State of California California Technology Agency. Software Management Plan Guidelines

Transcription

1 State f Califrnia Califrnia Technlgy Agency Sftware Management Plan Guidelines Revised April 2011

2 Sectin Overview INTRODUCTION TO SOFTWARE MANAGEMENT PLANNING The State Administrative Manual (SAM) Sectin describes the state s plicy regarding sftware management. Specifically, Sectin 4846 states as fllws: Each agency shall establish and maintain apprpriate cmputer sftware management practices and ensure that cmputer sftware they use and/r have purchased with state funds is legally prcured and is used in cmpliance with licenses, cntract terms, and applicable cpyright laws. Each agency shall develp and implement plicies and prcedures t ensure that all staff understand and adhere t prper sftware management plicies. Sftware piracy refers t the installatin r use f unlicensed r unauthrized cpies f sftware. This can ccur thrugh using ne licensed cpy t install a prgram n multiple cmputers r taking advantage f sftware upgrade ffers withut having a legal cpy f the versin t be upgraded. Piracy includes having the number f simultaneus users n the netwrk exceeding the number f available client licenses fr a netwrked prgram, unauthrized dwnlading f sftware frm the Internet, r illegally duplicating and using cpyrighted materials such as cunterfeit cpies f CD's, diskettes and related manuals and materials. The Califrnia Technlgy Agency (Technlgy Agency) permits the use f Open Surce Sftware (OSS). Cnsistent with ther sftware, use f OSS is subject t the sftware management licensing and security practices included in e SAM, Sectins 4846, , 5310 Item 2 and Item 5, Subsectin (f), and Rles and Respnsibilities Califrnia Technlgy Agency: The Technlgy Agency is the principal gvernment department respnsible fr imprving executive agency practices regarding the acquisitin and use f cmputer sftware, mnitring and eliminating the use f unauthrized cmputer sftware. The Technlgy Agency will utilize apprpriate versight mechanisms t mnitr and audit expenditures by state agencies t fster state agency cmpliance with the plicies set frth in SAM Sectin 4846 and with established plicies and guidelines. Department f General Services: The Department f General Services will develp apprpriate language fr inclusin in State cntracts t require cmpliance with sftware licenses and applicable cpyright laws when State funds are used t acquire, perate, r maintain cmputer sftware. Califrnia Technlgy Agency 2 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

3 State Agencies: State agencies shall develp, implement, and maintain specific plans, prcedures, and prcesses t ensure cmpliance with the established requirements. State cntractrs and recipients f state grants and state lan guarantee assistance shall have apprpriate systems and cntrls in place t ensure state funds are nt used t acquire, perate, r maintain cmputer sftware in vilatin f applicable cpyright laws. Each state agency shall designate an apprpriate psitin r unit t be respnsible fr ensuring cmpliance. Each state agency s cmpliance prgram shall be dcumented with sufficient specificity t meet the audit requirements by its internal auditrs and Infrmatin Security Officer. 1.2 Intrductin t the Guidelines These guidelines have been issued t assist state agencies in develping r cntinually administering a sftware management prgram t prevent sftware piracy and prmte gd sftware management practices. The guidelines are als intended t assist agencies in preparing a Sftware Management Plan (SMP) as required by SAM Sectin The absence f an effective SMP expses an rganizatin t a variety f tangible and intangible risks including: damage t the rganizatin's reputatin fines frm civil damages fr cpyright infringement denial f prduct supprt r warranty service the pssibility f civil and criminal charges against the directrs and managers f an rganizatin fund in vilatin f cpyright The benefits f an effective sftware management prgram are many. These include: the ability t determine actual sftware csts the ability t btain technical supprt fr installed sftware prducts access t infrmatin relating t upgrade issues the ability t plan future expenditures mre accurately the knwledge that licensing f installed sftware is accurately dcumented by the current sftware inventry and listed n the agency's supprted sftware list. 1.3 Practices That Supprt Gd Sftware Management T manage sftware prperly, the fllwing practices shuld be fllwed: Have and maintain a cmprehensive inventry f all installed sftware including micrcmputers, mid-range, and mainframe envirnments and maintain cmplete and accurate recrds f all licenses, certificatins and sftware purchase transactins, string these in a secure repsitry. Peridically review installed sftware and accmpanying licenses t ensure nly legal and supprted sftware are in use and t ensure nging cmpliance with the Sftware Management Plicy. Califrnia Technlgy Agency 3 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

