



[Assurance] Silver and SOC2


  • From: Steven Carmody <>
  • To:
  • Subject: [Assurance] Silver and SOC2
  • Date: Mon, 12 Nov 2012 13:57:16 -0500

The Silver profile requires that any systems storing a user's password, or any systems that the user's password transits through in plaintext form, meet a number of operational and technical requirements (e.g. 4.2.3.4 (resistance of credential to guessing), 4.2.5.x, 4.2.8.2, 4.2.8.4, etc.).

Someone locally has asked me whether a data center that has been successfully audited against SOC2 would, by definition, meet all of those requirements? Well, maybe not "resistance of credential to guessing". But how many of the other requirements would it meet?

SOC2 has been described to me as an auditing standard for data center operation. It's easy to find summary descriptions of it like "SOC2 assures clients we use systems to protect their data. It audits security, availability, process integrity, privacy and confidentiality."

Has there been any discussion about having Silver rely on SOC2?

Thanks!


