Enterprise Application Management Lifecycle Design

💼 Management Summary

The Application Management Lifecycle design implements end-to-end governance for enterprise applications, from request to retirement, with approval workflows, deployment automation, license management, security vetting and decommissioning procedures.

Recommendation: IMPLEMENT APPLICATION LIFECYCLE
Risk without implementation: Medium
Risk Score: 5/10
Implementation: 48h (tech: 16h)
Applies to:
✓ Intune
✓ M365
✓ Azure AD

Application lifecycle management prevents: shadow IT (unauthorized apps, which are security risks), license waste (unused licenses costing €100K+ annually), outdated software (unpatched vulnerabilities), and missing decommissioning (orphaned apps consuming resources). The lifecycle provides: controlled onboarding (security vetting before deployment), automated deployment (Intune), license optimization (reclaiming unused licenses), regular reviews (are apps still needed?), and secure retirement (data migration, access revocation).

Implementation

Application lifecycle stages:

  1. Request: business justification, security review (data access, permissions), cost approval
  2. Onboarding: packaging (Intune), SSO configuration (Azure AD), testing (pilot group)
  3. Deployment: Intune assignment, user training, support documentation
  4. Management: license monitoring (unused licenses), version updates, security patches
  5. Review: quarterly app review (still needed?), usage metrics (adoption rates)
  6. Retirement: migration to alternative (if replacing), data export, license reclamation, Azure AD app removal, Intune app uninstall

Requirements

  1. App request process (approval workflow)
  2. Security vetting checklist
  3. Intune app packaging standards
  4. Azure AD SSO integration
  5. License management tool (M365 admin center)
  6. Quarterly app review schedule
  7. Retirement runbook

Implementation

Define the app request workflow (ServiceNow, Power Automate), establish the security review process, document packaging standards, implement quarterly app reviews, and create retirement procedures.

Compliance and Auditing

App lifecycle management supports: BIO 12.06 (Software installation controls), ISO 27001 A.14.2.2 (System change control), and license compliance (avoid audit violations).

Monitoring

Use the PowerShell script application-management.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script application-management.ps1 (function Invoke-Remediation) to remediate.

Compliance & Frameworks

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell
<#
.SYNOPSIS
    Application Management Design
.DESCRIPTION
    Implementation for Application Management Design
.NOTES
    Filename: application-management.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Version: 1.0
    Related JSON: content/design/platform/application-management.json
#>

#Requires -Version 5.1
#Requires -Modules Microsoft.Graph

[CmdletBinding()]
param(
    [Parameter()][switch]$WhatIf,
    [Parameter()][switch]$Monitoring,
    [Parameter()][switch]$Remediation,
    [Parameter()][switch]$Revert
)

$ErrorActionPreference = 'Stop'
$VerbosePreference = 'Continue'

$PolicyName = "Application Management Design"
$BIOControl = "14.02"

function Connect-RequiredServices {
    # Connection logic based on API
}

function Test-Compliance {
    Write-Verbose "Testing compliance for: $PolicyName..."

    $result = [PSCustomObject]@{
        ScriptName        = "application-management"
        PolicyName        = $PolicyName
        IsCompliant       = $false
        TotalResources    = 0
        CompliantCount    = 0
        NonCompliantCount = 0
        Details           = @()
        Recommendations   = @()
    }

    # Compliance check implementation
    # Based on: Design Document
    # Placeholder: no resources are inspected, so the result is always non-compliant
    $result.Details += "Compliance check - implementation required based on control"
    $result.NonCompliantCount = 1

    return $result
}

function Invoke-Remediation {
    Write-Host "`nApplying remediation for: $PolicyName..." -ForegroundColor Cyan
    # Remediation implementation
    # Placeholder: only prints status messages, no configuration is changed
    Write-Host "  Configuration applied" -ForegroundColor Green
    Write-Host "`n[OK] Remediation completed" -ForegroundColor Green
}

function Invoke-Monitoring {
    $result = Test-Compliance

    Write-Host "`n========================================" -ForegroundColor Cyan
    Write-Host "$PolicyName" -ForegroundColor Cyan
    Write-Host "========================================" -ForegroundColor Cyan
    Write-Host "Total: $($result.TotalResources)" -ForegroundColor White
    Write-Host "Compliant: $($result.CompliantCount)" -ForegroundColor Green

    $color = if ($result.NonCompliantCount -gt 0) { "Red" } else { "Green" }
    Write-Host "Non-compliant: $($result.NonCompliantCount)" -ForegroundColor $color

    return $result
}

function Invoke-Revert {
    Write-Host "Revert: Configuration revert not yet implemented" -ForegroundColor Yellow
}

# Entry point: dispatch on the switch that was passed
try {
    Connect-RequiredServices

    if ($Monitoring) {
        Invoke-Monitoring
    }
    elseif ($Remediation) {
        if ($WhatIf) {
            Write-Host "WhatIf: Would apply remediation" -ForegroundColor Yellow
        }
        else {
            Invoke-Remediation
        }
    }
    elseif ($Revert) {
        Invoke-Revert
    }
    else {
        $result = Test-Compliance
        if ($result.IsCompliant) {
            Write-Host "`n[OK] COMPLIANT" -ForegroundColor Green
        }
        else {
            Write-Host "`n[FAIL] NON-COMPLIANT" -ForegroundColor Red
        }
    }
}
catch {
    Write-Error $_
}
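The following is an added example, not part of the Nederlandse Baseline script: one way the quarterly review stage could fill the same result fields that Test-Compliance returns, flagging orphaned apps, inactive apps and license waste. The function name Test-AppLifecycleReview, the inventory property names, the 90-day and 50% thresholds and the sample inventory are assumptions; in practice the inventory would come from your own Azure AD, Intune and license exports.

```powershell
# Added example (not part of application-management.ps1). Property names,
# thresholds and the inventory below are assumptions / constructed sample data.
function Test-AppLifecycleReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Inventory,
        [datetime]$AsOf = (Get-Date),
        [int]$InactiveDays = 90,          # assumed inactivity threshold
        [double]$MinLicenseUse = 0.5      # assumed minimum assigned/purchased ratio
    )
    $result = [PSCustomObject]@{
        PolicyName = 'Application Management Design'; IsCompliant = $false
        TotalResources = $Inventory.Count; CompliantCount = 0; NonCompliantCount = 0
        Details = @(); Recommendations = @()
    }
    foreach ($app in $Inventory) {
        $findings = @()
        # Orphaned app: nobody accountable for review or retirement.
        if (@($app.Owners | Where-Object { $_ }).Count -eq 0) {
            $findings += 'no owner'
            $result.Recommendations += "$($app.Name): assign an owner or start the retirement runbook"
        }
        # Never used, or not used within the review window.
        if (-not $app.LastSignIn -or ($AsOf - $app.LastSignIn).TotalDays -gt $InactiveDays) {
            $findings += "no sign-in within $InactiveDays days"
            $result.Recommendations += "$($app.Name): confirm with the business whether it is still needed"
        }
        # License waste: purchased seats that are not assigned to anyone.
        if ($app.LicensesPurchased -gt 0 -and
            ($app.LicensesAssigned / $app.LicensesPurchased) -lt $MinLicenseUse) {
            $unused = $app.LicensesPurchased - $app.LicensesAssigned
            $findings += "$unused of $($app.LicensesPurchased) licenses unassigned"
            $result.Recommendations += "$($app.Name): reclaim $unused licenses"
        }
        if ($findings.Count -eq 0) { $result.CompliantCount++; continue }
        $result.NonCompliantCount++
        $result.Details += "$($app.Name): $($findings -join '; ')"
    }
    $result.IsCompliant = ($result.NonCompliantCount -eq 0)
    return $result
}

$inventory = @(   # constructed sample data
    [PSCustomObject]@{ Name = 'HR Portal'; Owners = @('owner1@example.com'); LastSignIn = [datetime]'2024-06-25'; LicensesPurchased = 100; LicensesAssigned = 92 }
    [PSCustomObject]@{ Name = 'Legacy CRM'; Owners = @(); LastSignIn = [datetime]'2023-11-02'; LicensesPurchased = 40; LicensesAssigned = 10 }
    [PSCustomObject]@{ Name = 'Diagram Tool'; Owners = @('owner2@example.com'); LastSignIn = $null; LicensesPurchased = 0; LicensesAssigned = 0 }
)
Test-AppLifecycleReview -Inventory $inventory -AsOf ([datetime]'2024-06-30') | Format-List
```

The Details entries name each flagged app with its findings, and the Recommendations entries map those findings onto the review and retirement stages listed earlier.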

Risk without implementation

Medium: Without an app lifecycle there is shadow IT (ungoverned app sprawl), license waste (€100K+ in unused licenses), security gaps (unvetted apps), orphaned apps (no ownership), and an accumulation of excessive permissions. Compliance: governance. The risk is medium (app governance).

Management Summary

Application Management Lifecycle: request workflow (IT approval before deployment), security vetting (permissions review, vendor assessment), deployment automation (Intune/packaging), license management (optimization, reclamation), quarterly reviews (verify usage, remove orphaned apps), retirement process (decommission unused apps). Activation: define lifecycle processes + tooling (ServiceNow/Intune). Free (process). Implementation: 16-48 hours (process design + tool integration). Prevents shadow IT + license waste.