For us, it would depend almost entirely on the data access (and classification) involved with each app or tool.
The process might look something like this:
- request is made to add app/sub/extension/etc. to IT team, which is then shared with security team for review.
- security team to review access and, according to policy, what should be triggered next in terms of due diligence process.
- if required, vendor security review performed on vendor and risks documented and/or gaps identified for further actions and approvals (for acceptance or exceptions).
- once approved (or disqualified), next steps are on IT to deploy or not, etc.
Just kind of the overview for us, hope it helps.