Educause Security Discussion mailing list archives

Re: In search of SOC-1/SSAE report for Blackboard


From: "Jim A. Bole" <jbole () STEVENSON EDU>
Date: Mon, 2 Mar 2020 20:02:20 +0000

Well, I received an interesting reply from Blackboard:

Since you are deployed on our SaaS platform with AWS, you can request a SOC2 report available via AWS Artifact from the 
account console.

To be clear this was for a general AWS SOC2. I then asked for any sort of responsibility matrix or any sort of formal 
documentation that would serve as supporting evidence/attestation that Blackboard SaaS relies solely on AWS:

Our compliance team has responded to my request, and beyond our attestation that we do use AWS exclusively for SaaS 
deployments, we don't have additional documentation to share. We are not subject to PCI compliance standards by nature 
of our business. I hope that is sufficient to satisfy your requirements.

Curious to see if others find this less than satisfying...

Jim Bole




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Thursday, January 30, 2020 10:34 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: In search of SOC-1/SSAE report for Blackboard

This email originated from outside of Stevenson University. Use caution with links or attachments unless you know the 
content is safe.
Thanks Mike. The term "SOC" report is often used loosely. I'm reaching out to our BB rep to see what they have.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Mike Nowakowski
Sent: Thursday, January 30, 2020 9:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: In search of SOC-1/SSAE report for Blackboard

Hi Jim,

SOC reports typically require an NDA to be signed, unless you are looking for a SOC 3 summary; those are typically 
available without an NDA.

If you don't have the documents requested by the auditors, you should let them know you don't have them...taking it as 
a lesson learned, the point of the audit is to see how well your organization performed its due diligence of Blackboard.

Thanks,
Mike


Mike Nowakowski
Manager, Information Systems Security
Faculty of Kinesiology & Physical Education
University of Toronto
55 Harbord Street
416-978-5034
https://www.kpe.utoronto.ca
https://securitymatters.utoronto.ca


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Thursday, January 30, 2020 9:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] In search of SOC-1/SSAE report for Blackboard

Colleagues,

Appreciate any help. Auditors in the house today :)

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
