Security and Privacy Risk Assessment Summary

 

OIT has performed a thorough risk assessment of Office 365 compared with the OIT-hosted local Exchange service. This chart is a summary of security and privacy risk categories. Additional documentation is available with analysis details.

Key

  • Pass = No major issues
  • Discuss = Enough concern to warrant additional review or mitigations
  • Fail = Serious concerns that cannot be mitigated

| Risk Category | On-Premise | Office 365 | Analysis |
|---|---|---|---|
| Data Management and Ownership | Pass | Pass | Even |
| Security | Discuss | Pass | Office 365 |
| Privacy | Pass | Discuss | On-premise |
| Compliance | Discuss | Pass | Office 365 |
| Incident Management | Discuss | Discuss | Mixed, with advantage to Office 365 |
| Data Recovery | Discuss | Pass | Office 365 |

Highlights of risk assessment for Office 365:

  • Microsoft may be required to produce data under legal demand and UCI may not be informed. Legal demand for data is a risk that should be clearly articulated.
  • Included in the no-cost package are e-Discovery tools for email, calendar, and Lync.  These are better than our current e-Discovery capabilities.
  • For-fee optional features: e-Discovery tools are also available for SharePoint and file storage. Office 365 offers encryption options for data at rest and for email transmission that provide increased security over the on-premise solution. These services are offered for a cost and should be considered on a case-by-case basis.
  • Microsoft has signed a Business Associate Agreement (BAA) with UCOP and is designated as a “School Official” for FERPA.
  • Microsoft will store data in the continental U.S., but data may be transported through anti-virus or anti-spam systems in other countries and some support access may be from non-U.S. regions. Office 365 is not appropriate for export-controlled data.
  • Email and access logs are a critical component of UCI incident response, and UCI will likely see a reduction in its ability to respond, especially in detecting and responding to phishing and compromised accounts.
  • Office 365 is not suitable for all data types; see Allowable Data Use. Email is never appropriate for restricted or highly sensitive data.
  • Unauthorized data exposure is still possible through inappropriate data storage or user activity.