
University Policy #119

Software Life Cycle Policy

Initially approved: August 24, 2015
Revised and Renamed: September 24, 2024

Policy Topic: Information Technology
Administering Office: Division of Information Technology/Office of the CIO

I. POLICY STATEMENT 

It is the policy of Western Carolina University (“WCU” or the “University”) to ensure that its software assets are developed, used, and maintained in compliance with all applicable software licensing laws and agreements, and that these technology resources are used effectively to further the University's mission. 

II. SCOPE AND APPLICATION

This policy shall apply to all software utilized by the WCU community including, but not limited to, the acquisition and/or adoption of software under any one or more of the following circumstances:

  1. software that is installed on any endpoint device.
  2. software that is used via the network local to WCU or the Internet.
  3. software that makes use of sensitive, confidential, or privileged data or information. 

III. DEFINITIONS

 “Acquisition” or “adoption” means a software asset that is purchased or obtained (including software that is free), by either WCU or individuals, to be used academically, administratively, or for the purposes of research, scholarship, or creative works. 

 “Application” - See also “Software”

 “License” means a legal instrument which governs the use or redistribution of software.

 “Software”, “Software Asset”, or “Application” means a computer program, add-on, or collection (suite) of programs that can be accessed through a website, installed on laptop/desktop computers, on mobile devices (such as tablets or smartphones), or on a server environment (either within WCU or hosted elsewhere). 

IV. ACQUISITION/ADOPTION LIFECYCLE 

  1. Per ISO 27002, WCU’s adopted information security framework, all software assets should be inventoried to support risk management, audit activities, vulnerability management, incident response and recovery planning. Therefore: 
    1. WCU Division of Information Technology (DoIT) shall maintain an inventory of all software assets installed on WCU-owned endpoint devices.
    2. WCU DoIT shall maintain an inventory of contracts for all IT services and software assets.
    3. If software is identified on a WCU-owned endpoint device that is not in the inventory, then the software must be removed from the device, or go through the software review process to be added to the inventory.
    4. If security vulnerabilities are detected in software, or if known deprecated versions of software are identified on WCU-owned endpoint devices, then it is the user’s responsibility to update the software to a non-vulnerable/secure state or remove the software from the device.
    5. Given the item above, software asset owners must either maintain a contract or license agreement that allows the software asset to be updated to the latest secure version, or remove the software from the device. 
  2. In order to maintain the required inventory as described above, the following process must be followed for adoption and approval of all software.
    1. Employees or University administrative units (i.e., divisions, departments, offices) who are acquiring software must submit a request at http://go.wcu.edu/itsoftwarereview or contact the WCU IT Help Desk at (828) 227-7487 prior to acquiring the software.
    2. In recognition of the diverse uses of software on campus, the Division of Information Technology agrees to the timely facilitation of a customized intake process that indicates appropriate steps for software acquisition, adoption, and approval.
    3. Oversight of the software acquisition process will be managed by the appropriate unit within the Division of Information Technology, as designated by the Chief Information Officer.
    4. The employee or administrative unit acquiring or adopting software must adhere to the licensing agreements provided by the vendor and other governing bodies.
    5. Employees acquiring or adopting software must adhere to all applicable WCU and UNC policies.

V. POLICY REVIEW 

 This policy will be reviewed by the Information Technology Leadership every three years. 

VI. PENALTIES

The University will take appropriate action in response to user abuse or misuse of information technology resources. Action may include, but not necessarily be limited to, suspension or revocation of access to information technology resources; referral to the appropriate office(s) for disciplinary action; or referral to law enforcement. 

VII. RELATED POLICIES AND RESOURCES

University Policy #52: Responsible Use of Information Technology Resources

University Policy #62: Contract Review and Execution

University Policy #97: Information Security and Privacy Governance

University Policy #117: Information Security Policy

Board of Governors Policy #1400.1

International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational Controls)
