Due Diligence and Ongoing Monitoring

  • 1.  Microsoft Plug-ins

    This message was posted by a user wishing to remain anonymous
    Posted 08-03-2022 08:37 AM

    Does anyone have any suggestions on review processes and/or protocols for plug-ins and add-ons within Microsoft?


  • 2.  RE: Microsoft Plug-ins

    Posted 08-15-2022 11:49 AM
    For the most part, public-facing add-ins are offered by Microsoft via AppSource and according to this: "Privacy and security for Office Add-ins - Office Add-ins | Microsoft Docs", they pose little threat. However, you should always review any permissions the add-in requires to function, and that also really depends on the development of the add-in. For instance, if a company needed an Outlook add-in that was not offered through AppSource, it would fall back to performing DD on the vendor you are working with. You also need to consider privacy risks posed by the service the add-in is providing. For example, there are many add-ins for Outlook, which could be reviewing email message content, calendars, and contact lists.

    I'm always interested in hearing what others are doing for due diligence and ongoing monitoring for these types of vendors.