Policy Introduction and Purpose

This Software Management Policy is a sub-policy of the University’s Information Security Policy (IS01)

It sets out the principles and expectations for the security aspects of managing software by IT staff and end users where relevant.

Scope and Definitions

This Policy applies to everyone who has a contractual relationship with the University including all employees (both full-time and part-time across all grades) and those engaged via the Variable Monthly Staff (VAM) Payroll and Unitemps/other agency contracts. It also includes visiting professors, consultants/self-employed carrying out roles which if carried out by an employee would require disclosure. For purposes of this Policy we will refer to everyone covered as “staff”.

The scope of this policy is applicable to any software which is currently being used or is being planned to be used on any University device, network or systems.

Definitions

Software management - any procurement, development, installation, regulation, maintenance or removal of software that takes place on computers owned by, managed by or for the University.

Computers -includes all end user computing devices (including personal devices that connect to the Staff Network), including tablets and smartphones, as well as servers, whether or not they are on a University site.

A glossary of the further terms used throughout the Policy can be found in Document IM03 – Glossary of Terms for Information Management.

This policy sits within the Information Management Policy Framework and should be read in conjunction with the over-arching policies IM01 – Information Management Policy of Policies and IM02 – Information Management Training Policy.

Responsibilities

Principles of this Policy

General Software Management Principles

All software, including operating systems and applications must be actively managed.

There must be an identifiable individual and deputy taking responsibility for every item of software formally deployed.

Individuals installing software themselves are responsible for that installation.

Those responsible for software must monitor relevant sources of information which may alert them to a need to act in relation to new security vulnerabilities.

Software managers are responsible for ensuring the on-going security of their software and must apply security patches in a timely manner (depending on the criticality rating of the vulnerabilities addressed by the patches and the level of exposure to the vulnerabilities).

High priority patches should either be applied within 10 working days of release or other compensatory control measures taken to mitigate risk. Staff involved in managing or developing software must be suitably skilled and specifically tasked with these duties by the University.

Software Procurement

If the procurement of new software is required, then individuals should follow the standard IT procurement process. The use of this process will ensure:

• The business requirements for new systems or enhancements are being specified
• The need for any special or essential security controls are considered
• whether proposed new software or upgrades are known to have outstanding security vulnerabilities or issues
• the ability for the software to appropriately manage records and data lifecycle requirements to ensure compliance to our Data Protection Policy (IG02) and Information & Records Management Policy (IG03)
• the basis of future support and the expected supported lifetime of the product is established

Software Installation

Checks should always be made that there is a valid licence before installing software and users advised of any special conditions regarding its usage.

Automated installs should be used wherever possible -in line with current procedures

Media/files must be stored securely and managed

Software must not be put into user service on University systems unless a department or group has assessed and committed to providing sufficient resourcing for its ongoing management. Appropriate assessment / tests should be made to avoid new software causing operational problems to other systems on the network.

Individuals installing software onto their own computers are personally responsible for ensuring they comply with all aspects of the Software Management Policy.

Software Regulation

Use or installation of unlicensed software and using software for illegal activities is strictly prohibited. Such unauthorised operations will be treated as non-compliance as a disciplinary offence.

Use of software which tests or attempts to compromise University system or network security is prohibited unless authorised by the Chief Information & Transformation Officer (CITO).

Use of software which causes operational problems that inconvenience others, or which makes demands on resources which are excessive or cannot be justified, may be prohibited or regulated.

Software found on University systems which incorporates malware of any type is liable to automated or manual removal or deactivation.

The installation and use of all software will be monitored by IT Services, to ensure we are fulfilling our licencing obligations.

Software maintenance

All changes to computer systems are subject to IT Services' established change management processes and procedures

Software must be actively maintained to ensure that all fixes and patches, needed to avoid significant emerging security risks, are applied as promptly as possible -commensurate with the risk.

Systems running software, including the operating system, which are clearly not being maintained adequately and which may be presenting a wider risk to security will have their University network connectivity withdrawn.

Software Removal

It is not permitted to connect personally owned equipment to any network socket which has not been provided specifically for the purpose. It is permissible to connect personally owned equipment to the University’s wireless networks.

Any device connected to a University network must be managed effectively. Devices which appear not to be proactively or effectively managed (proportionate to their use and nature) or which appear to represent a security or operational risk will be subject to physical or logical disconnection from the network without notice.

All devices connected to the network, irrespective of ownership, are subject to monitoring and security testing, in accordance with normal operational practices.

Permitted, regulated and prohibited use of software

The University must comply with its overriding legal and contractual obligations. Some of these obligations affect software and the uses to which it may be put. The CITO has responsibility for IT at the University, and this may include the prohibition of particular software.

Network and IT Systems Monitoring

The University (through appropriately authorised measures), will carry out relevant monitoring and/or logging in order to ensure the integrity and security of the University network and associated systems. Details of the University policy on monitoring is contained within the Investigation of Computer Use Policy (IS12).

Where systems or software do not comply with this policy then they may be disabled or access to University resources blocked.

Exemptions

‘Exemption requests’ under this policy must be submitted to the CITO or their designate. Exemptions to this policy may only be granted by the CITO or their designate. Activities that have received prior approval by the Research Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case by case basis.

Compliance Monitoring

Compliance to this policy will be monitored on an ongoing basis. The compliance focus will be on:

• Auditing the monitoring of Patch updates on software systems
• Completed Procurement requests using standard, and those using non-standard, process
• Auditing of software licenses
• Exemption requests and granting of exemptions
• Breaches of this policy

Compliance performance will be reported monthly by the Information Asset Owners to the University Information Management Committee

A failure to comply with this policy will be deemed to be a disciplinary offence and may lead to proceedings being taken through the University Disciplinary Process.