UIS.202 Software Applications Management Policy

200. Information Systems Security

Purpose 

Georgetown University Information Services has developed and implemented the Software Applications Management policy and procedures to protect critical resources and data from threats, intrusions, and misuse in order to ensure business continuity and to minimize risk to the University’s information systems, data, and its faculty, staff, and students. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards for University applications, which include enterprise applications, workstation and server applications, and hosted and cloud-based applications. 

Scope 

The Software Applications Management policy and its supporting requirements apply to all information technology assets, software applications, systems software, and other software connected to the University network that are owned by, managed by, and/or sponsored by Georgetown. This policy also applies to the faculty, staff, researchers, affiliates, suppliers, and students who own, operate, or maintain these software applications for University business, academia, and research.

Policy 

Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each application administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

This policy sets requirements for the procurement and inventory of information systems applications, as well as for their vulnerability and compliance information, all of which are required to ensure that information systems applications meet controls sufficient to protect the University’s information systems, its networks, and the data associated with those applications.

Any University-purchased or University-sponsored applications that collect, process, transmit, or store University protected data (academic, research, and operational) will be inventoried, managed, and monitored to ensure that they are not susceptible to unauthorized access, distribution, or misuse. The higher the value of the asset or data associated with an application, or the more susceptible it is viewed to be to risk or exploitation, the higher the level of protection required for its management.

Only authorized applications are given access to the University network, its data, and its users. Unauthorized and unmanaged applications are detected and either prevented from gaining access or granted only limited access, as defined by UIS.