1. Purpose
Establish requirements for maintaining a comprehensive inventory of all software assets and ensuring only authorized, supported software is installed on [ORGANIZATION]'s enterprise assets.
2. Scope
This policy applies to all software installed on or used by [ORGANIZATION]-managed assets, including operating systems, applications, browser extensions, cloud services, SaaS applications, and scripts.
3. Policy
3.1 Software Inventory Requirements
[ORGANIZATION] shall maintain a detailed inventory of all licensed and authorized software, updated no less frequently than [CUSTOMIZE: bi-annually/quarterly].
The software inventory shall record, at minimum: software title, publisher, version, installation date, business purpose, license type and count, deployment mechanism, and designated owner.
Automated software inventory tools shall be deployed to discover and document installed software across all enterprise assets where technically feasible.
The software inventory shall include both locally installed applications and authorized cloud/SaaS services.
3.2 Software Authorization
Only software that has been reviewed and authorized by [CUSTOMIZE: IT Department/Change Advisory Board] may be installed on [ORGANIZATION]-managed assets.
[ORGANIZATION] shall maintain an allowlist of authorized software. Software not on the allowlist shall be considered unauthorized unless a documented exception exists.
Application allowlisting technology shall be deployed on all [CUSTOMIZE: critical/high-risk] assets to prevent execution of unauthorized software.
For IG2/IG3 environments: Automated application allowlisting shall be configured to block unauthorized software libraries, scripts, and installers in addition to executable files.
3.3 Software Support and Currency
Only currently supported software (receiving security updates from the vendor) shall be authorized for use on enterprise assets.
Unsupported software that is necessary for business operations shall require a documented exception approved by [CUSTOMIZE: CISO/IT Director] that includes: a business justification, compensating controls, a formal risk acceptance, and a review date no more than [CUSTOMIZE: 6 months/1 year] from approval.
Software support status shall be reviewed at least monthly to identify end-of-life or end-of-support software.
A migration plan shall be developed at least [CUSTOMIZE: 6/12] months before any critical software reaches end of support.
3.4 Unauthorized Software Response
Unauthorized software discovered on enterprise assets shall be removed or receive a documented exception within [CUSTOMIZE: 5/10/30] business days of discovery.
Repeated unauthorized software installations by the same user shall be escalated to [CUSTOMIZE: management/HR] for disciplinary review.
Monthly reviews shall be conducted to identify unauthorized software on enterprise assets.
4. Compliance
Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.
Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.
5. Enforcement
Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.
[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.
6. Review and Revision
This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.
All revisions shall be documented with version number, date, author, and description of changes.
Policy Approval
Approved By: ______________________
Title: ______________________
Date: ______________________
Document Control