Why You Can’t Freely Share Your SOC 2 Report

“Why can’t I share my SOC 2 report?” It’s a question we’re asked a lot, and given the time and expense of acquiring a SOC 2 report, it’s understandable. You can share it, but your report is restricted and there are good reasons behind this restriction.

SOC 2 Is a Restricted Use Report

The SOC 2 report is, by definition, a restricted use report. As such, it’s not suitable for public distribution. If you think about it, a SOC 2 report includes a detailed system description and a matrix of controls specific to your company that often includes proprietary information. From a process and security stance, it makes sense not to publish this information for your competitors or people with nefarious intentions to see. This is why if you do a Google search for “example SOC 2 report”, you can’t easily find one.

Suppose you use AWS or Microsoft Azure as your subservice organization and need a copy of their SOC 2 report. In that case, there’s a specific process to verify whether you should be given access to this information. Further, the AICPA standards look to the “intended reader” of the report and whether that reader has sufficient knowledge to understand the report’s content.

Case in point: The following excerpt is standard audit opinion language that appears in all SOC 2 reports detailing “Restricted Use.” You’ll notice that it reinforces the AICPA’s “intended reader” standards:

This report, including the description of tests of controls and results thereof in the section of our report titled “Description of Test of Controls and Results Thereof” is intended solely for the information and use of [Service Organization Name]; user entities of [Service Organization Name]’s [insert title of the description] during some or all of the period [Month XX, 20XX] to [Month XX, 20XX], business partners of [Service Organization Name]’s subject to risks arising from interactions with [Service Organization Name]’s processing system; practitioners providing services to such user entities and business partners; prospective user entities and business partners; and regulators who have sufficient knowledge and understanding of the following:

  • The nature of the service provided by the service organization.
  • How the service organization’s system interacts with user entities, subservice organizations, and other parties.
  • Internal control and its limitations.
  • Complementary user entity controls and complementary subservice organization controls and how those controls interact with the controls at the service organization to achieve the service organization’s service commitments and system requirements.
  • User entity responsibilities and how they may affect the user entity’s ability to effectively use the service organization’s services.
  • The applicable trust services criteria.
  • The risks that may threaten the achievement of the service organization’s service commitments and system requirements and how controls address those risks.

This report is not intended to be and should not be used by anyone other than these specified parties.

The Difference Between SOC 2 and SOC 3

For more general use, a SOC 3 report is an optional add-on for a SOC 2 report that omits detailed control listings and sensitive information and employs modified system descriptions. In effect, it is a summarized version of the SOC 2 Type 2 report. As such, it is defined as a “general use report” and can be distributed freely.

In contrast to the challenges of obtaining Amazon or Microsoft’s SOC 2 reports, both share their SOC 3 reports publicly.

For more information on why SOC 2 reports are restricted use and examples of other, more general alternatives, check out the AICPA’s guidance on the available SOC reports. If you’re considering a SOC 2 report, don’t hesitate to reach out to our team or visit our SOC 2 services page.

SOC 2

To satisfy a customer’s privacy requirements, EPK chose Sensiba for a SOC 2 audit.

Based in Ontario, Canada, EPK Training Solutions Inc. provides an innovative and continually evolving, on-demand learning platform to help companies increase the knowledge of their sales and customer service teams.

  • SOC 2 Readiness Platform: Drata
  • SOC 2 Type II Audit
  • SOC 3 Report

Challenge

EPK Training Solutions Inc. is an on-demand training provider specializing in helping companies improve sales and customer service. When one of its customers requested that EPK provide a SOC 2 report within 12 months in order to maintain the relationship, the company recognized a need to commit to a formal process.

EPK’s first attempt at obtaining its SOC 2 involved engaging an audit firm whose processes were largely manual and cumbersome. This initial audit firm applied the traditional approach to performing an audit: an antiquated Excel-based request list, time-consuming document requests, and limited organization of the overall SOC 2 engagement. EPK’s CTO Dave Wiese says this effort was time-consuming and frustrating because, as their deadline loomed, the company wasn’t receiving guidance and didn’t feel it was making headway on completing the audit.

“We could tell that with all of the information we were collecting, it was going to be a nightmare to organize and, ultimately, demonstrate we were following our policies and protecting our customers’ data,” Wiese says.

“The guidance and responsiveness we encountered working with Sensiba alleviated our anxiety throughout the remainder of the process. They encouraged us to call when we had questions, and I could sleep at night knowing we were on the right path and had someone in our corner.”

David Wiese, Chief Technology Officer, EPK Training Solutions Inc.

