Assurance

[Etan Weintraub <>]

Thanks Steve. This actually makes sense now. I'm going to pass this info 
along up the tree and see what comes of it.

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT@Johns
 Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: 



-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Steven Carmody
Sent: Thursday, March 07, 2013 10:51 AM
To: 

Subject: Re: [Assurance] RE: Passwords and Office365

On 3/6/13 3:01 PM, Etan Weintraub wrote:
> So, if my understanding is correct, then it is not something that would
> eliminate the possibility of Silver, but we must implement some type of
> policy and procedure for if it is compromised at the foreign system.
> I.e. knowing every account that is on that system, and have a policy
> that if that system is compromised, they would need to notify us, and
> then we would require all accounts in that population to change/reset
> their passwords?
>

Our Auditor and Security Officer have suggested that in cases like this 
(ie an enterprise password potentially passing thru a data 
center/machine outside the control of the campus enterprise) that we 
should ask both the data center operator and the application owner (if 
different) for the results of an audit using the SOC2 framework.

It is their opinion that SOC2 is much more detailed than previous 
frameworks (eg SAS-70), and that any "situation" that can prove a 
successful audit against SOC2 would be "more than compliant with 
Silver". They tell me that Google has already supplied us with a SOC2 
audit, for instance.

Has anyone else thought of using this approach ?