Educause Security Discussion mailing list archives

Re: Microsoft 365 App Approval


From: "Ullman, Catherine" <cende () BUFFALO EDU>
Date: Wed, 18 Nov 2020 21:47:43 +0000

Hi Ryan,

We’re actually in the process of creating something for this purpose.  It’s particularly problematic because we’re a 
NYS institution, which means that we have to have purchasing/legal buy-in before we can even consider installing the 
app.  Even though the apps are generally free, we have to get an OK from them because installing these apps requires 
you to accept a license agreement for the University as a whole, which we are not allowed to do by law.  (Only certain 
people can do that for a NYS entity.)

What we’re building is essentially a mini-version of our cloud vendor questionnaire limited to the kinds of things we 
want to know and that might be available/described on the web page of the app (i.e. data security, retention, storage, 
etc.) before making the decision whether to allow the app to be added.  Our expectation is that this request will be 
filled out by the head of IT for the area requesting the app and then pushed through some form of purchasing process, 
which would include a review of that questionnaire by security and operational departments before actually going on to 
purchasing.

I know that’s somewhat vague, but I hope it’s still helpful.  Feel free to email me off-list if you have other 
questions.

Best,
Cathy


Dr. Catherine J Ullman
Senior Information Security Forensic Analyst
Information Security Office
University at Buffalo
cende () buffalo edu



From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Ryan Cook
Sent: Wednesday, November 18, 2020 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Microsoft 365 App Approval

[Forgive the crossposting if you have seen this in other forums.]

As we are getting more and more requests, we are wondering what other institutions are doing for Microsoft 365 app 
approval.

Do you have a process in place? If so, what does it look like?

Do you just check for a Publisher Attestation or do something more?

Have you ever said "no" to an app? If so, why?


Thanks,
Ryan Cook
--
Massachusetts Institute of Technology
Information Systems & Technology (IS&T)
Information Security
https://ist.mit.edu/secure



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