Solution

SOC 2 Readiness

After recognizing the challenges with manual data collection, and a fast-approaching deadline, EPK pivoted and began evaluating automation tools. After comparing options, they ultimately selected Drata’s SOC automation platform for data collection, analysis, and continuous monitoring. The platform provides customizable security policies and features a dashboard that helps businesses understand their compliance status and security controls by monitoring devices, applications, vendors, and risks across the company.

SOC 2 Type II Audit

After a smooth onboarding, EPK asked Drata for recommendations on a new audit partner and was introduced to Sensiba — a firm well versed in the benefits of readiness platform tools such as Drata.

“Sensiba was very responsive,” Wiese says. “They helped us identify and prioritize critical aspects of the audit, focus our efforts where it mattered most, and circle back to less urgent elements later in the process.”

While the majority of SOC 2 “trust service principles” (security, availability, confidentiality, and privacy) were addressed in the audit, Wiese says its customer was especially interested in safeguarding the privacy of its employees who were participating in the training modules EPK develops and delivers.

“While we don’t perform transactions and store sensitive payment information, we do have employee names and email addresses to protect,” Wiese says. “We and our customers understand that if any information gets out, that reflects poorly on them, and we have an obligation to protect that data.”

Result

Despite the time lost to the prior manual approach and audit firm, EPK and Sensiba, using Drata, were able to complete the SOC 2 Type II audit ahead of the customer’s deadline and provide objective confirmation that the company’s security processes and controls are effective.

The successful SOC 2 audit project has provided EPK with several benefits, including the elimination of security-related discussions during contract renewal with its customers and greater confidence in explaining its security and privacy policies to prospective customers.

Perhaps more importantly, Wiese says the audit process caused a cultural shift within EPK’s teams that placed security at the forefront of the company’s internal discussions.

“It has really focused the company to ask security questions first,” Wiese says. “When we started the process, there was some trepidation that focusing on security might make us less agile. That hasn’t happened, and now we’re talking about security in everything we do. Everyone’s bought into the value of compliance, and I’m very happy about that.”

In addition to the SOC 2 Type II, EPK also obtained a SOC 3 report to share with its sales and marketing teams.

Asked what advice he would share with other companies approaching a SOC 2 audit, Wiese says it’s important to evaluate SOC readiness tools before starting the process.

“I’d say don’t do this without a dedicated tool,” he says. “Yes, you can do an audit without a readiness platform, but it’s extremely difficult to track continuous compliance manually. Spreadsheets are great for certain things, but not for compliance monitoring because you don’t want to update a spreadsheet every day with the status of all your infrastructure. You can just automate that.”

As part of that process, he also suggests making sure the audit firm you choose is familiar with your readiness platform.

“That will set you up for success,” Wiese says. “Don’t try to nickel-and-dime the tool and professionals that will help make sure you’re compliant.”

Ready to get started?

Find out how our Risk Assurance team can help you with your compliance. Contact us to learn more about how we can work together toward your goals.

Ready for more inspiration? Dive into additional client success stories where we showcase diverse projects, innovative solutions, and the transformative impact we’ve had on businesses like yours.

SOC 2

With growing expectations it could demonstrate effective security practices, Beneration enlisted Sensiba for a SOC 2 Type II audit.

Beneration helps companies simplify the world of employee benefits and billing. Beneration’s proprietary platform offers consolidated invoicing enhanced with robust auditing technology, plus custom-built billing solutions that meet even the most complex requirements. With Beneration’s streamlined billing solutions, companies can eliminate errors, save time, and focus more on their people.

  • SOC 2 Readiness Platform: Vanta
  • SOC 2 Type II Audit

Challenge

Beneration provides a range of tools and services to assist employers, insurance carriers, and brokers in optimizing their employee benefits billing and administration.

The company has always placed a strong emphasis on maintaining the security of the sensitive employee benefit data it manages on behalf of its clients, but Beneration was looking for ways to demonstrate that commitment to prospects and customers, and to verify that it was aligning its practices to evolving industry standards. Faced with growing customer and prospect expectations that it could demonstrate effective security practices, Beneration enlisted Vanta and Sensiba to prepare for and perform a SOC 2 Type II audit.

“Any time we had a question, Sensiba walked us through it so we could figure out our situation and what we needed to do. Sensiba explained everything well and provided clarity throughout the process. We weren’t just interacting with an email address.”

Josh Winigrad, Managing Director, Beneration

Solution

“In some areas, it’s almost like filling the blanks,” says Josh Winigrad, Managing Director at Beneration. “Vanta says you’re going to need something, and highlights potential gaps so you can track down what you need or make adjustments.”

SOC 2 Type II Audit

After onboarding with the readiness platform, Vanta introduced Beneration to potential audit partners. Vanta helped Beneration clarify its needs and facilitated interviews with several firms before Beneration selected Sensiba.

