Software Life Cycle Policy
Initially approved: August 24, 2015
Revised and Renamed: September 24, 2024
Policy Topic: Information Technology
Administering Office: Division of Information Technology/Office of the CIO
I. POLICY STATEMENT
It is the policy of Western Carolina University (“WCU” or the “University”) to ensure
that its software assets are developed, used, and maintained in compliance with all
applicable software licensing laws and agreements, and that these technology resources
are used effectively to further the University's mission.
II. SCOPE AND APPLICATION
This policy shall apply to all software utilized by the WCU community including,
but not limited to, the acquisition and/or adoption of software under any one or more
of the following circumstances:
- software that is installed on any endpoint device.
- software that is used via the network local to WCU or the Internet.
- software that makes use of sensitive, confidential, or privileged data or information.
III. DEFINITIONS
“Acquisition” or “adoption” means a software asset that is purchased or obtained (including software
that is free), by either WCU or individuals, to be used academically, administratively,
or for the purposes of research, scholarship, or creative works.
“Application” - See also “software”
“License” means a legal instrument which governs the use or redistribution of software.
“Software”, “Software Asset”, “Application” means a computer program, add-on, or collection (suite) of programs that can be
accessed through a website, installed on laptop/desktop computers, on mobile devices
(such as tablets or smartphones), or on a server environment (either within WCU or
hosted elsewhere).
IV. ACQUISITION/ADOPTION LIFECYCLE
- Per ISO 27002, WCU’s adopted information security framework, all software assets should
be inventoried to support risk management, audit activities, vulnerability management,
incident response and recovery planning. Therefore:
  - WCU Division of Information Technology (DoIT) shall maintain an inventory of all software
    assets installed on WCU-owned endpoint devices.
  - WCU DoIT shall maintain an inventory of contracts for all IT services and software
    assets.
  - If software is identified on a WCU-owned endpoint device that is not in the inventory,
    then the software must be removed from the device, or go through the software review
    process to be added to the inventory.
  - If security vulnerabilities are detected in software, or if known deprecated versions
    of software are identified on WCU-owned endpoint devices, then it is the user’s responsibility
    to update the software to a non-vulnerable/secure state or remove the software from
    the device.
  - Given the item above, software asset owners must maintain a contract or license agreement
    that allows for the software asset to be updated to the latest secure version, or remove
    the software from the device.
- In order to maintain the required inventory as described above, the following process
must be followed for adoption and approval of all software.
  - Employees or University administrative units (i.e., divisions, departments, offices)
    who are acquiring software must submit a request at http://go.wcu.edu/itsoftwarereview or contact the WCU IT Help Desk at (828) 227-7487 prior to acquiring the software.
  - In recognition of the diverse uses of software on campus, the Division of Information
    Technology agrees to the timely facilitation of a customized intake process that indicates
    appropriate steps for software acquisition, adoption, and approval.
  - Oversight of the software acquisition process will be managed by the appropriate unit
    within the Division of Information Technology, as designated by the Chief Information
    Officer.
  - The employee or administrative unit acquiring or adopting software must adhere to
    the licensing agreements provided by the vendor and other governing bodies.
  - Employees acquiring or adopting software must adhere to all applicable WCU and UNC
    policies.
V. POLICY REVIEW
This policy will be reviewed by the Information Technology Leadership every three
years.
VI. PENALTIES
The University will take appropriate action in response to user abuse or misuse of
information technology resources. Action may include, but not necessarily be limited
to, suspension or revocation of access to information technology resources; referral
to the appropriate office(s) for disciplinary action; or referral to law enforcement.
VII. RELATED POLICIES AND RESOURCES
University Policy #52: Responsible Use of Information Technology Resources
University Policy #62: Contract Review and Execution
University Policy #97: Information Security and Privacy Governance
University Policy #117: Information Security Policy
Board of Governors Policy #1400.1
International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational
Controls)