Cambridge Publisher

Security Note

The following third-party tools and apps have been vetted by the DIT Security team to ensure they meet the USM IT Standards. Vetting by the DIT Security team does not mean that UMD has an enterprise-level contract in place for these third-party tools and apps.

This list is solely for products that have been assessed by the DIT Security team. A comprehensive review requires a product to be vetted for Privacy, FERPA, ADA and Procurement. Please contact the DIT Security team to initiate or follow up on the review status. 

The DIT Security team would will conduct risk assessments on cloud service providers and if the data elements used are classified as High or Restricted or if the third party application is connecting or integrated to a system that houses High or Restricted data for example (SIS or Canvas) Units or Departments  that choose to outsource technology services to third-party cloud providers. Institutions must assess, and take steps to mitigate, the risk of unauthorized access, use, disclosure, modification, or destruction of confidential institutional information. This USM IT Security standard only applies to third-party cloud technology service agreements for mission critical systems as well as where confidential information will be transmitted, collected, processed, stored, or exchanged with the cloud service provider. 

Commensurate with the risk, request and, if available, obtain, review, and document control assessment reports performed by a recognized independent audit organization. Examples of acceptable control assessment reports include (but are not limited to): AICPA SOC2/Type2, PCI Security Standards, ISO 27001/2 Certification or FedRAMP

Both the Office of General Counsel and the Department of Procurement and Strategic Sourcing advise against accepting click-through, click wrap and similar agreements to download software and apps.

Click-through and similar agreements are binding legal contracts. Only University of Maryland (UMD) personnel with delegated signature authority (not delegated purchasing authority) are permitted to sign legal agreements on UMD's behalf. Also, most click-through agreements contain terms and conditions that UMD is prohibited by law from accepting. Instead, UMD personnel should work with their business office or Procurement team to obtain appropriate contract terms, even for free software and apps.

Extensive reviews by DIT Security have found that most free software and applications do not come with security features associated with the enterprise version. Additionally, free software is rarely free. The absence of a monetary cost is typically substituted by the vendor mining the user's data. This data may be protected by federal and state laws and regulations, USM and UMD policies, or the terms of UMD's legal agreements or both.

Refer to this list of software not recommended for use by DIT Security.