assurance - RE: [Assurance] RE: Passwords and Office365
  • From: Etan Weintraub <>
  • To: "" <>
  • Subject: RE: [Assurance] RE: Passwords and Office365
  • Date: Thu, 7 Mar 2013 16:48:12 +0000
  • Accept-language: en-US

Thanks Steve. This actually makes sense now. I'm going to pass this info
along up the tree and see what comes of it.

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail:



-----Original Message-----
From: [mailto:] On Behalf Of Steven Carmody
Sent: Thursday, March 07, 2013 10:51 AM
To:
Subject: Re: [Assurance] RE: Passwords and Office365

On 3/6/13 3:01 PM, Etan Weintraub wrote:
> So, if my understanding is correct, then it is not something that would
> eliminate the possibility of Silver, but we must implement some type of
> policy and procedure for if it is compromised at the foreign system.
> I.e. knowing every account that is on that system, and have a policy
> that if that system is compromised, they would need to notify us, and
> then we would require all accounts in that population to change/reset
> their passwords?
>

Our Auditor and Security Officer have suggested that in cases like this
(i.e. an enterprise password potentially passing through a data
center/machine outside the control of the campus enterprise) we
should ask both the data center operator and the application owner (if
different) for the results of an audit using the SOC2 framework.

It is their opinion that SOC2 is much more detailed than previous
frameworks (e.g. SAS-70), and that any "situation" that can prove a
successful audit against SOC2 would be "more than compliant with
Silver". They tell me that Google has already supplied us with a SOC2
audit, for instance.

Has anyone else thought of using this approach?