4 Be familiar with the U.S. Cpyright Act fund in Title 17 f the U.S. cde in rder t understand the cnsequences f infringement f cpyright laws including the penalties and liabilities fr damages. Be familiar with the licensing agreements fr each individual sftware vendr in rder t understand the limitatins, such as transferring f licenses, expiratin f licenses, when supprt ends fr licenses, when upgrades will be needed, requirements fr patches, whether r nt sftware can be installed n hme cmputers, hw t terminate a license, etc. Have and maintain a sftware management prgram and train management and staff n the plicies and prcedures assciated with that prgram t ensure the use f best practices in sftware management and cmpliance with the plicy. Have and maintain a list f supprted sftware t guide what new sftware will be apprved fr purchase and what current sftware shuld be retained n the desktps, servers and ther prcessing devices. Remve all unlicensed sftware and sftware nt n the supprted sftware list, sftware n lnger in use frm individual cmputers, and nn-authrized sftware t make sure all sftware is legal and supprted and t free the hard drive space f unused sftware. Purchase sftware nly in the name f the state agency; nt in individuals' names. T the extent that the use f freeware and OSS is allwed by plicy within the department, make sure that such usage is apprved n a case by case basis and that apprpriate cntrls and prcesses are in place t ensure that sftware is used in accrdance with any cnditins r agreements prescribed by the manufacturer. T the extent that sftware purchased by end users is allwed by plicy t be installed n a department s cmputers, make sure that such usage is apprved n a case by case basis, that apprpriate cntrls and prcesses are in place t ensure that prper licensing is secured, and that the sftware is used in accrdance with the licensing agreements. D nt allw state licensed sftware t be installed n nn-state equipment except as specified in a service cntract r ther legal dcument that requires the parties t adhere t the agency's Sftware Management Plicy. Transfer and dispse f sftware accrding t license agreements t ensure prper dispsitin. Wipe r scrub hard drives f all sftware when cmputer devices are recycled r salvaged as necessary t cmply with the terms f the licensing agreement and t prtect any cnfidential r sensitive data. Require that sftware be acquired thrugh a frmal acquisitin prcess t ensure prper apprvals are btained, and that prper stck receipt, registratin and inventry recrds are created and maintained. Califrnia Technlgy Agency 4 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

5 2.0 Overview Sectin 2 STEPS FOR PREPARATION OF SOFTWARE MANAGEMENT PLANS The Sftware Management Plicy requires the identificatin f the sftware management rles and respnsibilities within the rganizatin and the submittal f a supprted sftware list by each department. Mst agencies have designated sftware management rles and respnsibilities t staff within their rganizatin. The same persn may perfrm multiple rles; hwever, ne individual needs t be designated as ultimately respnsible fr each specific sftware management task. In additin, agencies shuld have and maintain a list f apprved and supprted sftware. The bjective f the fllwing guidelines is t assist state agencies in develping their Sftware Management Plans. T prepare fr develping the plan, state agencies shuld: 2.1 Have A Sftware Management Team As resurces allw, have a Sftware Management Team that will be respnsible fr develping and implementing the sftware management prgram as well as preparing the SMP. The team shuld cnsist f: A Sftware Assets Manager r ther jb title whse rles and respnsibilities are: Understanding general licensing prcedures and specific requirements f sftware, including pen surce, used within the rganizatin and knwing the particular limitatins f the agreements. Maintaining a list f apprved sftware fr use in the acquisitin prcess and the prcess f identifying unlicensed and unsupprted sftware. Maintaining a baseline inventry f all sftware residing within the agency t serve as the fundatin fr the sftware management prgram. Perfrming nging inventries fr asset management and cmpliance purpses. Selecting and securing an autmated tl t be used in cnducting the baseline and nging inventries, shuld the state agency decide t acquire/use such a tl. Making sure that all sftware is registered, and that the recrds f licenses and renewals are prperly maintained. Ensuring all unlicensed sftware is remved frm cmputers, servers and ther prcessing devices. Ensuring there is a secure repsitry fr all sftware licenses and sftware media t prevent lss, misuse and theft. Ensuring that prper checkut prcedures are develped and fllwed fr lading sftware nt the agency's cmputers. Califrnia Technlgy Agency 5 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

