NCSRC NIRMATA
IS-22B Identity & Access 8% of OML score

Are employees prevented from installing unauthorised software on company systems?

Can your employees install any software they want on their work computers, or do you have rules and checks in place to stop them? This question asks whether you have controls that prevent people from adding unapproved programs that could harm your business, steal data, or break the law.

⚡
Why This Matters to Your Business

An employee downloading a cracked copy of accounting software or a file-sharing tool could introduce malware that steals your customer data or financial information, leading to regulatory penalties under the DPDP Act 2023 and loss of customer trust. A manufacturing firm in Gujarat lost ₹12 lakhs when an employee installed pirated software containing ransomware that encrypted critical production records. Uncontrolled software also creates legal liability: if someone installs unlicensed software, your company faces audit penalties and BSA (Business Software Alliance) copyright claims. Without this control, your IT person cannot keep systems secure or compliant, which leaves you exposed during audits by GST authorities and customer due-diligence checks.

📊
What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and see employees downloading and installing whatever they want from the internet—Chrome extensions, games, unauthorised versions of tools—with no restrictions or oversight. Your IT person has no way to know or prevent what's being installed on company machines.

Level 1
Initial

You have a basic IT policy document that says 'no unauthorised software,' but it's not enforced technically; employees still install things and IT only finds out when something breaks. Your network has no monitoring or blocking mechanisms in place.

Level 2
Developing

You've tightened Windows settings (typically by removing local administrator rights) so employees cannot install software without admin approval, and your IT person maintains a basic list of approved programs. Occasionally IT checks machines and removes unauthorised software when discovered, but no continuous monitoring happens.

Level 3
Defined

You have a formal Approved Software List documented and employees must request software before installation. Your IT person uses Windows Group Policy or a simple endpoint management tool to enforce restrictions, and logs are reviewed monthly to catch violations.

Level 4
Managed

You deploy application-control policies through Mobile Device Management (MDM) or an Endpoint Detection and Response (EDR) agent that actively prevents unauthorised software installation and execution across all devices and generates real-time alerts. Your IT team reviews security reports weekly and has a documented incident response process for violations.

Level 5
Optimised

You maintain automated endpoint controls: AI-driven behavioural monitoring that detects anomalous software execution in real time, automatic remediation, and continuous re-validation of the approved list against threat intelligence feeds. Regular audits verify compliance, and the control is integrated with your broader identity and access management framework.

🚀
How to Move Up — Practical Steps
Step 0 → 1
  What to do: Draft a simple one-page Acceptable Use Policy (AUP) that explicitly forbids installing unauthorised software and lists consequences (e.g., disciplinary action). Get it signed by all employees and store signed copies in HR records.
  Who: Business owner or HR manager with IT person's input
  Effort: 2-3 days

Step 1 → 2
  What to do: Remove local administrator rights from employee accounts so they cannot install software without IT approval (on a domain, the Restricted Groups Group Policy setting can enforce the membership of the local Administrators group centrally). Create a simple approval request process (email or shared spreadsheet). Document the list of approved software.
  Who: IT person
  Effort: 1 week

Step 2 → 3
  What to do: Formalise an Approved Software Inventory with justification for each tool (business purpose, licence status, security assessment). Implement Group Policy Objects (GPOs), for example an AppLocker allow-list, to enforce the restriction centrally, and establish a monthly manual audit process to check machines for violations.
  Who: IT person with compliance or process owner
  Effort: 2-3 weeks

Step 3 → 4
  What to do: Deploy a lightweight MDM or endpoint management solution (e.g., Microsoft Intune, ManageEngine Endpoint Central, or Jamf for Apple devices) to automate software inventory visibility and block unauthorised installations in real time. Set up a weekly alert review and escalation process.
  Who: IT person, or external vendor setup with internal ownership
  Effort: 4-6 weeks including testing and staff training

Step 4 → 5
  What to do: Integrate EDR/XDR tooling with threat intelligence feeds and implement automated behavioural analysis to detect previously unseen malware and suspicious execution patterns. Conduct quarterly vulnerability assessments and perform continuous control validation with annual third-party audits.
  Who: IT security lead or managed security service provider (MSSP)
  Effort: Ongoing (quarterly reviews, annual audits)
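The monthly audit from steps 1 → 2 and 2 → 3 (installed software compared against the Approved Software List, plus a check of who holds local administrator rights) can be produced with a short PowerShell script. The script below is an added example and is not code from the NIRMATA guide; the CSV path, the report folder and the sample approved list embedded in it are assumptions for illustration, and the report it writes is the kind of audit record listed under "Evidence You Should Have".

```powershell
# Added example (not from the NIRMATA guide): audit one Windows machine against
# an Approved Software List and list who holds local admin rights.
# Assumptions, for illustration only: Windows PowerShell 5.1; the approved list
# is a CSV with columns Name,Publisher at $ApprovedListPath (wildcards allowed);
# reports go to $ReportDir as <hostname>-<date>.csv.
param(
    [string]$ApprovedListPath = 'C:\Audit\approved-software.csv',
    [string]$ReportDir        = 'C:\Audit'
)

# Constructed sample list, used only when no CSV exists yet on this machine.
$SampleApprovedCsv = @'
Name,Publisher
Microsoft Office*,Microsoft Corporation
Google Chrome,Google LLC
7-Zip*,Igor Pavlov
Tally*,Tally Solutions*
'@

# Installed software as seen by Programs and Features: machine-wide 64-bit,
# machine-wide 32-bit, and per-user installs of the account running the audit.
# Win32_Product is deliberately avoided: it is slow and triggers MSI repairs.
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{n='Name';        e={ $_.DisplayName }},
                      @{n='Version';     e={ $_.DisplayVersion }},
                      @{n='Publisher';   e={ $_.Publisher }},
                      @{n='InstallDate'; e={ $_.InstallDate }},
                      @{n='Scope';       e={ if ($_.PSDrive.Name -eq 'HKCU') { 'User' } else { 'Machine' } }}
}

# A package is approved only if both name and publisher match an entry, so a
# renamed installer does not pass on name alone. (The publisher string is
# unsigned metadata; AppLocker publisher rules check the actual signature.)
function Compare-WithApprovedList {
    param($Installed, $Approved)
    foreach ($app in $Installed) {
        $hit = $Approved | Where-Object {
            $app.Name -like $_.Name -and $app.Publisher -like $_.Publisher
        }
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $app.Name
            Version     = $app.Version
            Publisher   = $app.Publisher
            InstallDate = $app.InstallDate
            Scope       = $app.Scope
            Status      = if ($hit) { 'Approved' } else { 'UNAPPROVED' }
        }
    }
}

# Step 1 -> 2 check: only IT accounts should appear here.
function Get-LocalAdminMembers {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# --- run the audit and write the evidence file -------------------------------
New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
$approved  = if (Test-Path $ApprovedListPath) { Import-Csv $ApprovedListPath } else { $SampleApprovedCsv | ConvertFrom-Csv }
$installed = @(Get-InstalledSoftware)
$results   = @(Compare-WithApprovedList -Installed $installed -Approved $approved)

$report = Join-Path $ReportDir ('{0}-{1}.csv' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-dd'))
$results | Export-Csv -Path $report -NoTypeInformation

$unapproved = @($results | Where-Object Status -eq 'UNAPPROVED')
Write-Host ('{0} packages found, {1} not on the approved list. Report: {2}' -f $installed.Count, $unapproved.Count, $report)
$unapproved | Format-Table Name, Version, Publisher, Scope -AutoSize

Write-Host "`nLocal Administrators on $($env:COMPUTERNAME):"
Get-LocalAdminMembers | Format-Table -AutoSize
```

Run it from a scheduled task or remotely with Invoke-Command on each machine once a month and keep the CSV files as the audit trail. Per-user installs (the HKCU key) are only visible for the account the script runs as, so run it in the context of the logged-on user, or have the endpoint tool collect that key, if staff have installed software "just for me".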
📁
Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed Acceptable Use Policy (AUP) or Employee IT Security Agreement clearly stating software installation restrictions and consequences, with signatures or acknowledgement records from all employees
  • Approved Software List (inventory document) containing software name, version, business justification, license status, and approval date—updated at least annually
  • Screenshots or reports showing Windows Group Policy settings or endpoint management tool configurations that enforce software installation restrictions
  • Software request approval log or ticketing system showing employee requests, IT approvals/rejections, dates, and business justification for each approved tool
  • Monthly or quarterly audit reports documenting manual checks of machines for unauthorised software, with findings and remediation actions taken
🔍
What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Show me your Approved Software List. How often is it reviewed and updated? Who approves new software requests and based on what criteria?"
  • "How do you prevent employees from installing software without permission? Can you demonstrate the technical controls (Group Policy, MDM, etc.) in place?"
  • "Walk me through a recent employee request for new software—show me the approval request, the business justification, and the decision recorded."
  • "How do you monitor and detect unauthorised software installations? Show me audit logs or reports from the last quarter confirming compliance."
  • "What happens if an employee is found installing unauthorised software? Do you have documented incidents and remediation records?"
🛠
Tools That Work in India
Purpose: Block unauthorised software installations and enforce the approved software list at the OS level without extra cost
  Free option: Windows Group Policy (built into Windows Pro and Server; Local Group Policy works on a single machine, centrally managed GPOs need an Active Directory domain), including application-control policies such as AppLocker or Windows Defender Application Control where the edition supports them; on macOS, standard (non-administrator) user accounts
  Paid option: none (built in)

Purpose: Centrally manage software installation policies, inventory, and automatic updates across multiple machines from one dashboard
  Free option: Jamf Now (free for up to 3 Apple devices), or Canonical Landscape for Ubuntu machines (free tier for a small number of machines)
  Paid option: Microsoft Intune (₹2,000–5,000/user/year), ManageEngine Desktop Central, now Endpoint Central (₹80,000–3,00,000/year for 50–500 devices), Jamf Pro (₹5,000–15,000/device/year)

Purpose: Real-time monitoring, threat detection, and automated response if unauthorised or malicious software tries to execute
  Free option: Microsoft Defender Antivirus (built into every Windows edition; full EDR requires the paid Microsoft Defender for Endpoint), YARA rules for custom signature-based detection (manual setup)
  Paid option: CrowdStrike Falcon (₹8,000–20,000/device/year), SentinelOne (₹10,000–25,000/device/year), Kaspersky EDR (₹5,000–12,000/device/year)

Purpose: Track and document all software installations, removals, and changes across the network for audit compliance
  Free option: ManageEngine AssetExplorer (free edition, limited to a small number of assets), or PowerShell scripts that read the registry Uninstall keys and export a report
  Paid option: Ivanti (formerly LANDESK) or Snow License Manager (₹2,00,000–10,00,000/year for mid-sized MSMEs)

Purpose: Scan installed software against known vulnerabilities and licence compliance databases to flag risky or unlicensed tools
  Free option: NIST NVD (vulnerability database; lookup only, no scanner), Greenbone/OpenVAS Community Edition (open-source scanner), Tenable Nessus Essentials (free for up to 16 IP addresses)
  Paid option: Qualys VMDR (₹3,00,000+/year), Tenable Nessus Professional (₹80,000–2,00,000/year)
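For the first row above (blocking at the OS level at no cost), the following is an added example in PowerShell of what that Group Policy configuration looks like as an AppLocker allow-list; it is not code from the NIRMATA guide or from Microsoft's documentation. It assumes an elevated Windows PowerShell 5.1 session on a Windows edition that supports AppLocker enforcement, and the policy file path is illustrative. The rule set mirrors AppLocker's built-in default rules: standard users may run what IT installed under Program Files and Windows, Administrators may run anything, and the same split applies to .msi installers.

```powershell
# Added example (not from the NIRMATA guide): a minimal AppLocker allow-list.
# Standard users may run only what IT installed (Program Files, Windows, the
# MSI installer cache); Administrators may run anything. Starts in AuditOnly
# so legitimate tools are found from the event log before blocking begins.
# Assumptions, for illustration only: elevated Windows PowerShell 5.1 on an
# edition that supports AppLocker enforcement; $PolicyPath is arbitrary.
param(
    [ValidateSet('AuditOnly', 'Enabled')] [string]$Mode = 'AuditOnly',
    [string]$PolicyPath = 'C:\Audit\applocker.xml',
    [switch]$Apply    # without this the script only builds and dry-runs the policy
)

$Everyone = 'S-1-1-0'         # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'    # well-known SID: BUILTIN\Administrators

# One Allow rule with a path condition; every rule needs a unique Id.
function New-PathRule([string]$Name, [string]$Sid, [string]$Path) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Exe collection: stops installers and portable tools run from Downloads, Temp
# or USB sticks. Msi collection: stops .msi installs that IT did not perform.
# %PROGRAMFILES% covers both Program Files folders in AppLocker path rules.
function New-AllowListPolicyXml([string]$EnforcementMode) {
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$EnforcementMode">
$(New-PathRule 'Everyone: Program Files'    $Everyone '%PROGRAMFILES%\*')
$(New-PathRule 'Everyone: Windows folder'   $Everyone '%WINDIR%\*')
$(New-PathRule 'Administrators: everything' $Admins   '*')
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="$EnforcementMode">
$(New-PathRule 'Everyone: installer cache'  $Everyone '%WINDIR%\Installer\*')
$(New-PathRule 'Administrators: all MSI'    $Admins   '*.*')
  </RuleCollection>
</AppLockerPolicy>
"@
}

# Dry run: notepad.exe under Windows should be Allowed for Everyone; the same
# binary copied into %TEMP% should be DeniedByDefault, i.e. no rule matched.
function Test-AllowListPolicy {
    $tmpPolicy = Join-Path $env:TEMP 'applocker-dryrun.xml'
    New-AllowListPolicyXml -EnforcementMode 'Enabled' | Set-Content -Path $tmpPolicy -Encoding UTF8
    $stray = Join-Path $env:TEMP 'stray-tool.exe'
    Copy-Item "$env:SystemRoot\System32\notepad.exe" $stray -Force
    Test-AppLockerPolicy -XmlPolicy $tmpPolicy -User Everyone `
        -Path "$env:SystemRoot\System32\notepad.exe", $stray |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

function Install-AllowListPolicy {
    New-Item -ItemType Directory -Force -Path (Split-Path $PolicyPath) | Out-Null
    New-AllowListPolicyXml -EnforcementMode $Mode | Set-Content -Path $PolicyPath -Encoding UTF8
    # Rules are only evaluated while the Application Identity service runs; its
    # startup type is protected on current Windows, so sc.exe is used to set it.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Writes the local policy. On a domain, use -Ldap to target a GPO instead.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath
}

# Monthly review input: 8003 = would have been blocked (AuditOnly), 8004 =
# blocked (Enabled) for EXE; 8006/8007 are the MSI and Script equivalents.
function Get-AppLockerBlocks([int]$Days = 30) {
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
        Id        = 8003, 8004, 8006, 8007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d.TargetUser; File = $d.FilePath }
    }
}

Test-AllowListPolicy
if ($Apply) { Install-AllowListPolicy }
Get-AppLockerBlocks | Format-Table -AutoSize
```

Run it first with the default AuditOnly mode and -Apply, watch the 8003/8006 events for a few weeks, add publisher or hash rules for any legitimate tool that shows up, and only then re-run with -Mode Enabled -Apply. Two caveats a practitioner will want: a handful of folders under %WINDIR% (for example the Tasks and Temp directories) are writable by standard users, so common AppLocker hardening guidance adds explicit deny rules for them when the broad %WINDIR% allow rule is used; and the policy does nothing on machines where the Application Identity service is not running, which is why the script sets it to start automatically.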
🛡
How This Makes You More Resilient
When you prevent unauthorised software, you reduce the risk of malware infections, data theft, and ransomware attacks that could shut down your operations or expose customer data. Your business avoids costly security breach investigations, regulatory fines, and the loss of customer contracts due to failed security audits. You also protect your company from copyright and licensing liability that could result in unexpected legal costs and reputational damage.
⚠️
Common Pitfalls in India
  • Assuming Windows built-in restrictions are enough—many MSMEs rely only on Group Policy without monitoring, so employees work around it or install software on personal devices used for work, creating shadow IT and data loss risks.
  • Not maintaining an updated Approved Software List—the policy exists but IT approves tools ad-hoc without documenting business case or security review, leading to audit failures and duplicate/redundant software that increases security surface and license costs.
  • Blocking software too strictly without a clear approval process—frustrating employees who then find workarounds (portable executables, cloud-based alternatives, personal accounts) or bypass IT entirely, undermining the control and creating compliance gaps.
  • Ignoring mobile and remote worker devices—focusing only on office desktops while employees on work-from-home and BYOD schemes install unauthorised apps on laptops and phones, creating unmonitored security risks.
  • No enforcement or follow-up—publishing a policy but never auditing compliance or taking action against violators, so the control becomes meaningless and employees ignore it.
⚖️
Compliance References
DPDP Act 2023: Section 8(5) requires a Data Fiduciary to protect personal data in its possession by taking reasonable security safeguards to prevent a personal data breach, and Section 8(6) requires a breach to be notified to the Data Protection Board and affected Data Principals. Controlling what software runs on systems that hold personal data is one such safeguard.
CERT-In Directions of 28 April 2022 (issued under Section 70B(6) of the IT Act, 2000): Direction (ii) requires cyber incidents, including malware and ransomware infections, to be reported to CERT-In within 6 hours of noticing them; Direction (iv) requires logs of all ICT systems to be enabled and retained for a rolling period of 180 days, which covers the installation and execution logs reviewed under this control.
ISO/IEC 27001:2022 Annex A: A.5.15 (Access control), A.8.1 (User endpoint devices), A.8.2 (Privileged access rights), and A.8.19 (Installation of software on operational systems).
NIST CSF 2.0: GV.PO (Policy, covering the acceptable use policy), PR.AA-05 (access permissions and authorisations managed on least-privilege and separation-of-duties principles), PR.PS-01 (configuration management practices established and applied), PR.PS-05 (installation and execution of unauthorised software are prevented), and DE.CM-09 (computing hardware and software monitored to find potentially adverse events).

Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.

TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security

trustinbharat.org