Friday, February 13, 2009

Approved Software

Many companies are now imposing software images for their desktops. They have a specific set of software that is allowed on a desktop and then, using software such as Rapid7 or some other vulnerability scanner, they monitor the software on desktops and ensure that people do not load unapproved software on their systems. My question today is: what is an appropriate way to approve exceptions? I work for such a company, and they had not thought to have an alternate CD burning package approved or to have a hash generating package approved. I ran into a need for both of these. I check the MD5 hash on every update I load onto my equipment. My Windows box did not come with a hash utility, so I downloaded one. This seemed fair and reasonable. The problem I ran into was that the exception process for software exceptions to the approved list is not well defined. There is a form, but it goes to my department and is approved by who knows. My manager, maybe? If you are going to have a policy limiting software on a system, should there not be a process that tracks changes and exceptions? Should there not be a list of qualifications and guidelines for what is a valid exception? How is a decision made? Is there a review process of competitive software?

In my case my product was free, so the business justification was not a financial one. But it did have a strong security and performance implication. When you are providing a justification for something like software, it needs to have financial, security and functional justifications. The entire reason for limiting software on a desktop boils down to support from the helpdesk, threats from a malicious download, and cost. A justification needs to address those issues. Your process for an exception needs to address those issues as well. I do not see that happening at most locations. Their focus seems to be on any one of the components. Either they focus on security and lose track of the support and financial issues, or they lock in on cost and allow people to load anything under a certain price. There needs to be a balance of all three.
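As an added illustration (not code from the original post), here is what the monitoring and exception tracking described above could look like when the two are tied together: an installed-software inventory is checked against the approved list (with a file hash, as the author does for updates), anything not on the list must have a recorded exception, and an exception is only honoured when it carries all three justifications and has not expired. The package names, hashes and exception records are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

# Every exception must carry all three justifications the post argues for.
REQUIRED_JUSTIFICATIONS = ("financial", "security", "functional")


@dataclass
class SoftwareException:
    name: str
    approver: str
    expires: date
    justification: dict  # keys: financial / security / functional

    def missing(self):
        return [k for k in REQUIRED_JUSTIFICATIONS if not self.justification.get(k)]


def sha256_hex(data: bytes) -> str:
    # SHA-256 rather than the MD5 the post mentions; MD5 is no longer collision-resistant.
    return hashlib.sha256(data).hexdigest()


def classify(installed, approved, exceptions, today):
    """Return {package: status}. installed = {name: binary bytes},
    approved = {name: expected sha256 hex}, exceptions = [SoftwareException]."""
    by_name = {e.name: e for e in exceptions}
    result = {}
    for name, data in installed.items():
        if name in approved:  # on the list, but is it the approved build?
            ok = sha256_hex(data) == approved[name]
            result[name] = "approved" if ok else "approved-hash-mismatch"
        elif name in by_name:  # off the list: the exception record must be complete
            exc = by_name[name]
            if exc.missing():
                result[name] = "exception-incomplete:" + ",".join(exc.missing())
            elif exc.expires < today:
                result[name] = "exception-expired"
            else:
                result[name] = "exception"
        else:
            result[name] = "unapproved"
    return result


# Constructed sample inventory: short byte strings stand in for installed binaries.
INSTALLED = {"office-suite": b"office-suite build 1", "hash-utility": b"hash-utility build 7",
             "cd-burner": b"cd-burner build 3", "game": b"game build 2"}
APPROVED = {"office-suite": sha256_hex(b"office-suite build 1")}
EXCEPTIONS = [
    SoftwareException("hash-utility", "it-manager", date(2009, 12, 31), {"financial": "free",
                      "security": "verifies update hashes", "functional": "image has no hash tool"}),
    SoftwareException("cd-burner", "it-manager", date(2009, 12, 31), {"financial": "free"}),
]
REPORT = classify(INSTALLED, APPROVED, EXCEPTIONS, date(2009, 2, 13))
```

The cd-burner record shows the failure mode the post complains about: an exception was granted, but nobody recorded why it was safe or what it was for, so the report flags it rather than silently accepting it.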

A colleague of mine pointed out to me the other day that security is truly becoming the great facilitator of business. Our role is not just to protect the data but to protect the business processes. More and more it is our job to ensure that the systems are kept up to date, which requires that the budget process stays on track, which requires that the planning cycle is working correctly, which requires that the core product development team is working together, and they need to work with us to protect their IP. It is all connected, and it is all impacted in part by our gentle coaxing. We play a role in every department. We can come across as the brute squad or as the great ally. We manage access, connectivity, file sharing, policy, audits. We have access to more information than any user on the network. This gives us the ability to take a process such as an approved software list and expand it to a full business process. Help the help desk to improve their support functionality. Build business functionality by supporting the budget process and reducing cost by building a comparison process into the justification process. And increase security by preventing erroneous downloads and rogue software. Build a process that leverages our cross-business functionality and supports the entire organization.
