GLOSSARY

SSAE 16

Terms

Annex A Controls

Attestation of Compliance (AOC)

Compliance risk management

Compliance software

Cardholder Data (CHD)

Cardholder Data Environment (CDE)

HIPAA Business Associates

HIPAA Compliance

HIPAA Covered Entities

HIPAA employee training

HIPAA Risk Assessment

HIPAA Rules: Breach Notification Rule

HIPAA Rules: Enforcement Rule

HIPAA Rules: Omnibus Rule

HIPAA Rules: Privacy Rule

HIPAA Rules: Security Rule

HIPAA Safeguards

HIPAA Sanctions

Health Information Technology for Economic and Clinical Health Act (HITECH)

ISMS Governing Body

ISO 27001 security standard

ISO 27001 Internal Audit

ISO 27001 Key Performance Indicators (KPIs)

ISO 27001 Management Review

ISO 27001 Nonconformities

ISO 27001 Risk Assessment

ISO 27001 Risk Treatment Plan

ISO 27001 Stage 1 Audit

ISO 27001 Stage 2 Audit

IT security policy

Information Security Management System (ISMS)

Protected health information

Payment Card Industry Data Security Standard (PCI DSS)

Qualified Security Assessor (QSA)

Report on Compliance (ROC)

Security questionnaire

SOC 2 Type I report

SOC 2 Type II report

SOC Trust Services Criteria

Self-Assessment Questionnaire (SAQ)

Service Provider

Statement of Applicability

Vendor assessment

Vendor management policy

What is SSAE 16?‍

‍

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) is a set of auditing standards and guidance published by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA).

‍

Auditors use SSAE 16 as a guide when creating two specific audit reports: The first is a snapshot to reflect the status of an organization's controls on a particular day, and the second is to incorporate historical data that reflects how controls have changed over time. Auditing standards, like SSAE 16, are used by auditors to guide the discovery of controls, including security controls, in all types of organizations, such as data centers, internet service providers (ISPs) and other entities that incorporate information security controls. The use of such standards is important in order to help both organizations and auditors in demonstrating information security compliance with regulations, such as Sarbanes-Oxley.

‍

Clients use the SSAE 16 standard to pursue a SOC 1 report.

Vanta is the easy way to get SOC 2, HIPAA, or ISO 27001 compliant. Over 1000 fast-growing companies trust Vanta to automate their security monitoring and get ready for security audits in as little as two weeks. Simply connect your tools to Vanta, fix the gaps on your dashboard, and then work with a Vanta-trained auditor to complete your audit. We'll guide you throughout the process and help tailor your security monitoring and compliance to meet the needs of you and your customers. Vanta was founded in 2017 and headquartered in San Francisco.