PURPOSE:
This Software Management Policy outlines the standards and procedures for acquiring, deploying, managing, and retiring software within Idaho College of Osteopathic Medicine (ICOM) (the “Institution”). The purpose of this policy is to ensure that software is acquired and used in a secure, compliant, cost-effective, and efficient manner, supporting the Institution’s mission while mitigating risks associated with software vulnerabilities, licensing violations, and inefficient software management practices. Effective software management is crucial for maintaining system security, data integrity, regulatory compliance, and responsible resource utilization. This policy applies to all software used within the institutional environment, including on-premises software and cloud-based Software as a Service (SaaS) applications.
SCOPE:
This policy applies to all software used to support the operations, academic mission, research, and administrative functions of ICOM, including but not limited to:
- Operating systems
- Productivity applications (e.g., office suites, collaboration tools)
- Academic and research software
- Administrative and business applications
- Security software (e.g., anti-malware, firewalls)
- Utility software
- Software as a Service (SaaS) applications
- Mobile applications used for institutional purposes
- Software installed on institutionally owned devices and, where applicable, personally owned devices used for institutional purposes (BYOD).
This policy applies to all individuals who acquire, deploy, manage, use, or support software within the Institution, including but not limited to:
- Faculty
- Staff
- Administrators
- Students (regarding software use and limited acquisition in specific contexts)
- IT Department
- Departmental IT Support Staff
- Software Administrators
- System Administrators
- Researchers
- Contractors and Vendors providing software or software-related services.
DEFINITIONS:
- Freeware: Software that is made available free of charge, but may have restrictions on usage, distribution, or modification. Freeware licenses may vary and should be reviewed carefully.
- License (Software License): A legal agreement that specifies the terms and conditions under which software can be used, including permitted uses, restrictions, and fees.
- Open Source Software: Software with source code that is made available to the public for use, modification, and distribution under a specific open-source license. Open-source licenses vary and should be reviewed to understand usage rights and obligations.
- SaaS Application (Software as a Service): A software delivery model in which software is hosted by a vendor and made available to customers over a network, typically the internet, usually on a subscription basis.
- Shadow IT (Shadow Information Technology): Information technology systems and solutions built and used within organizations without explicit organizational approval or IT department oversight. This often includes unauthorized SaaS application adoption or software installations.
- Software (Software Application): A set of instructions or programs that tell a computer what to do. This includes operating systems, applications, utilities, and other types of executable code.
- Software Asset Management (SAM): The systematic process of managing, controlling, and protecting software assets throughout their lifecycle, including acquisition, deployment, usage, maintenance, compliance, and retirement.
- Software Inventory: A comprehensive list of all software installed and used within the institution, including details such as software titles, versions, licenses, installation locations, and vendor information.
- Unsupported Software: Software versions that the vendor no longer provides security updates, patches, or technical support for. Using unsupported software can pose significant security risks.
- Unauthorized Software: Software that has not been approved by the ICOM IT Department or designated authority for use on institutional systems or networks, or software that violates licensing agreements.
- Volume Licensing: A type of software licensing that allows organizations to purchase multiple licenses for software at a discounted price.
POLICY:
Software Acquisition and Approval:
- Centralized Software Acquisition (Preferred): Whenever feasible, software acquisition should be centrally managed and coordinated by the IT Department to ensure compliance, security, and cost-effectiveness.
- Approval Process: All software acquisitions, including new software, upgrades, and SaaS subscriptions, must be reviewed and approved by the IT Department prior to purchase or deployment. Approval processes will consider:
- Business need and justification.
- Security requirements and vulnerability assessments.
- Compliance with licensing agreements and relevant regulations.
- Compatibility with existing institutional systems and infrastructure.
- Total cost of ownership (including licensing, implementation, support, maintenance, and
potential infrastructure costs). - Data privacy implications and data security controls.
- SaaS Application Acquisition: Acquisition of SaaS applications must follow the same approval process, with additional emphasis on:
- Vendor security posture and security certifications (e.g., SOC 2, ISO 27001).
- Data privacy and security controls implemented by the SaaS vendor.
- Service Level Agreements (SLAs) and vendor support terms.
- Data export and migration capabilities.
- Freeware and Open Source Software: While freeware and open-source software may offer cost savings, their use must still be reviewed and approved to ensure security, licensing compliance, and suitability for institutional use.
- Prohibited Software Acquisition: Acquisition of software from untrusted or unauthorized sources, or software that violates institutional policies or legal requirements (e.g., pirated software, software with known security risks), is strictly prohibited.
Software Installation and Deployment:
- Standardized Deployment Methods: Software deployment should utilize standardized and secure methods to ensure consistency, reduce errors, and facilitate management. Approved deployment methods may include:
- Centralized software deployment tools (e.g., Mobile Device Management (MDM) tools, endpoint management solutions).
