Are you familiar with SSAE 18 yet? It came into effect on May 1. We'll go through what it is and how it affects vendor management at your institution.
Welcome to this week’s Third Party Thursday! My name is Aaron Kirkpatrick and I’m the Information Security Officer here at Venminder.
In this video, we’re going to cover what you need to know about the SSAE 18. But, before we dive into that, let’s cover some basic knowledge related to how SSAE 18 works with the other SOC type documents.
Now that we covered that, let's cover more about what SSAE 18 is.
SSAE 18 requires a new creation and mandatory inclusion of Complementary Subservice Organization Controls when applicable - so controls related to your fourth parties. This will provide additional clarity of how your vendor is addressing their own vendor management obligations - so how they are handling your fourth parties.
More specifically, your vendors must identify the functions and controls that your vendor assumes their vendors are performing – all to provide you with a product or service as agreed in your contract and service level agreement.
This is good news because now vendor management is no longer just your problem, it's also your vendor's problem.
The bad news is this does not provide you with any additional assurance as the scope of your vendor’s audit will not include the operating effectiveness of the controls at your fourth party. However, it will provide the guidance you need to perform an informed review of your fourth party's SOC 1 or 2 report or other available and comparable documentation.
With SSAE 18 coming into effect, there's also 3 key updates to SOC 1’s.
The official date was May 1, 2017. And also now, SSAE 16 will no longer be used. By mid to late 2017, you should begin to see the first SSAE 18’s being provided by vendors.
Our customers who use our SOC Analysis service already know that subservice organizations have been a focus in our analysis’ and this update will further our ability to provide even more insight into the operations of your vendors.
Now you know the key updates associated with SSAE 18, when to expect SSAE 18's, and why it matters to you.
Again…I’m Aaron Kirkpatrick and thank you for watching! If you haven’t already subscribe to the Third Party Thursday series.