“Vanta supported us by asking questions about our operation and our goals, and by suggesting potential partners for us,” Winigrad says. “The Sensiba team stood out not only for its technical expertise but also its competitive pricing and a cultural fit. We really thought they were a firm that had reasonable expectations for our first audit, but also had the capability to allow us to grow in subsequent audits. Both of us understand that security is an ongoing, iterative process.”

Result

The SOC 2 Type II audit represented a relatively straightforward process for Beneration, Winigrad says, in part because Vanta automated so much of the required data collection and analysis.

“Vanta helped us collect and organize everything in an orderly fashion, and Sensiba was there to help with any questions that came up,” Winigrad says.

“Any time we had a question, someone from Sensiba walked us through it so we could figure out our situation and what we needed to do. Sensiba explained everything well and provided clarity throughout the process. We weren’t interacting with an email address.”

The successful SOC 2 Type II audit report provides Beneration with independent, objective confirmation that its security processes and controls are effective and performing as designed.

In addition, the audit report helps the company compete in the marketplace and pursue larger opportunities. With larger organizations expecting potential vendors to have a SOC 2 Type II audit report, completing the process places Beneration on the same footing as its competitors.

As another benefit, the preparation work that fueled its first audit has positioned Beneration effectively for its ongoing security audits.

“With our connections and integrations set up in Vanta, the work we’ve done will give us capacity to make improvements in future years,” Winigrad says. “Our next audits will be more focused, which will help us improve our security processes.”

SOC 2

Clario demonstrates its commitment to protecting customer data with Vanta and Sensiba.

Clario is singularly focused on equipping mid-sized marketers with the same data, machine learning, and expertise the giants are using today to run radically customer-centric organizations whose growth is fueled by scientific experimentation, measurement, and automation.

  • SOC 2 Readiness Platform: Vanta
  • SOC 2 Type II Audit

Challenge

Clario, Inc. is a growing SaaS company, building the most intelligent audience automation platform for marketers. As a tech company, Clario understands the importance of maintaining data security, and effective policies and procedures. As they continue to build market momentum, providing customers objective evidence about Clario’s commitment to security has become increasingly important (and often a requirement) in competing for deals and responding to RFPs.

“We have a meaningful compliance regime and security controls, and we know we can speak confidently about those to clients.”

Dan Reiland, Director of IT Operations, Clario

Solution

SOC 2 Readiness

Clario had considered a SOC 2 audit in the past, but, between the lack of viable readiness tools and high costs, it couldn’t justify the investment. With the increased availability and affordability of readiness platforms in recent years, the company gained new options.

After a careful evaluation, Clario selected the Vanta readiness platform. Along with a smooth onboarding process, Vanta offers direct integration with Amazon Web Services, the cloud-based infrastructure Clario uses, as well as automated evidence collection, controls assessments, and real-time monitoring to establish a compliance baseline and prompt corrective actions that improve the company’s security posture.

SOC 2 Type II Audit

In addition to evaluating SOC readiness platforms, Clario evaluated firms to perform its SOC 2 audit. Clario wanted an audit partner that not only had technical expertise but was also aligned with its culture and work style. Based on compatibility between the teams, Clario partnered with Sensiba to conduct the examination and testing required for its SOC 2 Type 2 audit.

“Sensiba was definitely a good fit in that regard,” says Dan Reiland, Clario’s Director of IT Operations. “The Sensiba team was incredibly forthright. They were collaborative and willing to answer a variety of questions even before they were selected. Throughout the observation period, they were responsive about providing context and validation, and they completed the audit without wasting any time.”

Result

Clario has a successful SOC 2 Type 2 Audit Report, which provides objective confirmation that the company’s security processes and controls are effective.

Equally important, the company has sustainable processes and an enhanced ability to reassure customers about protecting their data — as well as their customers’ data. The company is better able to conduct ongoing risk assessments, and to adjust its policies and procedures quickly as conditions change.

“We have a meaningful compliance regime and security controls, and we know we can speak confidently about those to clients,” Reiland says. “Being able to provide that level of comfort goes a long way. We also have external validation that our controls are appropriate and performing as designed. There’s an additional comfort that was worth the effort of obtaining the audit.”

Looking back, Reiland says the process was smooth and he wishes Clario had undergone the SOC 2 audit sooner. He also says it’s important to be selective when evaluating tools and partners to help.

“The readiness platform is important, but companies should also be choosy as they interview auditors,” he says. “There’s value in those direct human interactions. It’s not necessarily just about cost. Taking the time to find the right fit is important.”

Understanding the Privacy and Confidentiality Criteria in a SOC 2 Examination

As service organizations prepare for SOC 2 examinations, understanding the roles of the Privacy and Confidentiality Trust Services Criteria (TSC) can help them manage risk more effectively and optimize the scope of SOC 2 audits.

