WHITE PAPER: Software Compliance. Understanding and Managing Software Compliance Issues




Lori Henry Thompson, Sales Operations Manager, CompuCom Systems, Inc.
August 2007

Executive Summary

The mere word "compliance" sends shivers down the spines of IT managers, not because they think their organizations have anything to hide, but because they know it is what they do not know, and the process of responding to a software audit, that can temporarily cripple their operation. The failure to recognize the importance of software management can result in financial, security and liability exposures. Software piracy affects thousands of businesses nationwide, costing millions of dollars in tax revenues and lost jobs. It can result in fines of up to $150,000 for each software title copied and increases the risk of security and technical complications. Most businesses are ethical, but many do not understand that good corporate governance means a good system of checks and balances throughout the organization to ensure ethical and legal operations.

Introduction

In cases of alleged software piracy, a software publisher can initiate a software audit. In most cases this begins with a request for an inventory of, and proof of purchase for, software licenses. The audit can also be instigated by a watchdog group such as the Business Software Alliance. Regardless of how the process is initiated, a software audit is rarely anticipated and typically siphons valuable resources away from business-critical or planned projects. Beyond the resource strain, software audits can also require additional expenditures to correct license deficiencies, as well as to deploy additional asset management services to prevent future compliance violations.

Could your organization withstand an impromptu software compliance audit at the present moment? Now might be a good time to find out, by answering the questions in the Microsoft License Management Program Risk Assessment survey below. If you answer more than six questions negatively, your organization is at high risk.

Software Compliance Risk Assessment Questionnaire (answer each question YES or NO)

1. Does your organization have a clearly written Software Asset Management policy approved and sponsored by senior management?
2. Is the SAM policy clearly communicated to all of your employees?
3. Are your employees held accountable for the software installed on their computers?
4. Does your organization have a standard procedure for acquiring and distributing software?
5. Does your organization have a standard procedure for maintaining and securing software licenses?
6. Is the ownership and maintenance of your organization's SAM initiative clearly defined?
7. Does your organization maintain accurate hardware records of its information technology assets?
8. Does your organization maintain accurate records of its installed software?
9. Does your organization maintain a physical inventory of licenses for all software purchases?
10. Has there been a reconciliation of the installed software to actual licenses owned within the past six months?

Total Yes and No responses checked: ____
Source: Microsoft License Management Program 1999

CompuCom's Perspective

In the game of software compliance, it pays to play by the rules, and the rules keep changing. Organizations experiencing rapid growth may have acquired hardware and software assets through multiple mergers and find that they're grappling with decentralized software procurement processes. The rapid-fire release of new software versions, coupled with the constant churn of employee turnover and new technologies, adds still another layer of complexity to software compliance management. In such a chaotic environment, who has time to worry about software licenses? In the grand scheme of things, compliance is really no big deal, right? Wrong. Let's take a look at the rules of the game.

The rules provided herein are the opinions of the author and should be considered as guidelines only.

The liability and risk involved with using pirated software now reach far beyond copyright infringement and per-violation penalties. Pirated software can now result in Sarbanes-Oxley violations, which can mean millions in fines and as much as 20 years in prison for executives. In whoever's parlance, software noncompliance is what's known as an off-balance-sheet liability.

Rule Number One: Ignorance Is No Excuse

Software piracy is a serious and costly issue that can be avoided with a comprehensive software compliance management program. Avoiding the penalties and fines, most of which can be astronomical, is a key factor in the management of software licenses. Many illegal installations are accomplished in all innocence. Unfortunately, whether a program has been installed illegally by the company or by an employee, the organization can be found liable in any civil and criminal complaints that ensue.

Rule Number Two: One Strike, And You're Out

According to the Business Software Alliance (BSA), if convicted, organizations can be fined up to $250,000, and individuals within an organization can be sentenced to jail for up to five years, or both. The software publisher owning the copyright can also immediately deny an organization the use of its program and request additional damages to the tune of up to $150,000 for each program, as well as attributable profits. That's a hefty price tag. To put this in the proper perspective, exactly how many desktops in your company are running Microsoft Word right now, and how many copies of Microsoft Word does your company own? If the numbers don't match, you're not in compliance.

Rule Number Three: They Have Ways of Finding You

Software publishers, as well as the BSA, routinely initiate software audits that require an inventory and proof of purchase for their products. These audits are painstakingly thorough, and because they rarely come at a convenient time, they can create a significant drain on an organization's resources, as critical resources must be diverted from current initiatives to manage the audit.

Rule Number Four: Those Fines Are Just the Tip of the Iceberg

While steep, the financial consequences of noncompliance don't end with the initial fine or penalty, or even with prison time. Those organizations proven to be in noncompliance must generate funds to pay for the pirated software, as well as for the purchase of additional asset management services following their piracy offense. Software noncompliance can also inflate IT support costs in a myriad of other ways:

- Increased deskside support expenses
- Greater exposure to viruses, corrupt disks and defective software
- More compatibility issues
- Longer upgrade and product deployment timelines

Rule Number Five: Cover Your Assets With An Inventory Tool

Taking an inventory of existing IT assets has presented a roadblock for many organizations intent on complying with software licensing regulations, largely due to the expense and logistics involved, so managing these assets has historically been a challenge. However, many asset management and inventory tools are currently available that can be quickly and inexpensively implemented. Electronic inventory tools equip today's asset management systems with global software compliance capabilities that reconcile inventory information with the software licensing information that resides in the organization's database.

Proof of Purchase

Acceptable proof of purchase documentation varies from publisher to publisher. For example, Microsoft prefers license confirmations as proof of purchase and will challenge the acceptability of any other documents, such as invoices or agreements. Thus, it is very important to review the terms of the licensing agreement to ascertain the acceptable proof of purchase for a specific software product.

Six Essential Steps to Successful Software Management

The two keys to foolproof software compliance are proactively managing assets and developing an ongoing software management program that clearly defines the processes surrounding software deployment and installation. It's very easy to move software from one PC to another, so an organization can never be 100 percent certain it is compliant at any given time. Thus, it bears repeating that the diligent monitoring of software on company-owned assets is absolutely necessary. You can ensure that your organization has the documentation to successfully withstand an audit by completing the following crucial steps:

Step 1: Review and understand existing software licensing agreements.

The first step in determining an organization's software compliance liability is identifying how many computers the company supports, which agreements are currently in place and which hardware and software purchasing records are on hand. Often an organization can get an initial read by simply comparing the total number of hardware assets owned with the total number of software licenses owned. This process is relatively easy in cases where the company has a centralized purchasing function, but for organizations with decentralized purchasing departments or multiple vendors, it may be more complicated. Regardless of the situation, it is the organization's responsibility to provide proof of purchase for all software programs currently installed on its IT assets.

Once existing software and hardware purchase records are identified, the organization would be well advised to create a software asset management tracking device to streamline operations. See Table 2, Sample Organization Environment Summary, and Table 3, Sample Licensing Agreement Inventory Log, for examples of effective tracking devices. A comprehensive review of licensing agreements should involve thorough clarification of the following licensing terms:

Maintenance

Note whether the agreement includes maintenance, as well as technical support for maintenance and automatic distribution of upgrade media. You must request media for new releases of some software products. Also note whether annual maintenance fees are part of the contract, since many large-volume licensing agreements with deep discounts require that maintenance be purchased on an annual basis. Finally, be aware that publishers may refer to maintenance as upgrade insurance, upgrade advantage, or software assurance. In addition, maintenance may be combined with a support agreement.

Working with a third-party software management firm, such as CompuCom, makes the complex process of understanding the intricacies of software licensing agreements much easier.

Original Equipment Manufacturer (OEM) Agreements

Each installed product is governed by specific rules, and you must know what they are. For example, OEM Microsoft Windows must live and die with the PC on which it was originally installed. For more information about OEM-installed products, check the End User License Agreement (EULA).

Version Restrictions

While many software products are compatible with earlier product versions, they cannot be upgraded without a license. For example, if it becomes necessary to re-image a desktop or laptop that was purchased with Microsoft Windows 98 pre-installed by the OEM, it is illegal to load Microsoft Windows 2000 on the computer without first obtaining the appropriate upgrade license.

Concurrency

Concurrency refers to instances in which the publisher allows multiple users to access the same application, and it is common in organizations that deploy thin client applications.

Server Licensing

Server licensing can be complex, as well as confusing, since different publishers license server software in various ways. Licenses may apply to a specific server, processor, user, connecting device or Client Access License (CAL). For information on your organization's licensing and pricing agreement, refer to your licensing contracts or contact the publisher or reseller who provided you with the product.

Complicating matters is the advancement and adoption of virtual environments. Tracking and managing licenses can be even more challenging when virtual systems can be brought up and taken down at will. Licensing within virtual environments varies by company. Those companies wishing to increase market share focus on physical hardware, while others use various ratios of virtual machines to physical hosts to manage licenses. For more information on your organization's licensing and pricing agreements, refer to your licensing contracts or contact the publisher or reseller to obtain licensing information.

Subscription Options

Many publishers are now offering subscription options for software products. Software subscriptions are similar to equipment leases. Usually, the subscription will be contracted for a set period of time with a per-seat price, and payment may be made on a periodic basis. At the end of the subscription agreement, the software must either be uninstalled or purchased.

(Table 1) Sample Organization Environment Summary

Description                                                      Number
Total number of workstations (include laptops) in organization    3,128
Total number of end-users in organization                         2,782
Total number of servers in organization                              95

(Table 2) Sample Licensing Agreement Inventory Log

Product                    Licensing Program                   Expiration Date   License Count
Microsoft Office 2007      Select 6.0 - Level B                7/5/2008          2,500
Microsoft Office XP Pro    Select 6.0 - Level B                7/5/2008          500
Microsoft Windows 98       Select 6.0 - Level B                7/5/2008          2,500
Microsoft Windows XP       Select 6.0 - Level B                7/5/2008          500
Microsoft Windows SA       Select 6.0 - Level B                5/2/2009          3,000
Windows 2000 CAL           Select 6.0 - Level B                6/5/2009          1,000
Exchange Server            Select 6.0 - Level B                6/5/2009          10
Exchange V5.5 CAL          Select 6.0 - Level B                7/5/2008          3,000
Windows Server 2003        Select 6.0 - Level B                7/5/2008          15
Goldmine V4.0 Std. Ed.     No longer using                                       150
Printscreen 95             Site License 100 users              12/15/1998        100
pcanywhere V8.0 - H&R      VLP - Level A                       8/2/2003          15
pcanywhere V8.0 - Host     VLP - Level A                       8/2/2003          100
Crystal Reports V9         No License - Bought Boxed Product   na                250

Step 2: Take an inventory of existing IT assets.

In the absence of current information on software use, a plan for obtaining it must be put in place. An accurate inventory identifies instances of software noncompliance, while helping to determine:

- Whether the most up-to-date versions of software programs are in use,
- Whether any installed programs are not being used, so they can be deleted to save disk space, and
- Which individually purchased programs are not part of the standard desktop.

The type of inventory method chosen, as well as the number of desktops included in the inventory, depends on the organization's long-term objectives and its desire to effectively manage software assets. Some organizations opt for a manual inventory system, and many others currently use one of the several available electronic inventory tools highlighted below.

If only inventorying a sample, as opposed to all of the devices owned, review the risk assessment guidelines from Table 1 to determine the appropriate size of the sample. Also note that, depending on the results of the sample inventory, it may still be necessary to inventory all of the computers in the organization.

- Low risk: the sample size should be a minimum of 10 percent of all assets.
- Medium risk: the sample size should be a minimum of 20 percent of all assets.
- High risk: the sample size should be a minimum of 30 percent of all assets.

Prior to selecting asset inventory products or services, it must be determined whether the organization already owns technology products that might be leveraged to help gather the necessary asset information. These include Altiris, Microsoft's Systems Management Server, Hewlett-Packard's HP OpenView/Peregrine, Computer Associates' CA-Unicenter, BMC Remedy/Marimba, Novell ZENworks or IBM's Tivoli. Two additional considerations are the software inventory tool's level of automation and its reporting capabilities, because without them the data collected by the tool may be ineffective in the determination of compliance status. Reporting capabilities should include the ability to summarize data by department, site, or software suite.

(Table 3) Sample Organization Environment Inventory Summary

Description                                                      Number
Total number of workstations (include laptops) in organization    3,128
Total number of end-users in organization                         2,782
Total number of servers                                              95
Total number of workstations inventoried                          3,000
Total number of servers inventoried                                  75

The tool implemented must capture the following types of information:

Product name and version number

Unless you can identify the specific product version, you cannot accurately determine whether the installed software matches your licensing agreements. Be aware that some software audit tools read version information from unreliable source files, such as the version resource block, which skews results. To meet compliance audit requirements, you must ultimately reconcile licenses against purchases. Since audit tools capture their information from a variety of places, there is a significant risk that the data retrieved will not match that which has been recorded by the purchasing department. To manage this gap, it is necessary to normalize the software naming conventions to achieve a true settlement. Ideally, it is best to decide up front which data is to be captured as part of the documentation of the license and to normalize the software's naming convention at the time it is installed. Using this normalized data, auditors can accurately reconcile software licenses to purchases.

User name/employee ID

During the inventory process, it is highly likely that you will discover some software that has been purchased and installed by individual departments. To effectively address any issues, software managers need to know how many such installations are discovered, as well as which individuals and departments are using them. Only when this information is tied directly to the asset inventory can management take corrective action; thus, it is helpful to capture the asset's serial number, so software can be accurately tracked to the computer of residence.

Product suites

Because it is crucial to count only real applications and those that have licensing implications, a narrow focus is necessary with respect to product suites. Many applications are licensed and purchased in suites, making it necessary to compare application suites with all individual applications. Only by taking this extra step, which also helps in the vendor negotiation process, can the organization's true licensing position be determined.

Step 3: Compare the inventory to current software purchasing records and the organization's software standards to determine problematic areas.

Depending on the inventory method implemented, the organization will obtain various levels of data about devices and servers. As noted above, many inventory discovery products on the market today include asset summary reports that eliminate the need to perform data analyses. Management should compare the information gained from the asset inventory to existing software licensing agreements, purchasing records and publishers' records. Accomplishing due diligence in this way prepares the organization to accurately gauge its potential liability for software noncompliance. See Table 3, Sample Organization Environment Inventory Summary, and Table 4, Sample Software Owned vs. Installed, for examples of these types of comparisons.

(Table 4) Sample Software Owned vs. Installed

Product                    Licensing Program                   Expiration Date   License Count   Installations / User Accounts   Gap Analysis
Microsoft Office 2007      Select 6.0 - Level B                7/5/2008          2,500           2,400                           100
Microsoft Office XP Pro    Select 6.0 - Level B                7/5/2008          500             886                             (386)
Microsoft Windows 98       Select 6.0 - Level B                7/5/2008          2,500           2,652                           (152)
Microsoft Windows XP       Select 6.0 - Level B                7/5/2008          500             634                             (134)
Microsoft Windows SA       Select 6.0 - Level B                5/2/2009          3,000           2,500                           500
Windows 2000 CAL           Select 6.0 - Level B                6/5/2009          1,000           1,725                           (725)
Exchange Server            Select 6.0 - Level B                6/5/2009          10              24                              (14)
Exchange V5.5 CAL          Select 6.0 - Level B                7/5/2008          3,000           3,200                           (200)
Windows Server 2003        Select 6.0 - Level B                7/5/2008          15              38                              (23)
Goldmine V4.0 Std. Ed.     No longer using                                       150             22                              128
Printscreen 95             Site License 100 users #1548963     12/15/1998        100             2,300                           (2,200)
pcanywhere V8.0 - H&R      VLP - Level A                       8/2/2003          15              58                              (43)
pcanywhere V8.0 - Host     VLP - Level A                       8/2/2003          100             12                              88
Crystal Reports V9         No License - Bought Boxed Product   na                250             280                             (30)

Gap Analysis is License Count minus Installations; figures in parentheses are deficits, i.e. products installed more often than licensed.

Step 4: Uninstall noncompliant software and/or purchase new software.

Once any offending software installations and noncompliance issues are accurately identified, it is a relatively simple task to determine which software products must be purchased, upgraded or uninstalled. This requires careful matching of the legitimate copies of software with the current needs of the organization. With the exception of operating systems, software can frequently be uninstalled from devices where it is not needed and installed on devices that do need it. Most software programs can also be upgraded, if necessary. At this point, however, any illegal software must be uninstalled from the company's computers, and it is also the ideal time to remind employees about the company's software policy and the dangers associated with software piracy.
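The reconciliation behind Table 4, together with the name-normalization step called for under "Product name and version number" in Step 2, is shown below as an added example; it is not CompuCom's tool or any tool named in the paper. It assumes purchasing records reduced to a canonical product name and a license count, and inventory output as (hostname, user, raw product string) tuples; the license counts, inventory lines and regex normalization rules are all constructed for illustration. Each device counts once per product even if the inventory tool reports it twice, products the rules do not recognize are reported separately for manual review, and the gap is computed as license count minus installations with deficits shown in parentheses, as in Table 4.

```python
"""Owned-vs-installed license gap analysis (added example, not the paper's own tool).

Implements the Step 3 reconciliation: normalize the product names reported by an
inventory tool to the names used in purchasing records, count installations per
device, and compute gap = licenses owned - installations. A negative gap (shown
in parentheses, as in Table 4) is a deficit that Step 4 must resolve by purchase
or uninstall. All records and rules below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed purchasing records: canonical product name -> licenses owned.
LICENSES = {
    "Microsoft Office 2007": 3,
    "Microsoft Office XP Pro": 2,
    "Crystal Reports V9": 1,
}

# Constructed inventory-tool output: (hostname, user, raw product string).
# Note the inconsistent naming, a duplicate line for WS-0004, a product with
# no purchasing record (Printscreen 95) and a product no rule recognizes.
INVENTORY = [
    ("WS-0001", "jdoe",   "Microsoft Office Professional 2007"),
    ("WS-0002", "asmith", "MICROSOFT  OFFICE 2007"),
    ("WS-0003", "bjones", "Microsoft Office XP Professional"),
    ("WS-0004", "ckim",   "Crystal Reports 9.0"),
    ("WS-0004", "ckim",   "Crystal Reports V9"),
    ("WS-0005", "dlee",   "Crystal Reports 9"),
    ("WS-0006", "elam",   "Microsoft Office 2007"),
    ("WS-0007", "fwong",  "PrintScreen 95"),
    ("WS-0008", "gpatel", "Acme Unknown Tool 1.2"),
]

# Hypothetical normalization rules: regex over the raw string -> canonical name.
# In practice these are maintained per product and agreed with purchasing.
NORMALIZATION_RULES = [
    (re.compile(r"^microsoft office (professional )?2007$", re.I), "Microsoft Office 2007"),
    (re.compile(r"^microsoft office xp (pro|professional)$", re.I), "Microsoft Office XP Pro"),
    (re.compile(r"^crystal reports v?9(\.0)?$", re.I), "Crystal Reports V9"),
    (re.compile(r"^printscreen 95$", re.I), "Printscreen 95"),
]


def normalize(raw):
    """Map a raw inventory product string to its canonical purchasing name, or None."""
    collapsed = " ".join(raw.split())  # collapse whitespace variations and trim
    for pattern, canonical in NORMALIZATION_RULES:
        if pattern.match(collapsed):
            return canonical
    return None


@dataclass(frozen=True)
class GapRow:
    product: str
    licensed: int
    installed: int

    @property
    def gap(self):
        return self.licensed - self.installed


def reconcile(licenses, inventory):
    """Return (rows, unmatched): one GapRow per licensed or installed product, plus
    the raw inventory lines no rule recognized (they need a rule or manual review)."""
    seen = set()          # (host, canonical) pairs, so one device counts once per product
    installs = Counter()
    unmatched = []
    for host, user, raw in inventory:
        canonical = normalize(raw)
        if canonical is None:
            unmatched.append((host, user, raw))
            continue
        if (host, canonical) not in seen:
            seen.add((host, canonical))
            installs[canonical] += 1
    products = sorted(set(licenses) | set(installs))
    rows = [GapRow(p, licenses.get(p, 0), installs.get(p, 0)) for p in products]
    return rows, unmatched


def format_gap(gap):
    """Render a gap the way Table 4 does: deficits in parentheses."""
    return f"({-gap:,})" if gap < 0 else f"{gap:,}"


def deficits(rows):
    """Products installed more often than licensed: the purchase-or-uninstall list for Step 4."""
    return [r.product for r in rows if r.gap < 0]


def report(rows, unmatched):
    lines = [f"{'Product':<26}{'Licensed':>10}{'Installed':>11}{'Gap':>8}"]
    for r in rows:
        lines.append(f"{r.product:<26}{r.licensed:>10,}{r.installed:>11,}{format_gap(r.gap):>8}")
    for host, user, raw in unmatched:
        lines.append(f"UNMATCHED  {host} {user}: {raw!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, unmatched = reconcile(LICENSES, INVENTORY)
    print(report(rows, unmatched))
```

Running the block prints a four-row gap table in which Crystal Reports V9 and Printscreen 95 show deficits, and one UNMATCHED line for the unrecognized product. The unmatched list is the important control: a product that silently falls through normalization is simply absent from the gap analysis, which is exactly the mismatch between tool data and purchasing records the paper warns about.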
Step 5: Finalize and implement software and asset management policies regarding software use and license compliance, software license tracking processes and reporting, as well as software standards.

Implementing policies regarding software use and license compliance, software license tracking processes and reporting, and software standards will continue to ensure that an organization remains software-compliant following an internal inventory or external audit. The following actions are recommended:

1) Centralize the software procurement process.

2) Designate a single, internal owner for the organization's software assets and purchasing requirements. This individual should be responsible for:
   - Defining roles and responsibilities of the organization's IT and purchasing departments and business units with respect to software
   - Defining the procurement processes for software products and licenses
   - Developing and maintaining a central repository for purchasing records
   - Managing licensing agreements and maintenance programs
   - Tracking licenses and ensuring compliance

3) Create a formal list of the software sanctioned by the organization for employees' use. Include program names, version numbers, the number of copies or users permitted by the license, and plans to add, upgrade, or discard the software.

4) Cascade a written policy throughout the organization regarding software usage and installation on all company assets. The policy should clearly communicate the organization's goals, desktop and server software standards, existing computing environment (technical and staffing), technology direction and a universal software requisition process that includes justification. Distribute the policy to new hires and current employees, and socialize it throughout the company on bulletin boards and computer networks. Require each employee to acknowledge the policy and understand the consequences for violations. Sample letters and other documentation are available in the Tools and Resources area on the BSA.org site.

5) Minimize the number of resellers from which your organization can procure software. In addition to simplifying software management, this also helps ensure that software is purchased from reputable, authorized resellers or directly from the manufacturer.

6) Purchase only software that includes original user material such as documentation, license agreements or license proofs.

7) Purchase site licenses, when possible, that include maintenance for a specified number of users. This simplifies the management and tracking of software licenses and ensures employees have access to the latest versions of products and receive appropriate technical support when needed.

8) Purchase optional maintenance and technical support, when possible. Covering the entire term of the software contract ensures your organization has the most current version of the software. Note that it is typically less expensive to buy maintenance prior to a new release than to buy the upgrade to the latest version.

Step 6: Maintain and support new standards and processes, including performance reports, upgrade and migration plans, projected purchases and future projects that require software licenses.

After the software inventory has been completed and reconciled with purchasing records and vendors' or publishers' records, and following the implementation of an effective software management policy, the most important steps to ensuring that an organization has an effective long-term licensing management program in place have been taken. At this point, acknowledged best practices dictate the reconciliation of purchasing and each vendor's records. You should periodically verify that your vendor is properly reporting your purchases to the publisher. However, it is important to recognize that, as time passes, situations change, and policies that were serviceable initially can gradually grow less effective if not maintained and enforced. Periodically, an organization should perform spot checks on individual computers to ensure that software has not been illegally installed. It is also prudent to conduct an annual inventory, just as one would for other important company assets. And, finally, when employees separate from an organization, a check must be made to ensure that the software they used while employed remains with the company and has not been copied.

Integrating IT. Delivering Value.

About CompuCom

CompuCom Systems, Inc., a global company headquartered in Dallas, Texas, provides IT managed services, infrastructure solutions, consulting and products to Fortune 1000 companies committed to enhancing their end users' experience. Founded in 1987, privately held CompuCom employs approximately 11,500 associates. For more information, visit www.compucom.com.

CompuCom Systems, Inc.
7171 Forest Lane
Dallas, TX 75230
+1 800.225.1475
+1 972.856.3600
www.compucom.com

Learn more about CompuCom's broad range of services and how seamless integration can help you drive greater business value from your IT infrastructure. Visit us online at www.compucom.com

2015 CompuCom Systems, Inc. All rights reserved. CompuCom is a registered trademark of CompuCom Systems, Inc. The names and logos of any companies or products mentioned herein may be the trademarks of their respective owners in the United States, Canada, and/or other countries. The information contained herein is subject to change without notice. WPUMSC0807-0K