Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on controls at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011 (ssae16.com).

The SSAE 16 scope includes:

Business Objectives

Information Technology Objectives

Organization and Administration
    Organization Chart
    Roles and Responsibilities
    Hiring and Termination Practices
    Orientation and Training
    Employee Handbook
    Policy Acknowledgement
    Security Awareness

Network Security and Design
    Security Risk Analysis
        Risk Analysis Methodology
    Security Policy
    Security Strategy
    Third-Party Providers
    Security Trust Zones
        Trust Zone Classification
        Trust Zone Implementation
    Separation of Duties
        Separation of Duties on Perimeter Components
        Separation of Duties on Internal Systems

Logical Security
    Hardened Systems
        Harden Server Operating System Configurations
        Harden Workstation Operating System Configurations
    Routers
        Network Segmentation
    Switches
        Switch Placement
        Switch Usage
    Firewalls
        Firewall Rule Requirements
        Firewall Configuration
    Remote Access Virtual Private Networks (VPNs)
        VPN Utilization
        VPN Configuration
    Intrusion Detection / Intrusion Prevention
        Intrusion Detection Program

Physical Security
    Perimeter Physical Security
        Building / Structure
        Access Controls / Locks
        Surveillance
    Environmental Physical Security
        Fire Suppression
        Power Protection / UPS / Generators
        Cooling Requirements / Adequacy
    Interior Physical Security
        Access Controls / Locks
        Visitor Authorization / Authentication

Third-Party Network Security Testing
    External Network Security Assessments
        Penetration Testing
    Internal Network Security Assessments
        Internal Testing

Disaster Recovery and Business Continuity
    Disaster Recovery and Business Continuity Plan Analysis
        Disaster Recovery and Business Continuity Plan Methodology
    System Backups
        Infrastructure Data
        Operational Data
        User Data

Project Management

Change Management
    Operating System Patches / Updates
        Server Patch Management
        Workstation Patch Management
    Application Patches / Updates
        Mission-Critical Hardware / Software / Applications
Copyright 2012 BLU3 Technologies Incorporated
All Rights Reserved