Information Security

 View Only
  • 1.  Managing Free Software Downloads

    Posted 02-22-2021 02:55 PM
    Hello Think Tank Community, 

    Do you have any suggestions for managing free software downloads and cloud applications that individual employees can access/ use?  How is access to free software / cloud applications handled in your environment? What controls do you have in place? Do you perform any type of due diligence risk review or legal review of the online terms & conditions?  Thanks in advance for your support on this topic. ~Melissa

  • 2.  RE: Managing Free Software Downloads

    Posted 02-22-2021 05:26 PM
    I am interested in this as well.  It's difficult to get any kind of due diligence documentation on free software and/or open-source software.  Would love to hear how others handle it.

  • 3.  RE: Managing Free Software Downloads

    This message was posted by a user wishing to remain anonymous
    Posted 02-23-2021 02:37 PM
    This message was posted by a user wishing to remain anonymous

    I would love to hear how others are doing this also. 

    We are currently trying to cut down on shadow IT and pushing all employees to only used "Company Approved" tools. In line with that push, we're instructing employees to submit a VMO request (which includes third party risk management and contract review) for ALL software/online tools, whether there is a fee associated with use or otherwise.

    The request is handled jointly with our enterprise architecture team taking the first pass and we do our best to guide employees to already approved tools. If the free tool is a necessity or the request is moving forward, the VMO uses what is publicly available to conduct due diligence (usually from the website or a wiki page), and we often reach out directly to the proposed third party for additional security information if there are confidentiality or privacy concerns.

    VMO-Legal also reviews the terms and conditions, terms of use, etc. to ensure the proposed use would not violate license terms and/or that a paid version of the software, often with more features and admin capabilities, would not bet the better option for the intended users. In my opinion this should be required on free/cloud software because the lack of fee does not change the risk associated with using the product-- in fact we tell our employees "free" is never free and our company often "pays" for its use with the data we input into the system.

    • An example of this is SurveyMonkey, which we learned from AP records that many employees were using/expensing fees for but didn't know how or why. The VMO contacted SurveyMonkey for a usage report based on company domain and learned several hundred employees had signed up for personal accounts with their work email and sometimes corporate card as payment. Using that list, we sent an email to the leaders of the primary users and determined that SurveyMonkey was primarily being used in furtherance of their job responsibilities--which did not align with the terms of a personal account and exposed our organization to unnecessary risk as we had zero access to data from personal accounts and did not have an admin portal to apply standard controls or appropriate oversight.  Additionally, we were unknowingly paying several personal use fees or reimbursing employees for personal use fees. The VMO worked with SurveyMonkey to obtain a corporate account, forced "personal accounts" with our corporate domain into the new corporate bucket on next log in, got access to all of our data and many additional features specific to business accounts that made the tool much more useful and are now able to control costs.

    We also separate out requests for trials, betas and demos of software products and provide the following general guidance: 
    Dummy Data; Not Our Environment: No License Agreement, Trial or otherwise, required. NDA is Required.
    Our Data; Not Our Environment: Company should annonymize any confidential and/or protected data prior to providing to the third party, all data sets should be reviewed by the VMO prior to providing to the applicable third party. NDA is required. License or Trial Agreement may be required, please contact the VMO for additional information.
    Our Data and/or Our Environment: If our Data cannot be annonymized or the software will be used in our environment (downloaded, installed, user/our domain email registration, etc), License Agreement will be required, in addition to an NDA. License Agreement needs to address IP Infringement and Data/Privacy Issues, destruction of data, and termination or move to production procedures, as applicable.
    Trial of enhancement or additional product with existing vendor: If trial product use is not addressed in the MSA, Trial License Agreement is required. 

  • 4.  RE: Managing Free Software Downloads

    Posted 02-23-2021 03:26 PM
    Really great information.  Thank you for sharing.

  • 5.  RE: Managing Free Software Downloads

    This message was posted by a user wishing to remain anonymous
    Posted 02-24-2021 01:32 PM
    This message was posted by a user wishing to remain anonymous

    We do a few things, 

    1. User (non Admin) accounts are unable to install software
    2. Software that is used/downloaded must have a license OR freeware ( no personal license)
    3. We have two tools to audit installed software - this is reviewed ( bi- annually I think). Basically look for anything that stands out
    4. In general , we try to avoid software that can't be vetted( either by a google search or firing it up on non-domain/sanboxed PC)

    That's just about it!