Extensions and Application Auxiliary Services Policy
Version 1.1
For Students, Faculty, Staff, Guests, Alumni
Purpose
This policy outlines Fordham University’s position on the use of browser extensions, add-ons, plug-ins, and other auxiliary application services that may interact with University-supported platforms. It aims to protect institutional data, uphold contractual obligations, and reduce the risk of unvetted third-party services compromising IT Resources.
Scope
This IT security policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
Policy Statement
- Only software applications and auxiliary services that have been provisioned, licensed, or approved by the University, either through formal review or as part of established enterprise agreements, are authorized for use.
- The appearance of a tool within a platform’s interface or marketplace (e.g., Microsoft AppSource, Zoom App Marketplace, Google Workspace Marketplace) does not imply University approval.
- Users must consult Information Security and Assurance before enabling tools that have not been explicitly sanctioned.
- Users must:
- Confirm that a tool is included in the University’s sanctioned software list as defined in the Data Classification Guidelines2 or has been provisioned or reviewed by Information Security and Assurance.
- Not use third-party tools to access, store, or transmit Fordham Protected Data or Fordham Sensitive Data unless explicitly authorized for that purpose.
- Avoid enabling applications that request excessive permissions (e.g., file system access, identity credentials, email content) without formal review.
- Contact Information Security and Assurance if there is any uncertainty about a tool’s approval status or data compatibility.
- The University reserves the right to restrict, disable, or remove access to any auxiliary service or application that poses a risk to institutional security, privacy, compliance, or operational integrity.
- The University disclaims all responsibility and liability for consequences resulting from the use of extensions, plug-ins, or auxiliary services that are not formally approved.
- Users assume all risks, including but not limited to data loss, unauthorized disclosure, service disruption, or regulatory noncompliance.
- Policy violations, especially involving Fordham Protected Data or Fordham Sensitive Data, may result in disciplinary action and do not limit the University’s responsibility to investigate and respond to any resulting data incident.
Definitions
Extension / Add-on / Plug-in is a software module that adds functionality to an existing platform or application, typically distributed via app marketplaces or integrated stores.
IT Resources include computing, networking, communications, applications, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
Related Policies and Procedures
- Acceptable Uses of IT Infrastructure and Resources
- Data Classification Guidelines
- Data Classification Policy
Implementation Information
| Review Frequency: | Triennial |
|---|---|
| Responsible Person: | Senior Director of IT Security and Assurance |
| Approved By: | CISO |
| Approval Date: | June 11, 2020 |
Revision History
| Version: | Date: | Description: |
|---|---|---|
| 1.0 | 06/11/2020 | Initial document |
| 1.1 | 07/23/2025 | Updated policy statement and definitions |
Policy Disclaimer Statement
Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.