6 Maintaining a sftware lg t recrd when sftware is checked ut f the repsitry, wh checked ut the sftware, why the sftware was required, and when the sftware is returned t the repsitry. Ensuring that prper educatin n sftware management practices is available within the rganizatin and that training thrugh new emplyee rientatins, etc., is administered t all levels f staff including users, acquisitin supprt, technical, management and executives. Staff need t be aware f cpyrights prtecting cmputer sftware and the plicies and prcedures adpted by the agency t hnr thse cpyrights. Ensuring the required Sftware Management Plan and certificatins are develped and maintained accrding t the schedule utlined in the State Infrmatin Management Manual Sectin 05A. Mnitring the use f sftware n state wned desktps and mbile cmputers, which includes thse used in the hme envirnment t accmplish state wrk. Ensuring crrective actin is taken in terms f crrecting any license agreement breaches and ensuring the plicy and prcedural flws that led t failures f cmpliance are mdified t prevent further prblems. An Acquisitin Manager r ther jb title whse rles and respnsibilities are: Understanding general licensing prcedures and specific requirements f sftware used within the rganizatin including the limitatins f the agreements. Ensuring that prper sftware prcurement practices are in place and fllwed. Ensuring prper educatin f acquisitin staff in sftware prcurement practices. Ensuring language is included in state cntracts requiring vendrs t certify that they have apprpriate systems and cntrls in place t ensure that state funds are nt used t acquire, perate r maintain cmputer sftware in a manner that des nt cmply with applicable cpyrights. A Desktp and Mbile Cmputing Crdinatr whse rles and respnsibilities are: Reviewing sftware acquisitin requests that are being purchased thrugh the Desktp and Mbile Cmputing Plicy t ensure purchases are in cncert with the agency's supprted sftware standards. Reviewing exceptin requests fr purchases f sftware nt n the agency's supprted list and making recmmendatins t the Sftware Manager as t the apprpriateness f these purchases and the additin f the sftware items t the supprted sftware list. A Sftware Administratr r ther jb title, fr mainframe and mid-range cmputing systems, whse rles and respnsibilities are t manage sftware assets: NOTE: This is als desirable in netwrk installatins and desktp and mbile cmputing. Ensuring prper licensing n installed hardware is in accrdance with cntractual requirements. Califrnia Technlgy Agency 6 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

7 Negtiating the terms and cnditins f sftware usage with apprpriate vendrs, departmental prcurement staff, and/r the Department f General Services. Managing the physical inventry f sftware rders and maintaining a sftware inventry database f departmental sftware assets. Mnitring all installed and distributed cpies t ensure sftware cpyright prtectin. Acquiring new sftware, upgrades and fixes as necessary. Keeping abreast f all new and existing licensing requirements. Internal Auditrs whse rles and respnsibilities are: Perfrming internal audits as necessary t evaluate the existence and effectiveness f the SMP. Taking steps t verify that recmmended crrective actins are taken and ensuring that the apprpriate management is ntified when vilatins ccur. 2.2 Have And Maintain A Methdlgy T Cnduct A Full Sftware Inventry Each state agency must regularly cnduct a full sftware inventry applying the practices utlined abve. State agencies are advised t research alternatives fr cnducting a full inventry f all sftware residing n the agency's infrmatin technlgy systems. Alternatives can include acquiring an autmated tl, preparing an inventry thrugh manual prcedures, r cntracting fr an inventry service. Autmated tls are available that can inventry cmputer sftware thrugh a variety f techniques. In selecting an autmated tl, cnsider: Ease f use, requiring minimal training fr IT staff Accuracy Flexibility Cmpleteness Extensibility, enabling the tl t be used n multiple platfrms A manual inventry can be cnducted by individually accessing each cmputer and listing the sftware n each machine. Cntract services are available fr cnducting a sftware inventry as well as prviding additinal services such as training, auditing, and develping sftware management plans. 2.3 Have And Maintain A List Of Supprted Sftware T standardize n the purchase and usage f sftware fr desktps and netwrks, have and maintain a list f supprted sftware. The list will facilitate prcurement as well as assist when auditing fr sftware management cmpliance. Fr a supprted sftware list: Califrnia Technlgy Agency 7 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

