware as a Service (SAAS) ProvidersThird Party Administrators
STATEMENT ON STANDARDS FOR ATTESTATION ENGAGEMENTS 18 (SSAE18)
In SSAE 18 the focus is on Trust Service Principles (TSP), Criteria and Attributes/Controls. The TSP are security, availability, processing integrity, confidentiality, and privacy.
Security: That the system is protected against unauthorized access, both physically and logically.
Availability: That the system is available for operation and use as committed or agreed.
Processing Integrity: That System processing is complete, accurate, timely, and authorized.
Confidentiality: That the information held by an organization is securely protected.
Privacy: That personal information is protected.The trust services principles and criteria of security, availability, processing integrity, and confidentiality are organized into four broad areas:
Policies: The entity defines and documents its policies for the security of the system.
Communications: The entity communicates its defined system security policies to responsible parties and authorized users.
Procedures: The entity placed in operation procedures to achieve its documented system security objectives in accordance with its defined policies.
Monitoring: The entity monitors the system and takes action to maintain compliance with its defined system security policies.
Privacy principle is organized in 10 Generally Accepted Privacy Principles (GAPP) or broad areas.
Generally Accepted Privacy Principles (GAPP). The following are the 10 GAPP or broad areas:
Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
Choice and consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Collection. The entity collects personal information only for the purposes identified in the notice.
Use and retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
Access. The entity provides individuals with access to their personal information for review and update.
Disclosure to third parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
Security for privacy. The entity protects personal information against unauthorized access (both physical and logical).
Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
Monitoring and enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
The biggest change from SSAE 16 to SSAE 18 relates to the monitoring of subservice organizations.
A subservice organization is a service organization used by another service organization to perform some of the services provided to user entities that are likely to be relevant to those user entities’ internal controls over financial reporting.
SSAE 18 requires controls to be implemented that monitor the effectiveness of controls at the subservice organization.
A service organization may choose to apply the change by creating a Third-Party Vendor Management Policy that requires a periodic review of significant third parties.
SSAE 18 states that monitoring activities may include: “reviewing and reconciling output reports, holding periodic discussions with the subservice organization, making regular site visits to the subservice organization, testing controls at the subservice organization by members of the service organization’s internal audit function, reviewing type 1 or type 2 reports on subservice organization’s system, and monitoring external communications, such as customer complaints relevant to the service by the subservice organization.”
Security, Availability, Processing Integrity, and Confidentiality Criteria
