student developed apps going commercial ...
whcurry at ufl.edu
Thu Apr 24 15:03:59 EDT 2014
We have had a few of these cases come up. Generally, we have allowed an on-campus presence with the oversight of the CISO and CIO office and a risk review of the application. If they choose to proceed with an on-campus situation they must submit to UFIT oversight. If they go beyond that (there are a couple I am aware of) then they become a vendor and go through the external vendor process and agreements for risk, privacy, etc., just like any other vendor's off-campus application. As for attributes... The level of risk is determined by the attributes required. If HIPAA, FERPA or the like become involved, scrutiny goes up, agreements for usage and/or a BAA go into place depending on the case, and our standard procedures apply.
Lastly, a slightly different category exists where the work is not on UF machines. They do not get data from UF. The user/student voluntarily provides their info to the app. In general this is out of UF's concern. In a couple of cases, they provided features which effectively were phishing the credential, presumably in an innocent yet unacceptable manner. In this case we had the CISO address this with the student author and communicated to the population. Essentially a "cease doing this activity." This meant change the wording and do not ask for the UF credential; go completely independent... This has not been a big problem but has come up a couple of times in the not distant past.
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Steven Carmody
Sent: Thursday, April 24, 2014 2:47 PM
To: users at shibboleth.net
Subject: student developed apps going commercial ...
I'm guessing we're not the only campus facing this situation ...
Students develop web-based apps for the community. Initially these apps run on campus-owned machines, and we agree to release to them the set of attributes our policy allows us to release to on-campus apps.
The app sees some success, and the students decide to take it commercial. They'll make it available to multiple campuses.
Interestingly, though, their business model doesn't have them signing contracts with each campus, or any campus; they make their money some other way.
As part of that transition, though, they lose the "on-campus app" tag that we've applied. That means we won't release attributes to them.
But we don't have a standard commercial contract with them. Still, to allow them into our metadata we have some leverage, and could require that they sign some form of agreement. It could be a contract, or could be as simple as an NDA referring to the attribute values we release.
We would also probably require that they provide answers to our standard cloud-based vendor form -- that's not a full-blown audit, but we do want to know something about their operational practices.
Finally -- the question -- how are other campuses handling this situation?
Thanks for any info you can share!