8 Identify with specificity the sftware supprted within the rganizatin. The list shuld cntain the fllwing infrmatin: Class f sftware (perating system, wrd prcessr, spreadsheet, database, , utilities, graphics, netwrk) Name and versin f sftware (Office 2007, Adbe Acrbat 9, Windws XP Service Pack 3, McAfee, etc.). Sub-class f sftware (OS390, Windws, Wrd, Excel, Access, ADABAS, IDMS, DB2, Grupwise, Outlk, WinZip, Nrtn, Crel Draw, Nvell, Unix) Type f license (enterprise r standalne), Apprpriate user base (clerical supprt, technical, management, executive) 2.4 Have And Maintain A Sftware Prcurement Prcess It is essential that the purchasing f sftware be a standard prcedure cnsistent with the acquisitin f ther critical department assets. All sftware purchases shuld prceed thrugh the state agency's nrmal purchasing prcess, requiring requisitins and management apprval. Cmpnents f a sftware prcurement prgram and prcess that will prmte prper sftware acquisitin may include: Educating and training prcurement staff n sftware licensing and cpyright laws. Centralizing all sftware purchases t prmte adherence t standardized sftware prcurement prcesses. Establishing a signature prcess t ensure respnsible parties are aware f and apprve each sftware acquisitin. Requiring that all sftware purchases be accmpanied by prper licenses and receipts, evidencing legal acquisitin and use. Requiring that all sftware purchases be made thrugh reputable, authrized resellers t prevent purchasing cunterfeit prgrams. Obtaining licenses and receipts fr each purchase. Ensuring that purchased sftware is registered with the manufacturer, if required. Ensuring sftware cannt be dwnladed and purchased frm the Internet withut apprval. Ensuring that purchased sftware is listed n a cmprehensive sftware lg. 2.5 Have And Maintain Recrd Keeping Standards Maintaining cmplete and accurate recrds is essential fr a gd sftware management prgram. T ensure that a sftware cmpliance prgram is ultimately successful, have and maintain gd recrd keeping standards t assist internal auditrs and ther audit fficers in cnducting a cmprehensive examinatin f sftware cmpliance. Califrnia Technlgy Agency 8 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

9 Prper recrd keeping shuld include: Maintaining sftware purchase recrds (purchase rder, invices, receipts, cpies f cancelled checks, if apprpriate). Maintaining a repsitry f sftware media, dcumentatin, prduct licenses, license agreements, manuals, and registratin cards. Stre sftware media, licenses and registratin cards in a secure area t prevent theft, lss r misuse. Maintaining a sftware lg including prduct and versin, publisher, sftware serial number purchase date, user name, user lcatin, hardware serial number and cmments. Maintaining recrds f staff wh have attended training in sftware management practices r have been intrduced t sftware cpyright requirements and apprpriate sftware usage thrugh ther educatinal pprtunities such as emplyee rientatin. Califrnia Technlgy Agency 9 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

10 Sectin 3 SOFTWARE MANAGEMENT PLAN 3.0 Overview Sftware management is an imprtant cmpnent f a State agency's verall resurce and cmpliance management prcess. The Sftware Management Plan (SMP) enables agencies t lay ut the framewrk fr a sftware management prgram t ensure that all State agencies meet the requirements f the Califrnia Sftware Management Plicy as stated in SAM Sectins These guidelines have been prepared t assist state agencies in develping the required SMP. T the extent that agencies have existing dcuments that have been develped thrugh the administratin f the Desktp and Mbile Cmputing Plicy r ther internal department effrts and that these dcuments will meet the requirements f the SMP, they can be submitted in lieu f creating new dcumentatin. The SMP shuld include the fllwing infrmatin t indicate hw the state agency plans t address the required sftware management prgram activities t cme in full cmpliance with the state IT plicy r hw the state agency is already accmplishing these activities and will cntinue with the administratin f a sftware management prgram. 3.1 Baseline Inventry Methdlgy It is essential that a baseline inventry be cnducted in rder t knw what sftware exists within an agency s that it can be prperly managed. An inventry cnsists f determining all sftware physically residing n an agency's cmputers and inventrying all riginal licenses fr the sftware. The SMP must address: Wh is invlved in cnducting the inventry (rganizatin/classificatin); What inventry methdlgy is used (e.g. autmated tls, manual prcesses, cntract services); Hw the inventry prcess is rganized; What infrmatin is gathered; Hw the infrmatin is reprted (e.g. frm, summary reprt); Wh receives the inventry infrmatin (sftware management team members, CIO, agency directr); and The baseline inventry cmpletin date. Califrnia Technlgy Agency 10 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

11 3.2 Unlicensed/Unauthrized Sftware Identificatin Methdlgy The identificatin f unlicensed and unauthrized sftware is accmplished by: 1) cmparing the results f the physical inventry with the license agreements, and 2) cmparing the results f the physical inventry t the list f sftware authrized by the rganizatin. The SMP must address: Wh is invlved in the identificatin f the unlicensed and unauthrized sftware (rganizatin/classificatin); Hw cmparisns are perfrmed t identify legal versus unlicensed and unauthrized sftware; Hw unlicensed and/r unauthrized sftware is reprted; Wh receives the reprts f unlicensed and unauthrized sftware; and Hw unlicensed and unauthrized sftware is remved frm cmputers. 3.3 Secure Repsitry A secure and prtected repsitry prevents lss, theft and unauthrized use f sftware, licenses and dcumentatin. T the extent pssible, repsitries shuld be kept in a centralized strage area within each facility. The SMP must address: What physical repsitries are used (e.g. file cabinet, lcked rm) and their lcatins (e.g. centralized, decentralized); Wh has access t the repsitries (rganizatin/classificatin); and What check ut prcedures are used t remve and return sftware and dcumentatin t the repsitries. 3.4 Onging Inventry And Cntrl Methdlgy Once the sftware base is examined in the initial "baseline" inventry, nging cntrl prcesses and prcedures must be in place t ensure that the inventry recrds are updated and remain cmplete and accurate. New sftware acquisitins must be added t the inventry and remved sftware must be deleted. In additin, peridic inventries shuld be cnducted t verify sftware recrds and mnitr nging cmpliance with the Sftware Management Plicy. Fr these subsequent inventries, it may nt be practical t include all cmputers. A sample f cmputers may be inspected. The SMP must address: Wh is respnsible fr develping, implementing and maintaining the nging inventry cntrl prcesses and prcedures; What nging inventry cntrl prcesses and prcedures are used t address receipt and installatin f sftware, remval, and dispsal f sftware and change cntrl; Califrnia Technlgy Agency 11 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

12 Wh is respnsible fr ensuring the inventry cntrl prcesses and prcedures are cntinuusly fllwed; Wh cnducts the nging inventries (rganizatin/classificatin); What prcesses/prcedures are in place t ensure the nging inventries ccur and wh is respnsible fr them; What methdlgy is used t sample the inventry (e.g. by sub-unit, by gegraphical lcatin); Hw is the sample size determined; and Hw ften will sample inventries ccur (e.g. mnthly, quarterly, every six mnths). 3.5 Internal Audits Effective sftware management is a cntinual prcess and includes audits. The bjective f the nging audits is t determine the nging cmpliance with sftware license agreements. These peridic spt checks will identify if unlicensed sftware has been deliberately r inadvertently installed n an agency's cmputers. The audit prgram shuld als examine the agency's sftware prcurement and recrd maintenance prcesses as well as the means by which staff are infrmed f apprpriate sftware usage. The SMP must identify: Wh perfrms these audits (rganizatin/classificatin); Wh is ntified f the results f the audit; and Hw results are cmmunicated (e.g. frms, reprts, presentatins). 3.6 Crrective Actins Crrective actin must be taken when unauthrized use f sftware is identified. Crrective actin is needed 1) when there is a breach f cpyright law r the terms f a sftware license, r 2) when inventry reveals unlicensed cpies f sftware. If either situatin is identified, the sftware prgrams must be deleted immediately. If nging use f the sftware is needed, immediate actin shuld be taken t crrect the licensing breach with the manufacturer. The SMP must address: Wh is respnsible fr crrective actins (rganizatin/classificatin); Hw crrective actins are accmplished; Wh is ntified f the crrectins; and Hw infractins are kept frm reccurring (e.g. educatin, changes in prcess, mre mnitring, up-dating the list f supprted sftware, re-evaluating the need fr additinal sftware licenses). Califrnia Technlgy Agency 12 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

13 3.7 Cntractrs' Certificatin The Sftware Management Plicy requires that state cntractrs certify they have apprpriate systems and cntrls in place t ensure that state funds will nt be used in the perfrmance f a cntract fr the acquisitin, peratin r maintenance f cmputer sftware in vilatin f cpyright laws. These requirements are t be incrprated as standard language in cntracts awarded by the state. The SMP must address: Wh ensures that certificatin has ccurred (rganizatin/classificatin); Hw the respnsible individual receives certificatin f cmpliance (e.g. written statement frm cntractr, written clause in a cntract); What cntrls are in place t ensure apprpriate measures are being taken t ensure cmpliance; and What measures are taken if cntractrs d nt cmply. 3.8 Dispsal Of Hardware And Sftware All hardware and sftware that is n lnger t be used in state service shall be dispsed f in an apprpriate manner. Sftware shuld be destryed t ensure that it cannt be re-used. Hardware can be recycled, except fr thse cmpnents which must have a license. Hard drives shuld be wiped r scrubbed t remve sftware as necessary t cmply with terms f the sftware licenses. The SMP must address: Wh is respnsible fr dispsal f sftware and hardware cmpnents (rganizatin/classificatin); and The prcedures in place t ensure sftware and hardware are dispsed f prperly. 4.0 Rles And Respnsibilities Fr The Administratin Of The Sftware Management Prgram Rles and respnsibilities fr the administratin f the sftware management prgram and the develpment f the SMP need t be defined within each state agency. The SMP must identify: What are the rles and respnsibilities f the department's executive staff? What are the rles and respnsibilities f department management? What are the rles and respnsibilities f user's f cmputer resurces? What are the rles and respnsibilities f the Sftware Management Team? Califrnia Technlgy Agency 13 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

14 5.0 Actin Plan The SMP must include an actin plan which lists thse activities that are in alignment with SAM Sectin If the department is currently cmpliant thrugh administratin f the Desktp and Mbile Cmputing Plicy r ther internal effrts, it can demnstrate that cmpliance thrugh the submissin f current sftware management dcumentatin. If nt currently in full cmpliance, the department must include an actin plan fr achieving cmpliance as part f the Sftware Management Plan. Include in the actin plan thse steps needed t: Obtain and maintain a current full sftware inventry; Detect any unlicensed and unauthrized sftware; Prvide the secure repsitry fr all sftware media and licenses; Maintain a prcess fr nging inventry cntrl; Establish and maintain a sftware management audit prgram and institute that prgram as an nging effrt; Establish and maintain the respnsibility and prcesses fr taking crrective actins when sftware breaches are identified; Maintain a means t ensure the cntractr certifies t apprpriate sftware usage; and Maintain a cnsistent and structured prcess fr dispsal f sftware and hardware. The actin plan shuld als identify thse steps fr the preparatin f the fllw-up sftware management reprt t be submitted t the Technlgy Agency. 6.0 Timeline The SMP must include a timeline that identifies when thse tasks listed in the actin plan discussed abve will be cmpleted. If the department can demnstrate cmpliance with the Executive SAM Sectins thrugh current dcumentatin, it will nt be required t prvide a timeline in the SMP. 7.0 Authrized Sftware List A current list f authrized sftware will assist in guiding what sftware is apprpriate and legal fr each rganizatin. The list shuld shw all classes and subclasses f sftware necessary t meet the agencies business needs and, within each class and subclass, which prducts and prduct versins will be supprted and the categry f emplyees using the prduct. The SMP must include a cpy f the agency's mst current authrized sftware list. 8.0 Sftware Management Educatin It is essential t have an educatin effrt s that all staff can receive training in the legal use f sftware and gd sftware management practices. Emplyee educatin shuld Califrnia Technlgy Agency 14 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

15 include the individual agency's plicies and prcedures relating t sftware management as well as statewide plicies. Training shuld be custmized t meet the specific audience needs (users, prcurement staff, management, technical staff, and executives). Sftware management educatin can be incrprated int nrmal emplyee rientatin and ther training pprtunities. The SMP must address hw the state agency will ensure that staff is made aware f sftware cpyright laws and gd sftware management practices. 9.0 Newly Established Agencies and Departments Newly established agencies and/r departments are required t submit an SMP in cnjunctin with their Desktp and Mbile Cmputing Plicy. Newly established state agencies and/r departments will submit t the Technlgy Agency a Sftware Management Reprt prpsing the plan the agency will implement in rder t cmply with the Sftware Management Plicy. The reprt shall include: 1. Prcedures n hw the agency and/r department will: a. Cnduct a 100 percent inventry f the agency s sftware t create a baseline and hw that baseline was cnducted; b. Detect and remve illegal and unlicensed sftware; c. Prvide fr a secure repsitry f sftware media, and licenses; d. Prvide nging inventry tracking and mnitring f new purchases and installatins; e. Perfrm peridic internal audits and ensure apprpriate crrective actins are taken when necessary; f. Receive certificatin frm its cntractrs and bidders that they have apprpriate systems and cntrls in place t ensure that state funds are nt used t acquire, perate, r maintain cmputer sftware in a manner that des nt cmply with applicable cpyrights; g. Ensure prper dispsal f hardware and sftware cnsistent with license requirements. 2. A statement f the rles and respnsibilities within the agency fr the administratin f the sftware management prgram and enfrcement f plicy; 3. An actin plan detailing the steps t full implementatin f the sftware management plicy; 4. A timeline fr full implementatin f the sftware management plicy; 5. A list f the agency s currently supprted sftware; 6. A plan fr emplyee rientatin and educatin Certificatin and Cmpliance Annually, each agency and/r department will submit t the CIO a certificatin reprt declaring they are in cmpliance with SAM Sectins Califrnia Technlgy Agency 15 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011

16 State agencies shall retain within their rganizatin, fr three years, the annual certificatin in the frm f a Statement f Cmpliance (see SIMM Sectin 80) alng with the summary f updated inventries and audits cnducted by the agency as part f their nging sftware management practices. The certificatin, t be submitted t the agency CIO, must include the name f the agency representative respnsible fr ensuring agency cmpliance with the Sftware Management Plicy. In supprt f this certificate, each agency must maintain a detailed inventry reprt that must be made available t the Technlgy Agency and/r the Department f General Services upn request, per SAM Sectin Califrnia Technlgy Agency 16 Sftware Management Plan Guidelines SIMM Sectin 120 April 2011