Skip to main content

University Policy #119

Software Life Cycle Policy

Initially approved: August 24, 2015
Revised and Renamed: September 24, 2024

Policy Topic: Information Technology
Administering Office: Division of Information Technology/Office of the CIO


It is the policy of ĢƵ (“WCU” or the “University”) to ensure that its software assets are developed, used, and maintained in compliance with all applicable software licensing laws and agreements, and that these technology resources are used effectively to further the University's mission. 


This policy shall apply to all software utilized by the ĢƵcommunity[HB1]  including, but not limited to the acquisition and/or adoption of software under any one or more of the following circumstances:

  1. software that is installed on any endpoint device.
  2. software that is used via the network local to ĢƵor the Internet.
  3. software that makes use of sensitive, confidential, or privileged data or information. 


&Բ;“Acquisition” or “adoption” means a software asset that is purchased or obtained (including software that is free), by either ĢƵor individuals, to be used academically, administratively, or for the purposes of research, scholarship, or creative works. 

Application” - See also “software

&Բ;“License” means a legal instrument which governs the use or redistribution of software.

&Բ;“Software”, “Software Asset”, “Application” means a computer program, add-on, or collection (suite) of programs that can be accessed through a website, installed on laptop/desktop computers, on mobile devices (such as tablets or smartphones), or on a server environment (either within ĢƵor hosted elsewhere). 


  1. Per ISO 27002, WCU’s adopted information security framework, all software assets should be inventoried to support risk management, audit activities, vulnerability management, incident response and recovery planning. Therefore: 
    1. ĢƵDivision of Information Technology (DoIT) shall maintain an inventory of all software assets installed on WCU-owned endpoint devices.
    2. ĢƵDoIT shall maintain an inventory of contracts for all IT services and software assets.
    3. If software is identified on a WCU-owned endpoint device that is not in the inventory, then the software must be removed from the device, or go through the software review process to be added to the inventory.
    4. If security vulnerabilities are detected in software, or if known deprecated versions of software are identified on WCU-owned endpoint devices, then it is the user’s responsibility to update the software to a non-vulnerable/secure state or remove the software from the device.
    5. Given the item above, software asset owners must maintain a contract or license agreement that allows for the software asset to be updated to the latest secure version or remove the software from the device. 
  2. In order to maintain the required inventory as described above, the following process must be followed for adoption and approval of all software.
    1. Employees or University administrative units (i.e., divisions, departments, offices) who are acquiring software must submit a request at or contact the ĢƵIT Help Desk at (828) 227-7487[KC2]  prior to acquiring the software.
    2. In recognition of the diverse uses of software on campus, the Division of Information Technology agrees to the timely facilitation of a customized intake process that indicates appropriate steps for software acquisition, adoption, and approval.
    3. Oversight of the software acquisition process will be managed by the appropriate unit within the Division of Information Technology, as designated by the Chief Information Officer.
    4. The employee or administrative unit acquiring or adopting software must adhere to the licensing agreements provided by the vendor and other governing bodies.
    5. Employees acquiring or adopting software must adhere to all applicable ĢƵand UNC policies.


 This policy will be reviewed by the Information Technology Leadership every three years. 


The University will take appropriate action in response to user abuse or misuse of information technology resources. Action may include, but not necessarily be limited to, suspension or revocation of access to information technology resources; referral to the appropriate office(s) for disciplinary action; or referral to law enforcement. 


University Policy #52: Responsible Use of Information Technology Resources

University Policy #62: Contract Review and Execution

University Policy #97: Information Security and Privacy Governance

University Policy #117: Information Security Policy

International Standards Organization (ISO/IEC 27002:2022, Clause 5 Organizational Controls)