
Publication Summary

Title Software Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc. 0.1
Review freq. Yearly

Date of issue December 11, 2023
Owner CEO/Founder
Document status Draft – Final Draft - Final
Approval Date n/a
Classification Internal

Change Log

Version | Date | Author | Comments
0.1 | October 23, 2023 | Olaf Jacobson | First draft document

Table of Contents

Publication Summary

1 Introduction

1.1 Purpose of this document

1.2 Areas of the standard addressed

2 Software policy

2.1 Purchasing software

2.2 Software registration

2.3 Software installation

2.4 Removal of software

2.5 In-house software development

2.6 Modifications to software packages

2.7 Use of software in a cloud environment

1 Introduction

Soon Technologies B.V. uses many types of computer software to perform its business operations and always relies upon the correct functioning and security of that software. It is imperative therefore that steps are taken to ensure that only approved software is used within the organization and that no classified information is put at risk.

This policy sets out how software will be acquired, registered, installed and developed within Soon Technologies B.V.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

1.1 Purpose of this document

This document defines the organization’s policy in respect of the use and management of computer software.

1.2 Areas of the standard addressed

The following areas of the ISO/IEC 27001 standard are addressed by this document:

  • A.5 Organizational controls

      • A.5.1 Policies for information security

  • A.8 Technological controls

      • A.8.19 Installation of software on operational systems

      • A.8.32 Change management

2 Software policy

2.1 Purchasing software

All computer software to be used within the organization must be purchased through [Service Provider]. This is necessary to ensure that:

  • Licensing requirements are addressed

  • The software works effectively with the standard corporate software image

  • Use of the software can be supported by the [IT Service Desk]

  • Best value for money is obtained in procurement

  • A record is kept of installed software within the organization

Under no circumstances will software be purchased using local departmental budgets.

2.2 Software registration

All software in use within Soon Technologies B.V. must be correctly licensed. This is a legal requirement and compliance is monitored by various industry bodies including FAST (Federation Against Software Theft).

All installed software programs will be registered in the name of the organization, not the individual. Purchased software is a corporate asset and licenses will frequently be reused as the shape of the organization changes.

Under no circumstances must corporate software be copied (other than for backups) or installed for use on non-corporate machines, such as at home.

[Service Provider] will maintain a register of all licensed software within the organization and licensed copies of media such as DVDs.

Asset and mobile device management software will be used to keep track of all installed instances of software titles and regular audits will be carried out. Any user with unlicensed software installed will be asked to remove it; it is the responsibility of users to ensure that all the software on their computer equipment is licensed.

2.3 Software installation

Where appropriate, users will be permitted to install software from approved app stores, such as Microsoft Store, or from an enterprise-specific store created for this purpose.

In some circumstances, licensed software may be installed by the [IT Service Desk] or appropriate technical team or supplier upon request and once any required licenses have been purchased.

Software will not be installed prior to a valid license being ordered.

The user must not attempt to install any software that is licensed to them personally, whether it is free, shareware or commercial. This includes evaluation versions of software programs.

2.4 Removal of software

If a software program is no longer required, the [IT Service Desk] must be informed. The software will then be removed from the device in question and where possible the license will be re-used elsewhere within the organization.

Users must not remove licensed software from their devices without informing the [IT Service Desk] as this potentially represents a waste of a corporate asset.

2.5 In-house software development

Soon Technologies B.V. develops its own software for particular purposes where a commercial package is not available or does not fulfil the identified requirements. In such cases a structured development method will be used to ensure that software is developed to organizational standards and is tested and implemented in a managed way.

Alterations to in-house developed software such as the addition of fields or screen changes may be requested through the change request process. This process is described in the document Change Management Process.

Changes to in-house developed software must not be made without following the change management process.

2.6 Modifications to software packages

Changes to Commercial Off the Shelf (COTS) software packages will not be made unless absolutely necessary, in which case they will be strictly managed and controlled. Where possible and commercially viable, changes will be made by the software vendor and supplied as standard updates.

2.7 Use of software in a cloud environment

Any applicable cloud-specific licensing requirements must be identified prior to installing software within a cloud environment. This is particularly relevant in circumstances where the cloud service provision is elastic, i.e. the processing capacity increases and decreases with demand.