- Managed application stores or self-service portals (for approved software).
- Scripted installations and automated configuration management.
- Software Inventory Management: The IT Department will maintain an inventory of all institutionally managed software. This inventory will include both on-premises software and SaaS subscriptions.
- SaaS Application Deployment and Access Management: Deployment of SaaS applications involves managing user access and provisioning. The IT Department will manage user accounts, roles, and access permissions within SaaS applications, with support from the appropriate Data Custodian, and integrate SaaS application access with institutional identity management systems (Single Sign-On) where possible.
Software Usage and Acceptable Use:
- Compliance with Licensing Agreements: All software must be used in compliance with its associated license agreements. Software licensing will be actively managed to ensure compliance and avoid legal or financial penalties.
- Acceptable Use Policy Adherence: Software must be used in accordance with the ICOM’s Acceptable Use Policy and all other relevant institutional policies and procedures.
- Prohibited Software Usage: The use of software that violates institutional policies, legal requirements, or ethical standards is prohibited. This includes, but is not limited to:
- Pirated or unlicensed software.
- Software used for illegal activities (e.g., copyright infringement, hacking).
- Software that violates data privacy regulations (e.g., unauthorized data collection or sharing).
- Software that poses a security risk to institutional systems or data (e.g., known malware distributors, unvetted software).
- Software for Personal Use on Institutional Devices: Installation and use of personal software on institutionally owned devices may be restricted or subject to approval to maintain security and system performance.
Software Maintenance and Updates:
- Patch Management Policy Compliance: Software patching and updates will be managed in accordance with the Institution’s Patch Management Policy. Timely patching of software vulnerabilities is critical for security.
- Software Version Management: Maintain current and supported versions of software whenever possible. Plan for upgrades and migration from end-of-life or unsupported software versions to mitigate security risks and compatibility issues.
- SaaS Application Updates: Recognize that SaaS application updates are typically managed by the vendor. Monitor vendor communications regarding updates and planned maintenance windows. Verify that SaaS vendors maintain current and secure software versions.
Software Retirement and Removal:
- Software Retirement Planning: Plan for the retirement and decommissioning of software that is no longer needed, is outdated, or poses security risks. Retirement planning should include:
- Identifying replacement software (if needed).
- Migrating data from the retiring software to replacement systems or secure archives.
- Decommissioning software licenses and subscriptions.
- Properly uninstalling software from systems.
- Securely disposing of any data associated with the retired software in accordance with Data Retention and Destruction Policy.
- Software Removal Procedures: Establish procedures for the proper removal and uninstallation of software from systems, ensuring complete removal and preventing residual security vulnerabilities or licensing compliance issues. Use automated uninstall tools where possible.
- SaaS Subscription Termination: When terminating SaaS subscriptions, ensure proper procedures are followed to:
- Export and securely archive any institutional data stored within the SaaS application, if needed, and in compliance with data retention policies.
- Properly terminate user accounts and access permissions within the SaaS application.
- Confirm subscription cancellation and avoid continued billing.
Software License Management:
- Centralized License Management: Maintain a centralized system or process for tracking software licenses, subscriptions, and usage. This includes licenses for on-premises software and SaaS subscriptions.
- License Compliance Audits: Conduct periodic software license audits to ensure compliance with license agreements and identify any potential licensing gaps or overspending.
- License Optimization: Optimize software license utilization by reclaiming unused licenses, consolidating licenses where possible, and leveraging volume licensing agreements.
- SaaS Subscription Management: Actively manage SaaS subscriptions, track user licenses, monitor usage, and optimize subscription levels to align with actual needs and avoid unnecessary costs.
ENFORCEMENT:
Enforcement of this Software Management Policy is the responsibility of all managers, supervisors, IT administrators, software administrators, system administrators, department heads, and software users, under the overall direction of the Chief Information Officer. Acquisition or use of unauthorized software, violation of licensing agreements, failure to follow software management procedures, or other policy violations may result in disciplinary actions, up to and including warnings, revocation of software privileges, suspension of system access, and termination of employment or access privileges, and potential legal or financial consequences for the Institution and individuals. The IT Department will monitor compliance with this policy, track software inventory and licensing, and investigate reported violations or software management deficiencies.
POLICY REVIEW AND UPDATES:
This Software Management Policy and associated procedures will be reviewed and updated at least annually, or as needed to reflect changes in software technologies, licensing models, security threats, regulations, institutional risk assessments, business needs, or best practices in software asset management. The IT Department is responsible for coordinating policy reviews and updates, in consultation with relevant stakeholders.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL:
Effective: 7/8/25
Last Reviewed: 7/8/25
Review Requirement: Annual