I'm not sure if this is the correct place for this question because it's more procedural than technical. But I'm trying to come up with something and I'm looking for some input.

My question is: What information would you need to know about an application in order for it to be considered "authorized" on your network?

More detail/perspective:

- We have applications on the network, some of which are internally developed; others are procured. Some likely don't show up in vulnerability scans etc. Basically, I'm new to a company that doesn't know what we have or where it is. There is a list of what various stakeholders THINK we have, but it's wildly inaccurate. I'm having all app owners and data owners come to the table and let me know what they have so I can figure out what my risks are so I can mitigate/compensate/accept.
- Future applications: I want to have a checklist of sorts (i.e. these are the things I need to know for an application before you're authorized to buy it).

Any advice on this?