Confidentiality of SOC 2 Reports: Why They Aren’t Publicly Shared

December 11, 2023

Why not just post your SOC 2 report as a downloadable version on the website to speed up the sales process?

Consider this scenario: Imagine you ran a high-security bank, and you had a set of security plans to the building – let’s say it described the locations of cameras, the gates, the type of safes, the guard patrol routes, and other safety checks in place – you would not willingly publish those plans.

Why? Of course, it would make it easy for a thief to plot a route around such protections. Additionally, it might not be fully understood or appreciated by the larger public who aren’t aware of best practices in this area.

You might decide to share the plans with a commercial customer who is considering banking with you, but has security concerns.

In the same way, it is not prudent (or, indeed, allowed) to publish your SOC 2 report as it describes your information security environment in some level of detail.

Let’s say a bad actor could just download the SOC 2 report from your website. The first thing they would check would be for controls exceptions – low hanging fruit for a ‘hacker’. If they see inconsistencies in your security awareness training plan, then phishing will be the way to go, and it will be all too easy to create a personalized email phish using the environmental information from the report. If they see patch management problems, then perhaps they will probe your network for unpatched vulnerabilities.

Infographic by Digital Guardian

But even assuming your report is completely clean, it still describes the security environment to such a level of detail that could give an attacker the information they need to compromise your systems. While there can always be some benefit from transparency of information, it comes at a cost as well, and you need to consider the impact of both sides of that coin.

Because of this, you want to ensure that the folks who receive a copy appear legitimate, have a legitimate business need, and sign an NDA to prevent unauthorized dissemination of the report.

What qualifies as a legitimate business need? Organizations typically reserve the sharing of SOC 2 reports for individuals or entities with current customers, potential clients, business partners, auditors, and regulators—those who can demonstrate a justified need and, in many cases, are bound by non-disclosure agreements (NDAs) to prevent unauthorized dissemination of the report’s contents.

In summary, the decision not to publicly share SOC 2 reports isn’t merely a matter of concealing information but rather a strategic measure to uphold the integrity of an organization’s security framework and shield against potential security risks.

Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render

Share this post

Keep reading...

policy SOC report

Building Effective Security Policies: FOMO vs. Build-as-you-Go

04/22/2024

Ever gone to check the company policy for something and found yourself lost and hopeless in a thousand page policy jungle?

Beyond Fast Audits – Prioritizing Quality in Compliance Automation

03/26/2024

In the fast-paced world of compliance automation, where promises of rapid audits abound, it’s time to pause and reconsider our priorities.

SOC 2 timeline

How long does my first SOC 2 Exam take?

03/19/2024

Determining the timeline for achieving SOC 2 compliance is a bit like asking “how long does it take to build a car?”

Security Questionnaire

SOC 2 vs. Security Questionnaire?

03/06/2024

What’s the difference and how do they match up?

Navigating Compliance in a Serverless World

02/12/2024

It may be obvious that running a ‘serverless’ environment reduces your operational responsibilities.

What is a SOC 2 Gap Assessment?

01/28/2024

A SOC 2 Gap Assessment is a high-level review of a firm’s control’s environment against SOC 2 criteria to identify existing gaps.