Issue/Question
What is the USD security policy on the Inventory and Control of Software Assets?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Inventory and Control of Software Assets
Policy Statement: The University recognizes the importance of effectively managing software assets to mitigate security risks, ensure compliance with licensing agreements, and optimize resource utilization. This policy establishes guidelines for inventorying and controlling software assets to enhance the University's security posture and operational efficiency.
Policy Implementation:
- Software Inventory:
  - The University will maintain an accurate inventory of all software assets deployed within its environment, including commercial software, open-source applications, and internally developed software.
  - The software inventory will include details such as software name, version, license type, installation location, and associated hardware.
- Licensing Compliance:
  - The University will ensure compliance with software licensing agreements by maintaining records of software licenses, entitlements, and usage rights.
  - Regular audits and reviews will be conducted to verify license compliance and identify any instances of unauthorized software usage.
- Software Deployment Controls:
  - Software deployment procedures will be established and documented to ensure that only authorized software is installed on University-owned devices.
  - Installation of software by end-users will be restricted, and requests for new software installations will be routed through formal approval processes.
  - Allowlists for software, libraries, and scripts will be used in the environment.
- Patch and Update Management:
  - The University will implement patch and update management processes to ensure that software applications are kept up-to-date with the latest security patches and enhancements.
  - Critical patches will be prioritized for immediate deployment to mitigate the risk of exploitation by attackers.
- Software Retirement and Removal:
  - Outdated or unused software will be identified and retired from the University's software inventory to reduce security risks and streamline resource utilization.
  - Software removal procedures will be followed to uninstall obsolete or unauthorized software from University-owned devices.
Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in software asset management activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of software asset management practices.
This policy provides a framework for implementing CIS Control 2 within a university environment, focusing on inventorying and controlling software assets to mitigate security risks, ensure licensing compliance, and optimize resource utilization.
Please contact the Service Desk if you need further assistance.