
Software Installation Policy

Document ID: SIP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Software Installation Policy is to establish requirements for the secure acquisition, approval, installation, configuration, maintenance, and removal of software used within the organization.

This policy helps reduce cybersecurity risks associated with unauthorized software, malware, licensing violations, insecure applications, and unsupported software while ensuring software supports legitimate business needs.


2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary workers
  • Interns
  • Volunteers
  • Board members
  • Vendors
  • Third-party service providers
  • Managed Service Providers (MSPs)
  • Any individual authorized to install or manage software

This policy applies to software installed on:

  • Desktop computers
  • Laptop computers
  • Servers
  • Virtual machines
  • Cloud workloads
  • Mobile devices
  • Tablets
  • Thin clients
  • Engineering workstations
  • Kiosk systems

This includes:

  • Commercial software
  • Open-source software
  • Freeware
  • Shareware
  • Browser extensions
  • Mobile applications
  • Drivers
  • Utilities
  • Scripts
  • Software agents
  • Plugins
  • Command-line tools

3. Policy Statement

Only approved software that has been authorized through the organization’s software approval process may be installed on organizational systems.

Software installations shall support legitimate business requirements, comply with licensing obligations, and meet organizational cybersecurity standards.


4. Guiding Principles

The organization follows these principles:

  • Least Privilege
  • Security by Default
  • Approved Software Only
  • License Compliance
  • Risk-Based Decision Making
  • Change Management
  • Software Accountability
  • Continuous Maintenance

5. Software Approval

Software shall be evaluated before installation.

Approval considerations may include:

  • Business justification
  • Security risks
  • Licensing requirements
  • Vendor reputation
  • Compatibility
  • Supportability
  • Privacy implications
  • Regulatory requirements
  • Operational impact

Approval shall be documented.


6. Authorized Software Sources

Software shall be obtained only from trusted and authorized sources, including:

  • Official vendor websites
  • Approved application stores
  • Authorized distributors
  • Approved software repositories
  • Internal software deployment systems

Software shall not be downloaded from unauthorized or untrusted sources.


7. Installation Authorization

Software installation privileges shall be limited to authorized personnel.

Users shall not:

  • Install software without approval
  • Circumvent administrative controls
  • Use unauthorized installation methods
  • Disable security controls to install software

Administrative rights shall follow the Least Privilege Policy.


8. Software Licensing

All software shall comply with applicable licensing agreements.

The organization shall:

  • Maintain proof of licensing where applicable
  • Prevent unauthorized software copying
  • Remove unused licensed software when appropriate
  • Periodically review software licensing compliance

Users shall not install pirated or illegally obtained software.


9. Open-Source Software

Open-source software may be used when:

  • Business justification exists
  • Security risks have been evaluated
  • Licensing obligations have been reviewed
  • Ongoing maintenance is feasible
  • The software has been approved

Where appropriate, known vulnerabilities shall be assessed before deployment.


10. Browser Extensions and Plugins

Browser extensions, plugins, and add-ons shall:

  • Be approved before installation
  • Support legitimate business purposes
  • Be obtained from trusted sources
  • Be periodically reviewed
  • Be removed when no longer required

Unapproved extensions shall not be installed.


11. Mobile Applications

Applications installed on organization-managed mobile devices shall:

  • Be approved
  • Support business requirements
  • Be obtained from trusted application stores
  • Be managed through approved device management solutions where applicable

12. Security Evaluation

Software should be evaluated for:

  • Malware
  • Known vulnerabilities
  • Vendor support
  • Security history
  • Privacy implications
  • Required permissions
  • Network communications
  • Data collection practices

Higher-risk software may require additional review.


13. Configuration

Installed software shall:

  • Follow approved security configurations
  • Disable unnecessary features where appropriate
  • Limit unnecessary privileges
  • Support logging where applicable
  • Comply with organizational security standards

Default configurations should be reviewed before production use.


14. Software Updates

Installed software shall receive:

  • Security updates
  • Bug fixes
  • Vendor-supported patches
  • Version updates where appropriate

Critical security updates should be applied in accordance with the organization’s Patch Management Policy.

Unsupported software shall be upgraded or removed.


15. Removal of Software

Software shall be removed when:

  • It is no longer required
  • It is unsupported
  • It has been replaced
  • It is identified as malicious
  • It creates unacceptable security risks
  • Its licensing expires
  • Business needs change

Removal shall follow documented procedures where appropriate.


16. Artificial Intelligence (AI) Software

AI software and browser-based AI services shall be approved before use for business purposes.

Evaluation should consider:

  • Data privacy
  • Confidentiality
  • Vendor security
  • Regulatory compliance
  • Intellectual property
  • Data retention
  • Business necessity

Unapproved AI software shall not process confidential organizational information.


17. Monitoring

The organization may monitor software installations for:

  • Unauthorized software
  • License compliance
  • Security vulnerabilities
  • Software inventory
  • Configuration compliance
  • Malware detection
  • Operational support

Monitoring shall comply with applicable laws and organizational policies.


18. Reporting Security Concerns

Users shall immediately report:

  • Unauthorized software
  • Malware infections
  • Unexpected software behavior
  • Security vulnerabilities
  • License violations
  • Unauthorized installations
  • Software compromise

Security incidents shall be handled according to the Incident Response Policy.


19. Exceptions

Exceptions require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Periodic review

20. Responsibilities

Executive Management

  • Support secure software management
  • Allocate appropriate resources
  • Promote policy compliance

Managers

  • Approve software requests where applicable
  • Ensure business justification
  • Support compliance

IT Department

  • Evaluate software requests
  • Install approved software
  • Maintain software inventory
  • Apply software updates
  • Remove unauthorized software
  • Monitor software compliance

Information Security

  • Define software security standards
  • Assess software risks
  • Review exceptions
  • Monitor software-related threats
  • Conduct compliance assessments

Procurement

  • Verify licensing requirements
  • Coordinate approved software acquisitions
  • Maintain procurement records

Users

  • Request software through approved processes
  • Use only authorized software
  • Report unauthorized software
  • Comply with this policy

21. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Removal of unauthorized software
  • Restriction of installation privileges
  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

22. Policy Review

This policy shall be reviewed at least annually or following:

  • Technology changes
  • Security incidents
  • Regulatory updates
  • Organizational restructuring
  • Audit findings

23. Related Policies

  • Information Security Policy
  • Acceptable Use Policy
  • Computer Use Policy
  • Endpoint Security Policy
  • Least Privilege Policy
  • Patch Management Policy
  • Vulnerability Management Policy
  • Change Management Policy
  • Mobile Device Policy
  • Bring Your Own Device (BYOD) Policy
  • Artificial Intelligence (AI) Acceptable Use Policy
  • Asset Management Policy
  • Incident Response Policy

Document Objective

This Software Installation Policy establishes the organization’s requirements for the secure approval, installation, maintenance, and removal of software across organizational systems. It provides a vendor-neutral framework for reducing cybersecurity risks, ensuring software licensing compliance, maintaining system integrity, and supporting secure business operations across on-premises, cloud, remote, and hybrid environments. This policy aligns with recognized security frameworks and standards, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.