My colleague already had an older version of Nitro PDF Pro 7 on her machine but when her PC broke they refused to install it again because it was so old.
Yes I downloaded the trial but our IT have already installed Nitro PDF Pro 14 on quite a few PCs so they already have it and they suggested it to my colleague.
Stop filling blanks in with your own crap
Why the hostility?
I don't have to fill in the gaps, you simply put forward this scenario with software installation that is against all IS practices I've been subjected to for the last 20 years that are getting stricter and stricter, and nothing you are angrily replying with is remotely making it any less of an eyebrow-raising IS policy.
My criticism is of the process you describe, not about whether you can install software yourself. In fact there is no criticism of you at all, I'm pointing this at your IT/IS Team.
I'm only saying your scenario would not be allowed by the draconian IT/IS I have to (and have in previous orgs) endure, and they always come back to security as one of the main arguments.
Here are some things about your 'process' we wouldn't be allowed to do, and the reason for that is how much we've had to do to maintain our ISO 27001 certification to allow us to sell to many hospitals:
1. We only have one sanctioned 'current' tool for a role, i.e. it would be Nitro PDF OR Adobe Acrobat (pro versions), not both. This is for many reasons, from pricing breaks with volume negotiations, support, compatibility, maintenance as well as security (why have two code bases that can be attacked vs one? Although I think there is an argument for diversifying, it's always been overruled by IT/IS).
2. I would get laughed at if I tried to justify it by saying Adobe Acrobat Pro was £499 vs Nitro PDF 14 at £190 - this is one-off retail pricing; if IT are charging you that for a massive org like the NHS, someone needs shooting. There are the 'hidden' costs for support as well, not to mention, from a security point of view, offering cheap/free tools is definitely one very well-known attack vector.
3. Since they do subscription models, we'd have to use those because those get more maintenance and ensure they are always up to date etc. Standalone is often less cost-effective overall. Having software that isn't maintained as well or eligible for updates is a security risk.
4. Because we don't work in a bubble, we'd have to submit a scope of test that shows some effort has been made to ensure we've exercised enough use cases to show a good degree of compatibility with the other tools out there. This is not so much about security but ensuring we don't run into issues that cost staff/IT issues.
5. IS do their own research on tools; they have a SOUP (Software of unknown provenance) process for tools. It's aimed at many things but security is part of that: how often they update, what is their patching policy etc.
6. We wouldn't be able to justify reusing old tools 7 iterations out and expect the latest version to be therefore OK; we have to review most tools annually. Foxit was one that got dropped off our list and replaced with Adobe Acrobat precisely down to some security risk related issue (shame, I liked Foxit).
I don't need to know the ins/outs of your specific process as you've furnished me with enough to think this doesn't seem as up to date with current best practices in other orgs.