Reviewed UMD Software


 

The following Software Catalog has been vetted by the DIT Compliance team to ensure that the listed software meets the USM IT Standards. Vetting by the DIT Compliance team does not mean that UMD has an enterprise-level contract in place for these third-party tools and apps.

A comprehensive review requires a product to be vetted for Privacy, FERPA, ADA and Procurement. Send an email to it-compliance@umd.edu to initiate or follow up on the review status.

The IT-Compliance team will conduct risk assessments on cloud service providers when the data elements used are classified as High or Restricted, or when the third-party application connects to or is integrated with a system that houses High or Restricted data (for example, SIS or Canvas), for Units or Departments that choose to outsource technology services to third-party cloud providers. Institutions must assess, and take steps to mitigate, the risk of unauthorized access, use, disclosure, modification, or destruction of confidential institutional information. This USM IT Security standard only applies to third-party cloud technology service agreements for mission critical systems as well as where confidential information will be transmitted, collected, processed, stored, or exchanged with the cloud service provider.

Commensurate with the risk, request and, if available, obtain, review, and document control assessment reports performed by a recognized independent audit organization. Examples of acceptable control assessment reports include (but are not limited to): AICPA SOC2/Type2, PCI Security Standards, ISO 27001/2 Certification or FedRAMP.

Both the Office of General Counsel and the Department of Procurement and Strategic Sourcing advise against accepting click-through, click-wrap and similar agreements to download software and apps.

Click-through and similar agreements are binding legal contracts. Only University of Maryland (UMD) personnel with delegated signature authority (not delegated purchasing authority) are permitted to sign legal agreements on UMD's behalf. Also, most click-through agreements contain terms and conditions that UMD is prohibited by law from accepting. Instead, UMD personnel should work with their business office or Procurement team to obtain appropriate contract terms, even for free software and apps.

Extensive reviews by DIT Security have found that most free software and applications do not come with the security features associated with the enterprise version. Additionally, free software is rarely free. The absence of a monetary cost is typically offset by the vendor mining the user's data. This data may be protected by federal and state laws and regulations, by USM and UMD policies, by the terms of UMD's legal agreements, or by more than one of these.

Check with your local IT contact to learn about existing options UMD already offers or the appropriate steps to implement new technology. Some applications have already been approved for ELMS-Canvas integration (you need to be logged in to view this article).

Please see UMD Software Catalog for more information.