Software compliance policy

Transcription

1 Software compliance policy Name of policy, procedure or regulation Software compliance policy Purpose of policy, procedure or regulation To provide a coordinated approach to software asset management Who formally approved this policy, procedure or regulation? ITRSG Who has responsibility for its update? Information Services in consultation with Faculties and Services To whom does this policy, procedure or regulation apply? All University staff and students Dec a) Date of approval b) Proposed date of review Introduction Staffordshire University recognises the importance of the legal and ethical use of software assets. This document provides guidelines for employees to follow to ensure that we are both legal and ethical in the use of our software assets. All software installed on University owned machines is for business use only in the context of academic delivery or commercial activity and should not be used by employees for personal interests The software asset management system provides a control mechanism by monitoring all software used across the University by staff or students using our networked equipment. The policy facilitates: Purpose The legal and ethical use of software assets installed on any University device and accessing the University network The co-ordination of the use of software within Staffordshire University 1

2 The management of all university-owned software in use by University staff/students Rationalisation of the software licenses in use to gain best value Why we need the Policy It is the policy of Staffordshire University to respect all computer software copyright and adhere to the Terms and Conditions of any license to which Staffordshire University is a party. Staffordshire University does not condone the use of unlicensed software. Staffordshire University depends on its computer systems and supporting software to provide a high quality and efficient service to all of its customers. Individual employees have a responsibility to protect these systems and ensure that their activities do not breach legal or regulatory compliance requirements. The Policy is designed to achieve this by clearly defining and clarifying the responsibilities of all employees, or other designated company representatives. The Policy will facilitate the mitigation of potentially significant risk exposures by Staffordshire University including but not limited to: The risk to Staffordshire University of commercial/legal disputes if licensing terms are not properly observed Damage to corporate reputation Unexpected financial impact Breaches of security Operational interruptions Unsupportable operations How we apply and control the policy The use of software across Staffordshire University will be monitored on a regular basis and information provided to the Asset Champions. Any breach, or suspected breach, of the policy will be fully investigated. Where it is considered that an employee has deliberately or negligently failed to follow the requirements of the policy, disciplinary action will be taken by an appropriate senior manager. Any employee deliberately using unlicensed software or software not approved by the University will be subject to disciplinary procedures and/or civil or even criminal proceedings. 2

3 Policy on use of software General Policies Staffordshire University has purchased fully licensed copies of computer software from a variety of publishers and vendors. Licensed and registered copies of software programs are placed on computers within the university and appropriate backup copies made in accordance with the licensing agreements and company policies. No other copies of this software or its documentation can be made without the express written consent of the software publisher and/or Staffordshire University. Software from Other Sources Staffordshire University will provide copies of legally acquired software to meet all legitimate needs in a timely fashion and in sufficient quantities for all of our computers. The use of software obtained from any other source could present security and legal threats to the company, and such use is strictly prohibited. Additional Copies In some cases, the license agreement for a particular software program may permit an additional copy to be placed on a portable computer or home computer provided only one user uses both installations. Free student licenses are also provided by some vendors as part of the agreement. Unauthorised Copies The unauthorised duplication of copyrighted software or documentation is a violation of the law and is contrary to established standards of conduct for Staffordshire University employees. Internal Controls Staffordshire University reserves the right to protect its reputation and its investment in computer software by enforcing strong internal controls to prevent the making or use of unauthorised copies of software. These controls will include periodic assessments of software use, announced and unannounced audits of institutional computers to assure compliance, controlled installation rights, the removal of any software installed with or without permission found on Staffordshire University property for which a valid license or proof of license cannot be determined, and disciplinary actions, in the event of violation of this policy. 3

4 Staffordshire University Employee Responsibilities The use of software provided for business purposes by the company, requires that a Staffordshire University employee or other designated company representative will: Agree to abide by the Policy Assume responsibility for use of the software in line with normal business purposes and Information Security policies in force. Staffordshire University Senior Management Responsibilities Senior managers will support the asset champions to enforce this policy ensuring that appropriate time and resource is provided to the champion. How to ensure compliance with the policy In order to help employees meet the responsibilities stated the following must be observed: All Staffordshire University software purchases must be agreed with the department s asset management champion and sourced through approved suppliers (wherever possible) to ensure that cost effective, efficient and stable systems and services are maintained to corporate standards (see software procurement policy) Software provided by Staffordshire University must only be used for business purposes Only approved and authorised software will be supported by Staffordshire University. Where any exceptions are requested, the request for administrative rights Proforma must be completed and sent to IS Admin for inclusion and discussion at the next IT Resources Steering Group meeting Software legally owned by employees for their own personal use, is not permitted to be installed on University owned machines. All software must be appropriately sourced from a University supplier Software can only be installed by authorised employees. Employees will not be given administration rights to load software. All software requirements above the standard image should be discussed with the faculty/service champion Software that is required for specific or specialised short-term activities will also need the prior permission of the department s asset management champion All purchases are subject to the Purchasing regulations managed by Finance 4

5 Definitions Employee For the purpose of the Policy, the term employee is used generically to include all employees, contractors, consultants, 3 rd party suppliers and service providers to Staffordshire University. Authorised Authorised means any employee or designated representative whose role requires that they may install or de-install software. Purchased or Licensed Software For the purposes of the Policy software should be interpreted to mean, any program or code that runs on a Staffordshire University computing device. The definitions should be interpreted to include plug-ins such as Adobe Acrobat Reader and Macromedia Flash Player. The definition should not be interpreted to include data files. If you are in doubt about the definition of software, clarification may be obtained from the Client Technology and Applications Manager, Information Services The Law COPYRIGHT, DESIGNS and PATENTS ACT 1988 and the Digital Economy Act 2010 This is the primary legislation governing intellectual property. It extends legal protection to software in the form of both civil and criminal penalties for the abuse of intellectual property rights. The legislation is applicable to both corporates and individuals. It should be noted that the duplication of software for commercial gain is a criminal offence under the Act and that the penalties for such an offence may include substantial fines and/or imprisonment. Authorisation to Install Installation of Software The installation of software will occur via authorised personnel within Staffordshire University or designated service provider. These parties have system administrator access to computer systems that will enable them to carry out the installation. The asset management champion is able to view all software license information and will investigate any areas of non compliance 5

6 De-installation, upgrade or decommissioning of software As with the installation of software the de-installation, upgrade or decommission of software by end users is not permitted. Accordingly, only authorised persons as outlined above may carry out the transfer of software from one computer to another. Users who require the de-installation, upgrade or decommission of software should action this via department s asset management champion. The asset management champion should liaise with Information Services Client Technology and Applications team for advice and guidance. Disposal of software The Asset management champion is responsible for ensuring that software media and activation keys are disposed of correctly. These should be defaced to ensure they cannot be re-used. Software asset management systems Staffordshire University uses a software asset management system (Snow) to manage its software and related licenses. All asset management champions have access to this system and are required to input license information for any software purchased which is not included in the University standard image. Asset champions will receive monthly reports of any non-compliant software held by individuals within their department for further investigation and appropriate action. Software procurement procedure Staffordshire University uses a standard procedure for software procurement. See separate procedure document 6

7 Employee Self Assessment Guideline for the Staffordshire University Software Compliance Policy All staff: Read and study the Staffordshire University Software Compliance Policy Read the guideline below to confirm to yourself that you are confident that you understand and appreciate the need to follow the company s policy on the use of software. I have read a copy of the Staffordshire University policy on the use of software and I understand and am fully aware that: The Company has legal and copyright obligations. Any software licenses provided by Staffordshire University for use by an employee remain the property of the Company. Only authorised employees may install/de-install software Employees logging on to University-owned devices are agreeing to the IT regulations of the University It is a legal requirement that employees are prohibited from personally purchasing software (media or internet downloads) for installation on any equipment owned by Staffordshire University. The use of software across Staffordshire University will be monitored on a continual and regular basis. Any breach, or suspected breach, of the policy will be fully investigated and where it is considered that an employee or other designated company representative (contractor or external consultant), has deliberately or negligently failed to follow the requirements of the policy, disciplinary action may be taken. Employees must make all reasonable efforts to protect all software and associated information (e.g. manuals, media) provided by Staffordshire University from theft, damage or corruption. Employees must not add, modify, change or upgrade any of the software provided by Staffordshire University for their use without the prior permission of the department asset management champion. Employees must not copy or duplicate any software provided by the company or allow any such software to be copied by anyone else. Employees leaving the employment of Staffordshire University must return and obtain a receipt prior to their departure, for all computer materials - including software and associated information provided by the company. 7