Educause Security Discussion mailing list archives
Re: Microsoft 365 App Approval
From: "Ullman, Catherine" <cende () BUFFALO EDU>
Date: Wed, 18 Nov 2020 21:47:43 +0000
Hi Ryan, We’re actually in the process of creating something for this purpose. It’s particularly problematic because we’re a NYS institution, which means that we have to have purchasing/legal buy-in before we can even consider installing the app. Even though the apps are generally free, we have to get an OK from them, because installing these apps, requires you to accept a license agreement for the University as a whole, which we are not allowed to do by law. (Only certain people can do that for a NYS entity.) What we’re building is essentially a mini-version of our cloud vendor questionnaire limited to the kinds of things we want to know and that might be available/described on the web page of the app (i.e. data security, retention, storage, etc.) before making the decision whether to allow the app to be added. Our expectation is that this request will be filled out by the head of IT for the area requesting the app and then pushed through some form of purchasing process, which would include a review of that questionnaire by security and operational departments before actually going onto purchasing. I know that’s somewhat vague, but I hope it’s still helpful. Feel free to email me off-list if you have other questions. Best, Cathy Dr. Catherine J Ullman Senior Information Security Forensic Analyst Information Security Office University at Buffalo cende () buffalo edu<mailto:cende () buffalo edu> From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ryan Cook Sent: Wednesday, November 18, 2020 2:24 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Microsoft 365 App Approval [Forgive the crossposting if you have seen this in other forums.] As we are getting more and more requests, we are wondering what other institutions are doing for Microsoft 365 app approval. Do you have a process in place? If so what does it look like? Do you just check for a Publisher Attestation or do something more? Have you ever said "no" to an app? If so why? Thanks, Ryan Cook -- Massachusetts Institute of Technology Information Systems & Technology (IS&T) Information Security https://ist.mit.edu/secure ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- Microsoft 365 App Approval Ryan Cook (Nov 18)
- Re: Microsoft 365 App Approval Ullman, Catherine (Nov 18)