Re: [Assurance] RE: Passwords and Office365


  • From: Steven Carmody <>
  • Subject: Re: [Assurance] RE: Passwords and Office365
  • Date: Thu, 07 Mar 2013 10:51:17 -0500

On 3/6/13 3:01 PM, Etan Weintraub wrote:
> So, if my understanding is correct, then it is not something that would
> eliminate the possibility of Silver, but we must implement some type of
> policy and procedure for if it is compromised at the foreign system.
> I.e. knowing every account that is on that system, and have a policy
> that if that system is compromised, they would need to notify us, and
> then we would require all accounts in that population to change/reset
> their passwords?


Our Auditor and Security Officer have suggested that in cases like this (i.e., an enterprise password potentially passing through a data center/machine outside the control of the campus enterprise) we should ask both the data center operator and the application owner (if different) for the results of an audit using the SOC2 framework.

It is their opinion that SOC2 is much more detailed than previous frameworks (e.g., SAS-70), and that any "situation" that can prove a successful audit against SOC2 would be "more than compliant with Silver". They tell me that Google has already supplied us with a SOC2 audit, for instance.

Has anyone else thought of using this approach?
