UIS.202.1 Software Applications Management Guidelines
In support of UIS.202 Software Applications Management Policy
Georgetown University has adopted the security audit and accountability principles established in NIST SP 1800-5 “IT Asset Management” control guidelines as the official policy for this security domain. Each application administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Software Management Requirements
UIS will maintain an up-to-date list of all authorized software that is required for university business purposes on any university-managed system. UIS will utilize software inventory tools throughout the university to automate the documentation of all software on university-managed systems.
UIS will ensure that the software inventory system tracks the following information at a minimum:
Install date for all software
Authorized operating systems
UIS will ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the university’s authorized software inventory. Unsupported and unauthorized software will be tagged as unauthorized in the inventory system.
UISO will ensure that unauthorized applications are identified and prevented from accessing University systems and/or data or are provided limited access to University resources.
Software patches that address significant security vulnerabilities are prioritized, evaluated, tested, documented, approved and applied promptly to minimize the exposure of unpatched resources.
Ensure currently-supported and patched software is installed to mitigate vulnerabilities and to reduce the risk of malicious activity.
Perform periodic scans of the information system weekly and real-time scans of files from external sources at endpoint and network entry/exit points as the files are downloaded, opened, or executed in accordance with UIS security policy.
Either block or quarantine malicious code and send an alert to the administrator in response to malicious code detection.
Allow users to manually perform scans on their workstation and removable media.