RE: [Assurance] RE: Passwords and Office365


  • From: Brian Arkills
  • To: (assurance list)
  • Subject: RE: [Assurance] RE: Passwords and Office365
  • Date: Thu, 7 Mar 2013 17:35:56 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none

http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Security_Audit.htm
lists the audit certifications Office 365 has been validated against. I don't see
SOC2 listed, but SOC1 Type 2 is.

I don't have enough background on these certifications to know how relevant
the ones Microsoft already has are.

If we wanted Microsoft to add an audit certification, I'd think leveraging
the Internet2 NET+ channel might be a good idea, since it'd be a broad
community request as opposed to us all asking individually.

> -----Original Message-----
> From: [ ] On Behalf Of Etan Weintraub
> Sent: Thursday, March 07, 2013 8:48 AM
> To:
> Subject: RE: [Assurance] RE: Passwords and Office365
>
> Thanks Steve. This actually makes sense now. I'm going to pass this info
> along up the tree and see what comes of it.
>
> -Etan E. Weintraub
> Sr. Systems Engineer
> Directory Architecture
> IT@Johns Hopkins
> Johns Hopkins at Mt. Washington
> 5801 Smith Ave.
> Suite 3110B
> Baltimore, MD 21209
> Phone: 410-735-7945
> E-mail:
>
>
> -----Original Message-----
> From: [ ] On Behalf Of Steven Carmody
> Sent: Thursday, March 07, 2013 10:51 AM
> To:
> Subject: Re: [Assurance] RE: Passwords and Office365
>
> On 3/6/13 3:01 PM, Etan Weintraub wrote:
> > So, if my understanding is correct, then it is not something that would
> > eliminate the possibility of Silver, but we must implement some type of
> > policy and procedure for the case where it is compromised at the foreign
> > system. I.e., knowing every account that is on that system, and having a
> > policy that if that system is compromised, they would need to notify us,
> > and then we would require all accounts in that population to change/reset
> > their passwords?
> >
>
> Our Auditor and Security Officer have suggested that in cases like this
> (i.e., an enterprise password potentially passing through a data
> center/machine outside the control of the campus enterprise) we
> should ask both the data center operator and the application owner (if
> different) for the results of an audit using the SOC2 framework.
>
> It is their opinion that SOC2 is much more detailed than previous
> frameworks (e.g., SAS-70), and that any "situation" that can prove a
> successful audit against SOC2 would be "more than compliant with
> Silver". They tell me that Google has already supplied us with a SOC2
> audit, for instance.
>
> Has anyone else thought of using this approach?
