Educause Security Discussion mailing list archives

Re: Exchange Online


From: "Everett, Alex D" <alex.everett () UNC EDU>
Date: Thu, 13 Aug 2015 17:53:45 +0000

Thanks Jeff and Tina, the BAA is a good point and I recall that was worked on by our legal counsel also.
That certainly would need to be in place to address much of the risk.
However, I have some other concerns about risks not related to Microsoft’s storage of the data.
Also what controls or policies your institutions have considered for the risks that Microsoft will not have liability for.
I will follow up with you both.

Sincerely,

Alex

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Jeff Choo
Reply-To: The EDUCAUSE Security Constituent Group Listserv
Date: Thursday, August 13, 2015 at 1:00 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Exchange Online

Hi Alex,

We are evaluating it right now.  I would also love to see how everyone else does it.  Office 365 does offer a signed BA – 
but it seems there will be some configuration changes needed on the archiving end + email policy change + training on our 
end to make it work.  We are currently using Office 365 but have a policy that bans its use for PII/PHI.

Regards

Jeff Choo - Director, Information Technology | Information Security Officer
William James College
T - 617-327-6777 Ext. 1202
F - 617-477-2002
W - www.williamjames.edu
Jeff_Choo () williamjames edu




From: The EDUCAUSE Security Constituent Group Listserv On Behalf Of Everett, Alex D
Sent: Thursday, August 13, 2015 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Exchange Online

I am wondering if any of your organizations have sanctioned the exchange of PII or PHI via e-mail in Office 365 or are 
evaluating this.
Over time, we are seeing more security controls and features added to Office 365 and wondered if any other 
organizations had made this decision.
We have not yet made this decision and are not presently using Exchange Online/Outlook in Office 365.
If you have or have not, or if you have a policy that you could point me to, I would appreciate it.
Feel free to e-mail me directly if you don’t want to respond to all.

Sincerely,

Alex Everett, CISSP
IT Security Engineer
University of North Carolina at Chapel Hill
