Software policy
Software security
Purpose
This policy sets out the guidelines for the acquisition, installation, usage, management, and security of software across Agile Collective to ensure systems are secure, up-to-date, and protected against cyber threats.
Scope
This policy applies to:
- All employees, contractors, and third parties using company devices.
- All devices used to access company networks, systems, and data, including Linux and macOS devices.
- All software used within the organisation, whether pre-installed, downloaded, or cloud-based.
Policy
Approved software
Only software that is authorised and approved by the Tech circle should be installed on company devices.
- The Tech circle will maintain a list of approved software, which is regularly reviewed and updated.
- Employees must submit requests for new software to the Tech circle for evaluation before installation.
- All software must be obtained from trusted and verified sources.
- Ubuntu users should only install software from Canonical-maintained repositories or trusted software provided in containerised formats (Snap, Flatpak, AppImage).
- macOS users should only install software available from the App Store.
- Downloading software from untrusted or unauthorised websites is prohibited.
Software Installation and Removal
- Software installation is generally restricted to users with administrative privileges and to software approved by the Tech circle.
- Standard users (non-developers) must request new software installation through the Tech circle.
Installation by developers
Developers are granted controlled autonomy in installing additional software necessary for their work, provided that certain security checks are performed and documented. The following conditions apply:
- Supported Software: The software must be from an active, supported project. If the software is open source, it should be maintained and updated regularly.
- Latest Version: The developer must ensure that the latest stable version of the software is being installed. Where applicable, automatic updates should be enabled.
- Security Vulnerability Check: The developer must check the software for any known security vulnerabilities by consulting cve.mitre.org or another recognised CVE database.
- If any vulnerabilities are found, the software should not be installed until the issues are resolved or the Tech circle has reviewed and approved its use.
- Source Verification: The software must be downloaded from trusted, official sources (e.g., Linux package repositories, official websites, or verified Git repositories).
Software patching and updates
- Wherever feasible, automatic updates for operating systems (Linux/macOS) and software applications must be enabled.
- For Linux systems, package managers such as apt, dnf, or yum must be configured to install security updates automatically.
- Where automatic updates are not available, employees must ensure software is manually updated in accordance with Tech circle guidelines.
- Software that cannot be updated should be either isolated or replaced with a secure, updated version.
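The apt and dnf configuration that the automatic-updates requirement above calls for, as an added example that is not part of the Agile Collective policy. It assumes the unattended-upgrades package is installed on Ubuntu/Debian and the dnf-automatic package on Fedora/RHEL; each function takes an optional root directory so the files can be previewed in a scratch directory before being written under /etc as root.

```shell
#!/bin/sh
# Added example (not part of the policy): render the configuration that makes
# apt and dnf apply security updates automatically, then verify it is present.
# Pass "" (the default) to write under /etc, or a scratch directory to preview.

# apt: the two files unattended-upgrades reads (assumes the package is installed).
write_apt_auto_upgrade_config() {
  root="${1:-}"
  dir="$root/etc/apt/apt.conf.d"
  mkdir -p "$dir"
  # Run the periodic apt job daily: refresh package lists, then run unattended-upgrade.
  cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # Limit unattended upgrades to the distribution's security pockets
  # (the ESM origins are Ubuntu's extended security maintenance pockets).
  cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# dnf: the dnf-automatic configuration (assumes the dnf-automatic package is installed).
write_dnf_automatic_config() {
  root="${1:-}"
  dir="$root/etc/dnf"
  mkdir -p "$dir"
  # upgrade_type=security restricts the run to security advisories;
  # apply_updates=yes installs them rather than only downloading.
  cat > "$dir/automatic.conf" <<'EOF'
[commands]
upgrade_type = security
download_updates = yes
apply_updates = yes

[emitters]
emit_via = stdio
EOF
}

# Return 0 when apt is configured for unattended security upgrades.
check_apt_auto_upgrade() {
  root="${1:-}"
  dir="$root/etc/apt/apt.conf.d"
  grep -qs 'APT::Periodic::Unattended-Upgrade "1"' "$dir/20auto-upgrades" &&
    grep -qs 'codename}-security' "$dir/50unattended-upgrades"
}

# Return 0 when dnf-automatic is configured to apply security updates.
check_dnf_automatic() {
  root="${1:-}"
  f="$root/etc/dnf/automatic.conf"
  grep -qs '^upgrade_type *= *security' "$f" &&
    grep -qs '^apply_updates *= *yes' "$f"
}
```

To apply on a host, run the matching write function as root with no argument and then the check function; on Fedora/RHEL the timer still has to be started with `systemctl enable --now dnf-automatic.timer`. The check functions are what a compliance audit can run on every device: they exit non-zero on any machine where the files are missing or have been edited away from the security-only setting.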
Developer responsibilities
All software installed by developers must be regularly patched and updated to the latest versions to mitigate security risks. Developers are responsible for ensuring that software they install remains up-to-date.
- Developers must regularly check for updates and apply them as soon as they become available.
- If a vulnerability is identified in the software (via CVE monitoring or vendor announcements), developers must update or remove the affected software immediately.
- The Tech circle will conduct periodic vulnerability scans and audits of developer-installed software. Any software that is found to be outdated or vulnerable must be updated or removed in accordance with company security policies.
Access control
- Software installation is restricted to those with appropriate administrative rights. Standard users should not have the ability to install or modify software on company devices.
- Users must have separate accounts for administrative and non-administrative tasks, especially on Linux systems. Users should only use administrative privileges when absolutely necessary.
Developer access privileges
- Developers may be granted elevated privileges (e.g., sudo rights on Linux, admin rights on macOS) to install software, but must adhere to all security protocols as outlined in this policy.
- Separate administrative accounts should be used for installations, ensuring that day-to-day tasks are performed under non-privileged accounts.
Incident reporting
- Employees must report any software vulnerabilities, bugs, or security incidents related to software immediately to the Tech circle.
- If any unauthorised software is discovered, the Tech circle must assess the risk and take necessary actions, such as uninstalling the software or isolating the system.
Member and employee responsibilities
- Compliance: Members and employees are responsible for adhering to this policy at all times. Non-compliance may result in disciplinary action.
Exceptions
- Any exceptions to this policy must be approved in writing by the Tech circle and will be granted only under exceptional circumstances.
Monitoring and review
- Policy Review: This policy will be reviewed at least annually or after any significant changes in the company’s infrastructure or threat landscape.
- Audit and Monitoring: The Tech circle will audit and monitor compliance with this policy.
Last updated: