The organization develops a list of software programs not authorized to execute on the information system.