What Is SSAE 18, and How Does it Relate to SOC Reports?

Mar 23, 2022 Continuum GRC 0 Comment

Featured SSAE 18 insights from Continuum GRC. Enhance 2025 compliance with top GRC software, risk assessment, and AI-powered cybersecurity defenses.

SSAE 18 is a statement that sets standards for reporting on the controls and processes related to financial reporting. It comes from the American Institute of Certified Public Accountants, outlining the framework for reporting on internal controls. The SSAE 18 is designed to provide assurances that the reporting of service organizations is secure, thorough, and on point. For SOC reports, an SSAE 18 statement outlines controls to ensure they’re reliable.

Most organizations have at least heard of SOC reports. Published and administered by the American Institute of Certified Professional Accountants (AICPA), the SOC umbrella of attestations helps organizations demonstrate adherence to best practices around data privacy, cybersecurity, risk assessment and financial reporting.

Since SOC requirements come directly from the AICPA, the organization releases documents pertaining to guidance for audits and compliance. One of the primary documents for SOC compliance is Statement on Standards for Attestation Engagements no. 18 (SSAE 18).

FedRAMP and CISA: What Is Binding Operational Directive 22-01

Mar 16, 2022 Continuum GRC 0 Comment

Featured FedRAMP guides by Continuum GRC. Achieve 2025 regulatory compliance with top GRC software for federal cloud security and vulnerability management.

Managing cybersecurity threats is a full-time job, and most cybersecurity specialists rely on shared knowledge between experts in the field to combat these threats. The Common Vulnerabilities and Exposures (CVE) database provides a starting point for this kind of knowledge, centralizing an index of known security vulnerabilities in the wild.

The CVE program recently joined with the Cybersecurity and Infrastructure Security Agency (CISA), which then feeds into new directives for federal agencies and cloud service providers (CSPs). One of these directives, Binding Operational Directive 22-01, establishes this new list and several other requirements for regulated organizations and is trickling down into other security requirements, including FedRAMP.

Social Engineering and Enterprise Security

Mar 2, 2022 Continuum GRC 0 Comment

Featured social engineering prevention by Continuum GRC. 2025 GRC strategies for employee training, zero trust, and regulatory compliance.

Discussions about security and compliance disproportionately focus on businesses and enterprises, precisely because these organizations serve as central repositories for critical industrial or consumer information. Accordingly, regulations and best practices are often tied to securing this infrastructure, with consumers getting little to no attention.

However, the reality of modern cybersecurity threats is that almost all major security breaches are related in one way or another to social engineering–that is, the manipulation of people to breach data systems. Unfortunately, that doesn’t seem like it is changing any time soon.