CM-11 User-installed Software

Description

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

Texas DIR Required By: 2023-01-20

System adds:

  1. Users may not install applications which capture indiscriminate input from a human interface device such as a keyboard.
  2. Applications designed to capture discriminate input are not in scope of this control standard if the application meets the following criteria:
    1. The application behavior is explicitly approved by the user on a per-application basis;
    2. The application does not run at the operating system level; and
    3. The application does not capture indiscriminate input from a web browser.

Applicability

This Control applies to all University information resources.

The information resource owner, or designee, is responsible for ensuring risk mitigation measures described in this Control are implemented.

The intended audience is users of University information resources.

Implementation

TAMU-CC shall:

  1. All software installed on University-owned or operated computer systems used by faculty members, staff members, agents, or students in the conduct of University business must be appropriately licensed (Texas A&M System Regulation 29.01.02, Use of Licensed Software [TAMUS 29.01.02]).
    1. For software having a licensing agreement, persons installing or authorizing the installation of software should be familiar with the terms of the agreement. Where feasible, the licensing agreement should be maintained in the department that operates the system on which the software is installed or through a license management agreement with a third party.
    2. In cases where this is not feasible, individuals or organizations should maintain sufficient documentation (e.g., End User License Agreements, purchase receipts) to validate that the software is appropriately licensed.
  2. Enforce software installation policies through endpoint central management tools.
  3. Monitor policy compliance at least annually.
  4. See the TAMU-CC document Acceptable Use Policy for a list of prohibited software.
  5. Users may not install applications which capture indiscriminate input from a human interface device such as a keyboard.
  6. Applications designed to capture discriminate input are not in scope of this control standard if the application meets the following criteria:
    1. The application behavior is explicitly approved by the user on a per-application basis;
    2. The application does not run at the operating system level; and
    3. The application does not capture indiscriminate input from a web browser.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019