Security Policies and Procedures

B. Acquisition of software

It is up to the developer to decide which software tools they will require for their workstation. All regulated software will only be downloaded from trusted sources, such as the Apple App Store, Windows Store, or directly from reputable websites, etc. Unregulated software is allowed, but must be fully documented and approved for use by the ISO. Documentation will include:

1. The source of the software
2. When it was downloaded
3. Who downloaded it for use; and
4. The date the ISO approved the use of the software

All software for Windows OS devices is required to be screened for malware prior to installation.

Any unauthorized software must be approved and validated, or removed.

Users of workstations, netbooks, wireless and other personal devices must not install unapproved software.

C. Open Source Software

The use of open source shareware or open source freeware may only occur if:

1. It is not used in a production environment OR
2. Prior to use it is fully tested, documented and Virtru's personnel are assigned to support it. Checks to be performed include:
   a. Verify usage license (no strong or weak copyleft licenses)
   b. Review open CVEs and available patches
   c. Perform internal security evaluation
   d. Flag for external security evaluation during next penetration test
3. The source of the software is documented
   a. URL
   b. Project lead
   c. Contributors
   d. Whether the project is actively maintained
4. The ISO approves of the use

D. Documentation

Documentation for sensitive applications and the operating systems which run those systems shall be stored securely. Backups of all documentation shall be maintained off

Rev.2015.8.6