Software Installation Policy

1.0 Purpose

The installation of unauthorized or improperly vetted software on organizational computing devices introduces significant risks. These risks include, but are not limited to, software conflicts leading to system instability or loss of functionality, the introduction of malware (viruses, spyware, ransomware), violations of software licensing agreements leading to legal liability, and the installation of tools that could compromise network security or sensitive data.

The purpose of this policy is to establish clear requirements and procedures for requesting, approving, and installing software on all organization-owned computing devices to mitigate these risks.

2.0 Scope

This policy applies to all <Company Name> employees, contractors, consultants, temporary staff, vendors, agents, and any other individuals using computing devices owned or managed by the organization. This includes desktops, laptops, servers, smartphones, tablets, and any other device capable of having software installed that connects to the organization's network or accesses organizational data.

3.0 Policy Statements

3.1 Prohibition of Unauthorized Installation

*   Users (employees, contractors, etc.) are strictly prohibited from installing any software onto organization-owned computing devices themselves. This includes downloading software from the internet, installing from removable media (USB drives, CDs/DVDs), or using personal software licenses on organizational assets.

3.2 Software Request and Approval Process

*   All requests for new software installation must follow a formal process:
    1.  The user requiring the software must obtain written approval (email sufficient) from their direct manager, confirming the business need for the requested software.
    2.  Once manager approval is obtained, the user must submit a formal request to the designated IT authority (e.g., Information Technology department or IT Help Desk) via approved channels (e.g., ticketing system, designated email).
    3.  The request should clearly state the business justification and the specific software needed.

3.3 Approved Software List

*   The designated IT authority (e.g., Information Technology department) will maintain a list of standard, approved software titles that have been vetted for security, compatibility, and licensing compliance.
*   Users should first attempt to select software from this approved list if it meets their business requirements.
*   Requests for software *not* on the approved list will require additional review and justification regarding the specific need that approved alternatives cannot meet.

3.4 IT Department Responsibilities

*   Upon receiving an approved software request, the designated IT authority (e.g., Information Technology department) is responsible for:
    *   Verifying the business need and approvals.
    *   Reviewing non-standard software requests for security risks, compatibility issues, and supportability.
    *   Procuring the necessary software licenses through approved channels.
    *   Tracking all software licenses to ensure compliance.
    *   Testing new software for conflicts and compatibility within the organization's standard operating environment where feasible.
    *   Performing the installation of the approved software onto the user's device(s).
    *   Maintaining records of installed software.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer team, Information Security, Internal Audit) will verify compliance with this policy through various methods, including software inventory scans, audits of devices, review of help desk requests and software licenses, internal/external audits, and investigation of security incidents potentially related to unauthorized software.

4.2 Exceptions

Any exception to this policy (e.g., granting specific users limited installation rights for development purposes under controlled conditions) requires formal, documented justification, risk assessment, and advance approval from the designated IT authority (e.g., Precision Computer team or Information Security).

4.3 Enforcement

*   Unauthorized software found on organizational devices will be removed.
*   Users found to have violated this policy by installing unauthorized software may be subject to disciplinary action, up to and including termination of employment or contract. Access privileges may also be restricted.

*   Acceptable Use Policy (AUP)
*   Information Security Policy (Overall)
*   Change Management Policy
*   Procurement Policy
*   Workstation Security Policy / Standard