For us, it would depend almost entirely on the data access (and classification) involved with each app or tool.
The process might look something like this:
- request is made to add app/sub/extension/etc. to IT team, which is then shared with security team for review.
- security team to review access, and according to policy, what should be triggered next in terms of due diligence process.
- if required, vendor security review performed on vendor and risks documented and/or gaps identified for further actions and approvals (for acceptance or exceptions).
- once approved (or disqualified), next steps are on IT to deploy or not, etc.
Just kind of the overview for us, hope it helps.
Original Message:
Sent: 02-26-2025 08:02 AM
From: Anonymous Member
Subject: Unique Third-Party: Enterprise Apps, Extensions, Professional Services
This message was posted by a user wishing to remain anonymous
How are each of you handling the due diligence for requests for enterprise apps, extensions or subscriptions? These may access things like email, calendars, etc., which puts data privacy at risk.