This is the final post in my series on IT security policies. The other two posts examined good e-mail and Internet policies. Today, I look at the software policy, which I call "the forgotten policy" because every time I have had to talk to an employee about downloading unapproved software, I hear, "Oh, I forgot." Every policy I have read has said something about not loading unapproved software. But most employees take this to mean only software that they download from the Web. It also covers an employee's personal software and any beta software.
Then there is the whole open source issue. Employees download open source software and agree to its license. So in effect, they accept the license terms themselves and then load the software on their company's computer, putting the company in the middle of a license it never reviewed.
A good software policy should at least do these five things:
1. Make it clear that software not owned by the company cannot be used on company-owned computers. This includes personal and open source software.
2. State that if open source software is needed, the company's counsel should review all licenses.
3. Clearly state what will happen if unauthorized software is downloaded onto company equipment.
4. If desktops are going to be monitored, state how they will be monitored and who will view the logs.
5. If systems are given out for take-home use, state that the same rules apply.
If software does need to be downloaded, and it will be, then there must be a clear procedure that is followed every time. For example, a request should be submitted to the IT department. IT downloads the software and puts it into a test environment, where it should obviously be checked for malware. In addition, it should be checked for interoperability with the other desktop software to see whether there are conflicts before it is approved for use.
In closing my series, keep in mind that policies should not be created just to meet a lawyer's requirement to have them. They need to be usable. IT security policies should not be an impediment to doing business. That being said, as security professionals, we are paid to protect company assets, and this comes before anything else.