OIT has performed a thorough risk assessment of Office 365 compared with the OIT hosted local Exchange service. This chart is a summary of security and privacy risk categories. Additional documentation is available with analysis details.
- Pass = No major issues
- Discuss = Enough concern to warrant additional review or mitigations
- Fail = Serious concerns that cannot be mitigated
|Risk Category||On-Premise||Office 365||Analysis|
|Data Management and Ownership||Pass||Pass||Even|
|Incident Management||Discuss||Discuss||Mixed, with advantage to Office 365|
|Data Recovery||Discuss||Pass||Office 365|
Highlights of risk assessment for Office 365:
- Microsoft may be required to produce data under legal demand and UCI may not be informed. Legal demand for data is a risk that should be clearly articulated.
- Included in the no-cost package are e-Discovery tools for email, calendar, and Lync. These are better than our current e-Discovery capabilities.
- For-fee optional features: e-Discovery tools are also available for SharePoint and file storage. Office 365 offers encryption options for increased security over the on-premise solution for at-rest and email transmission security. These services are offered for a cost and should be considered on a case-by-case basis.
- Microsoft has signed a Business Associate Agreement (BAA) with UCOP and is designated as a “School Official” for FERPA.
- Microsoft will store data in the continental U.S., but data may be transported through anti-virus or anti-spam systems in other countries and some support access may be from non-U.S. regions. Not appropriate for export-controlled data.
- Email and access logs are a critical component to UCI incident response, and UCI will likely see a reduction in ability to respond, especially to detecting/responding to phishing and compromised accounts.
- Office 365 is not suitable for all data types, see Allowable Data Use. Email is never appropriate for restricted or highly sensitive data.
- Unauthorized data exposure is still possible through inappropriate data storage or user activity.