ISP-13 Software management policy

This is a sub-policy of the ISP-01 Information security policy.

Summary

This policy sets out the University’s approach to ensuring the security and management of software. It covers procurement, installation, regulation, maintenance, and removal of software to protect University data and assets. The policy seeks to ensure compliance with legal and contractual obligations, and licensing agreements, including requirements to address security vulnerabilities and prevent the use of unlicensed or malicious software.

Control information
Owner: Chief Digital Information Officer, IT Services
Author: Information Security Manager, IT Services
Sponsor: Chief Digital Information Officer, IT Services
Consulted: Digital Spaces Manager, Head of Digital Services, Digital Platforms and Network Manager, Information Governance and Security Advisory Board (IGSAB)
Approved by: Information Governance and Security Advisory Board (IGSAB)
Responsible area: IT Services
Version: 5
Approval date: 15 November 2025
Effective date: 15 November 2025
Interim review effective date: Not applicable
Full review period: 1 year
Date of next full review: 30 September 2026
EIA completion date: Not applicable
DPIA completion date: Not applicable
SIA completion date: Not applicable
Reporting requirements:
  • Software License Notification
  • Software Security Monitoring
  • Software Compliance
Applicable statutory, legal or best practice requirements:
  • Licensing laws
  • Data protection legislation
  • Cybersecurity standards
  • Acceptable use policies
  • Copyright laws
Keywords: acceptable use, best practices, cybersecurity, data confidentiality, data protection, GDPR, information security, intellectual property, ISO/IEC 27001, IT governance, IT services, licensing compliance, NIST, risk management, software installation, software licensing, software maintenance, software management, software procurement, software regulation, software removal, software vulnerabilities

1. Updates to this policy

1.1. This policy has been updated to align with the new University of Bristol policy management framework.

2. Introduction

2.1. This Software management policy is a sub-policy of the ISP-01 Information security policy and sets out the principles and expectations for the security aspects of managing software.

3. Scope

3.1. This policy applies to all University-owned systems and any third party systems managed on behalf of the University. It covers individuals responsible for installing, managing, or using software on these systems, including anyone who installs software from non-University managed repositories. The policy extends to all devices capable of running software, such as laptops, desktops, tablets, smartphones, servers, and network infrastructure, both on and off premises.

4. Definitions

4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.

4.2. Software asset: All software, software licences, support and maintenance agreements used within the University.

4.3. Software management: Any procurement, development, installation, regulation, maintenance or removal of software that takes place on systems owned by, managed by or for the University.

4.4. Software manager: Any individual installing software on University systems is considered a Software Manager.

4.5. University systems: Includes all University-owned devices that are able to be programmed to run logical operations or arithmetic. This includes but is not limited to laptops, desktops, tablets, smartphones, wearables, physical and virtual servers and network infrastructure, on or off premises.

5. Responsibilities

5.1. Software Managers: Are responsible for understanding and complying with University policies regarding information security. They are also responsible for managing and maintaining software, ensuring the ongoing security of the software by applying the latest security patches and adhering to licensing requirements.

5.2. IT Services: Monitor software installed on University devices, ensuring compliance with licensing and legislation, addressing security issues, and supporting the software lifecycle. They also maintain a catalogue of centrally managed software including due diligence processes for onboarding new software.

5.3. Supervisors and Line Management: Are responsible for overseeing that software installed within their teams is properly assessed, managed, and resourced for ongoing support, ensuring the ongoing security of the software by applying the latest security patches and adhering to licensing requirements.

5.4. University Members: Must ensure they only use licensed software, reporting any issues, and adhering to any conditions of software use or restrictions placed by the University.

5.5. Procurement Teams: Ensure that due diligence is conducted when purchasing software, confirming future support, and ensuring products align with University requirements and security standards.

6. General software management principles

6.1. All software, including operating systems and applications, must be actively managed.

6.2. There must be an identifiable individual and deputy, or organisational unit, taking current responsibility for every item of software formally deployed.

6.3. Individuals installing software from non-University managed software repositories are responsible for the active management of that software instance.

6.4. Those responsible for software must monitor relevant sources of information that may alert them to a need to act in relation to new security vulnerabilities. This may include instruction from IT Services. Failure to act may result in removal of the software, isolation of the device or removal of privileged access.

6.5. Software managers are responsible for ensuring software remains compliant with University standards and relevant security frameworks.

6.6. Installation, maintenance and removal of software should follow IT Service Management processes (staff access only).

7. Software procurement

7.1. Due diligence for software procurement should be conducted in accordance with the ISP-04 Outsourcing and third party compliance policy.

7.2. At the time of software procurement, the basis of future support and the expected supported lifetime of the product should be established. It is important to have the assurance that manufacturers will provide updates to correct any serious security vulnerabilities discovered in future.

8. Software installation

8.1. Checks should always be made that there is a valid licence before installing software, and users must be advised of any special conditions regarding its usage. All software licences must be notified to the IT Software Licensing Team.

8.2. Managed installs should be used wherever possible, in line with current procedures, so that software is kept maintained and the use of individual administrative privilege is limited.

8.3. Software assets and other software files must be stored securely and managed effectively.

8.4. Software must not be put into active use on University systems unless a department or group has assessed and committed to providing sufficient resourcing for its ongoing management. Appropriate assessments or tests should be made to avoid new software causing operational problems to other systems on the network.

9. Software regulation

9.1. Use or installation of unlicensed software or using software for illegal activities constitutes a disciplinary offence as detailed in the ISP-09 Acceptable use policy section 13, ‘Penalties for Misuse’.

9.2. Use of software that tests or attempts to compromise the security of University systems or networks is prohibited unless authorised by the Chief Information Security Officer for the duration of those tests.

9.3. Use of software that causes operational problems that inconvenience others, or that makes demands on resources that are excessive or cannot be justified, may be prohibited or regulated.

9.4. Software found on University systems that incorporates malware of any type, or that does not conform to the restrictions outlined in this policy, is liable to automated or manual removal or deactivation.

9.5. The installation and use of software will be monitored by IT Services to ensure we are fulfilling our licensing obligations. The University needs to ensure it is maximising the value of its software assets.

9.6. For further guidance on the use of University software and other facilities, refer to the ISP-09 Acceptable use policy and the ISP-03 Compliance policy.

10. Software maintenance

10.1. Software managers are responsible for maintaining the integrity of software by applying security patches in a time period proportionate to the criticality of those patches. If patches cannot be applied for whatever reason, other compensatory control measures must be taken to mitigate the risk.

10.2. Systems running software, including the operating system, which are not being maintained adequately and which may be presenting a wider risk to University networks and data, are liable to have their connectivity restricted.

11. Software removal

11.1. Software that cannot be made compliant (for example software for which security patches cannot be applied and any unlicensed or incorrectly licensed software) must be removed from service or the host device moved to an autonomous or isolated network. The IT Service Management process must be followed.

11.2. When decommissioning a University system, or a system managed on behalf of the University, licensed software must be removed to prevent any breach of licensing conditions.

12. Permitted, regulated and prohibited use of software

12.1. The University must comply with its overriding legal and contractual obligations. Some of these obligations affect software and the uses to which it may be put. The Chief Digital Information Officer has overall accountability for IT at the University and has the authority to prohibit use of software. This may include, but is not limited to, software that poses a risk to the confidentiality, integrity or availability of University data.

13. Further guidance

Request this policy in an alternative format

If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.