Privacy and Confidentiality are two of the five TSCs that can be considered in a SOC 2 review. The Security criteria are mandatory, while Confidentiality and Privacy, along with Availability and Processing Integrity, are optional areas for review.

The Confidentiality and Privacy criteria, although similar in nature, have important differences that a service organization should consider as it decides which criteria should be included in an upcoming SOC 2 review.

Understanding Privacy vs. Confidentiality

It’s important for companies scoping a SOC 2 audit to understand the differences between the Confidentiality and Privacy criteria:

Confidentiality

Confidentiality refers to a service organization’s ability to secure proprietary information from unauthorized access or disclosure. The types of data that need to be secured will vary among providers, but typically include:

  • Business plans
  • Trade secrets
  • And similar forms of information.

Privacy

Privacy refers to the service organization’s ability to collect, use, retain, dispose of, and disclose personally identifiable information (PII) in accordance with client agreements as well as any applicable laws or regulations. This will typically include:

  • Customer and employee names
  • Addresses
  • Medical or financial data
  • Purchase histories
  • And similar data that can be associated with a specific individual.

When to Choose Specific Trust Criteria

Deciding whether to include one, the other, or both criteria depends on several factors, including the types of data the service organization handles on behalf of its clients and the sensitivity of that data.

For example, the Privacy TSC is important for providers that interact directly with individuals or process PII on behalf of their clients. In these instances, the service organization’s client (and their customers) will share data with the system and thus may also want to understand the steps the service organization follows to protect that sensitive data within the system.

The applicability of the Confidentiality TSC will likely vary among service organizations and their clients, but it often comes into scope when the provider is processing or using information it is contractually required to protect.

For instance, a service organization that provides purchasing software for its clients will need to secure the customers’ purchase history from unauthorized access, but with perhaps less technical rigor than it would apply to someone’s health insurance claim or personally identifiable data.

Developing Privacy and Confidentiality Controls for Compliance

After classifying data and selecting the appropriate criteria, service organizations will need to design and implement appropriate controls to ensure compliance with the Privacy and Confidentiality TSCs.

Effective Privacy controls often include policies and procedures for:

  • Obtaining and documenting customer consent for data.
  • Limiting the collection of PII to what’s needed for legitimate business purposes.
  • Cleansing non-relevant data as it’s being collected.
  • Providing individuals with access to their information, as requested.
  • Destroying information that isn’t needed or for which a legitimate purpose has expired.

Effective Confidentiality controls may vary, but often address:

  • Classifying information based on its sensitivity.
  • Restricting access to a need-to-know basis.
  • Monitoring access to stored confidential information.
  • Encrypting confidential information while it’s being shared or stored.

Choosing the right TSC, or a combination of criteria, is important in mitigating risk while also developing an effective and cost-effective scope for a cloud service provider’s SOC 2 audit.

For more information about Privacy vs. Confidentiality or if you need help preparing for your SOC audit, contact our team.

Cyber Incident Response, Business Impacts, and SOC 2

In this webinar, learn how cyber incident response and SOC 2 audits intersect with one another, the challenges and impacts we see our clients face, and ways you can automate the process with BreachRx.

SOC 2 & Risk Management

Formally identifying and addressing risk is an audit requirement, but is also a responsible exercise for your company to undertake. Download our guide and gain insight into the types of risks that should be on your radar.

5 Things to Do Prior to a SOC 2 Audit

Learn how to avoid the most common mistakes that can increase the complexity and cost of obtaining a SOC 2 compliance report.

Your customers depend on the results of SOC 2 audits as they evaluate cloud service providers, but five common mistakes — ranging from preparing improperly for an audit to ignoring ongoing risk management — can extend the audit process, increase the cost, or hinder your ability to take advantage of the assurance a SOC 2 compliance report offers your customers.

Download our white paper today to gain real-world insights from our experienced SOC 2 audit practitioners.

Improving Cloud Security Controls Before a SOC 2 Audit

With cloud service providers (CSPs) increasingly integrated into companies’ day-to-day operations, security is crucial for your organization’s success.

A SOC 2 Attestation provides assurance to customers and prospects that you are following current security practices through an objective, third-party evaluation of your compliance with the SOC 2 criteria.

Download our white paper, “Improving Cloud Security Controls Before a SOC 2 Audit,” to learn simple ways to improve your cloud security. The paper outlines:

  • The Shared Responsibility Model, including key questions to ask CSPs and common cloud threats.
  • Key controls reviewed during a SOC 2 audit, including logical access, data protection, monitoring, and endpoint and application security.
  • What a SOC 2 audit includes, and how a SOC 2 readiness platform can help you prepare.