DropBox

[Mando]

Of course I mean sftp....wouldn't have it any other way with a ftp for corp. Cloud storage just transfers the endpoint from something that I can wrap my hands around to the cloud of which I have 0 control over. Some things can go to the cloud, a lot that is here can't. FDA is a bitch.

I hear you re: FDA they are a nightmare to comply with, I have the exact issue in my position, Biomed research where 90% of our business is in the USA and FDA compliance is a must.

Try telling our MD that he shouldn't be using his "free" dropbox account for sensitive info between a closed network system such as ours and his sodding Ipad. Ive spoken to him at length about the perceived risks (esp as we have VPN & sharepoint!) yet he still insists its not an issue.

Ive asked for it in writing from him. For justification for data compliance audits, FDA audits and even worse Deloittes security audits. If that doesn't make him think, perhaps our new CIO can force his hand and head out of his corporate ass!

im just waiting for us to fail an FDA audit or worse due to him "thinking" we have no trade secrets, heh im sure our competitors would LOVE to know our research programs on new markers for worldwide markets.

[Dashel]

https://www.microsof...36&langid=en-us

The Trust Center does not apply to these Office 365-branded Microsoft online services:

Office 365 ProPlus enables access to certain cloud features, like roaming settings and consumer cloud services like SkyDrive, to which the Trust Center does not apply.

And talk about burying it deep, they sound all yeah we are HIPAA, aren't we the greatest -- when it comes down to it, there is a LONG list of stuff that does not comply and read the above link of stuff that does not fall under their "trust center"

When you allow the ability for user to share something, I don't think its possible to be HIPAA.. Since you have no control of who they share what with, etc.

SkyDrive Pro (business - quite a supported list) was the distinction, Office365Pro doesn't get that edition since its not a business plan (necessarily), only the consumer SharePoint with the typical limitations. MS is ahead in the security game comparatively - and they are the only ones that provide not only on premise, but hybrid.

HIPAA doesn't care about sharing as much as data at rest. The user, as xeno noted, is already under multiple agreements to protect said info.

Mando, maybe if you remind him its up to what, 250K per incident, he might take it a wee bit more seriously. Especially after the fine they levied on that non-profit in Idaho earlier this year.

[moloko]

Every job I have had since DB was big has blocked it. Really a pain the in @ss but that is the way it is.

[sc302 Veteran]

SkyDrive Pro (business - quite a supported list) was the distinction, Office365Pro doesn't get that edition since its not a business plan (necessarily), only the consumer SharePoint with the typical limitations. MS is ahead in the security game comparatively - and they are the only ones that provide not only on premise, but hybrid.

HIPAA doesn't care about sharing as much as data at rest. The user, as xeno noted, is already under multiple agreements to protect said info.

Mando, maybe if you remind him its up to what, 250K per incident, he might take it a wee bit more seriously. Especially after the fine they levied on that non-profit in Idaho earlier this year.

Maybe you don't know...dealing with FDA and the DEA, they can shut you down forget being fined how about no longer working and no job for anyone. Comparing HIPPA regs to FDA and DEA regs, is like comparing Kindergarden to College. How would you like to be surrounded by feds in black suits evacuating everyone and putting a pad lock on the doors. Go tell the president of the company what is going on and have his signature, not the doctors, then you will not be held liable for what that doctor is doing. The doctor is a peon, a normal user, doesn't matter how many phd's the guy has....this is how it has been explained to me, you don't go in his lab mucking things up don't let him go to your lab to muck things up. Anything that goes against CFR part 11 will get scrutinized. Below is just one part, although vague, basically it says anyone using a system to do anything with electronic records needs to be able to maintain integrity, authenticity, and confidentiality. When you don't know where something is you cannot control this, if you do not have stringent rules in place you cannot control this, and if you put this on a system that you do not control or have the ability to control the entire life cycle of the document you cannot control this. Although vauge, you cannot go outside the defined rules and regulations stipulated here. I am no expert, I am still learning what can and can't be done. I have a copy of the 400 page CFR part 11 rules on my desk at all times to remind me that we are governed. Don't screw with the rules and you won't get burned.

Sec. 11.30 Controls for open systems.

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate, and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.

[+BudMan MVC]

"SkyDrive Pro (business - quite a supported list)"

Where is that on the trust center list?? I do see anything about skydrive "pro" And only thing I see is that skydrive is NOT part of trust center.

Any other Microsoft service that we do not list above as being covered by the Trust Center, such as Windows Azure Services Platform, Windows Intune, SkyDrive, Skype, Outlook.com, MSN, MarketingPilot, Microsoft Dynamics Marketing, CustomerSource, or Xbox. Your use of such services is governed by a separate privacy statement. The Trust Center does not apply to any aspect of these other Microsoft services.

[Dashel]

SC, clearly those requirements fall under the more institutional control category which I did disclaim. You are right though, HIPAA is a mid-range requirement in comparison.

BudMan, any business\enterprise package falls under the Trust Center, including Sharepoint13/SkyDPro.

Office 365 Enterprise plans, except for Office 365 ProPlus see more detail)

o Office 365 Enterprise Plans are E1, E2, E3, E4, K1, and K2

? Office 365 Education Plans, except for Office 365 ProPlus (see more detail)

o Office 365 Education plans are A2, A3, and A4

? Office 365 Government Plans, except for Office 365 ProPlus (see more detail)

o Office 365 Government Plans are G1, G2, G3, G4, K1, and K2

? Office 365 Midsize Business, except for Office 365 ProPlus (see more detail)

? Office 365 Small Business

? Office 365 Small Business Premium, except for Office 365 ProPlus (see more detail)

The Trust Center also applies to the following Microsoft online services:

? Microsoft Dynamics CRM Online

? Exchange Online Plans

o Exchange Online Plans are 1, 2, Basic, and Kiosk

? SharePoint Online Plans

o SharePoint Online Plans are 1, 2, and Kiosk

? Lync Online Plans

o Lync Online Plans are 1, 2, and 3

? Office Web Apps Plans

o Office Web Apps Plans are with SharePoint Online (Plan 1) and with SharePoint Online (Plan 2)

? Project Online

? Exchange Online Protection

[+BudMan MVC]

^ skydrive is NOT mentioned in what you listed. But it is clearly listed at least twice saying its NOT under trust center.

They could clearly word that better, from what I can tell skydrive pro gives you access to your professional library that is stored on sharepoint, be it company server or cloud. But that is not spelled out very well in their listing of trust center products.

If you ask me its very amateurish of them in how they document their products ;) hehehehehe

[Dashel]

SkyDrive Pro is Sharepoint ;) I agree, their packaging and docs don't help matters.