Introduction
The VT Minimum Security Standard defines an "Application" as "software programs, code, or packages" that perform specific functions directly for end users or for other applications. Applications can be "self-contained" or groups of programs and may or may not be network accessible. Any applications developed and maintained "in-house" by VT units must be inventoried in the Isora GRC Apps section.
Your OU's "Apps" inventory should be maintained in Isora GRC according to the VT IT Risk Assessment Standard. The standard outlines the OU's responsibility for inventory maintenance as follows:
| Classification (Risk/Priority) | GRC Inventory Maintenance |
| --- | --- |
| HIGH/CRITICAL: The OU's GRC inventory includes one or more High-Risk or Critical Priority assets. | High-Risk/Critical Priority asset inventory records must be documented immediately upon deployment and kept up-to-date by the asset owner whenever changes are made that impact the accuracy of the GRC asset inventory record(s). |
| MODERATE/ESSENTIAL: The OU's GRC inventory includes one or more Moderate-Risk or Essential-Priority assets and no Critical-Priority assets. | Moderate-Risk/Essential Priority asset inventory records must be documented and updated at least quarterly, as needed. |
| LOW/NON-ESSENTIAL: The OU's GRC inventory includes only Low-Risk and Non-Essential-Priority assets. | Low-Risk/Non-Essential-Priority asset inventory records must be documented and updated at least annually, as needed. |
Instructions
Unlike the hosts inventory, which is entered on "sheets" that are tied to OUs in Isora GRC, Apps are inventoried individually as follows:
- Navigate to Isora GRC and authenticate through the VT Login service.
- Navigate to the Inventory module and choose the Apps tab.
- Click "New App".
- In the New App form, enter the following information about your application into the corresponding fields:
  - Name = Name of the application
  - Description = High-level overview of the application and its purpose for the unit or university
  - Vertical = Type of service provided by the application
  - Vertical Product = LEAVE BLANK; to be used for third-party applications, NOT internally developed applications
  - Classification = Risk classification of the application based on the VT Risk Classification Standard
  - Categories (for high-risk apps ONLY) = High-risk data type(s) being stored/processed by the application:
    - "Health", "Student", "Bank Account", "SSN", "Credit/Debit Card", "PII (Military ID, Passport, Driver's License)", "Research - Export Controlled/CUI", or "Critical to University", or the IT service provided by the resource:
    - "Email", "AAA (authentication, authorization, accounting)", "DNS", "DHCP"
  - Priority = Asset criticality to the organization
    - "Critical" - Loss of the asset for even a short period of time could prevent the organization from achieving its mission and/or could pose a risk to health and safety if compromised.
    - "Essential" - The organization could work around the loss of the asset for several days or perhaps a week, but eventually the technology asset would have to be restored to a useable status.
    - "Non-essential" - The organization can operate without the asset for an extended (though perhaps finite) period, during which some units or individuals may be inconvenienced and/or need to identify alternatives.
  - Owners = List the org code responsible for the application, along with all site or application administrators for the application (separated by commas). Entries must reference valid Isora GRC user accounts or org codes, or be properly formatted email addresses (VT Faculty/Staff emails ONLY; DO NOT enter student information into Isora GRC).
- If the application is deployed to a university-managed host that has been inventoried on any unit's hosts sheet, this relationship should be captured using the Deployment function. Click "New Deployment".
  - Search for the name or IP address of the host that is hosting the application, and then select the application deployment tier of "dev", "test", or "prod". Enter the application URL(s), if applicable.
- Click "Save" to save the new app entry to the unit's inventory.
- Repeat for all internally developed apps relevant to the unit.