SOFTWARE ASSET MANAGEMENT POLICY
Metadata Author.Contributor Derrick Bates Coverage.spatial UK, Cumbria Creator ICT Client Team Organisational Development Date.issued 1 st May 2008 Description The document sets out the corporate policies and procedures for the management of corporate software assets. Format Txt Identifier Language Eng Publisher Cumbria County Council Rights.copyright Cumbria County Council Status Version 1.0 Final Subject.category Software Asset Management Subject.keywords Asset management; licence; compliance; piracy; fast; resources; retrieval; policy; strategy; security; users Title Cumbria County Council Software Asset Management Policy Distribution Issue Date Version Name Title Revision History Document Status Date Reason for review Author ID.version V 0.1 Draft 2007-09-14 Creation D Bates V 0.2 Draft 2007-09-21 Amended D Bates V 0.3 Draft 2007-11-13 Further amendments D Bates V 0.4 Draft 2008-03-14 Further amendments D Bates V 1.0 Live 2008-05-01 Final D Bates Approval Name Position Date Signature A Cook HIT & BI 01/05/08 These Policies replace all previous versions and amendments to Council software management policies. It applies to all Members, employees, temporary and contract workers of Cumbria County Council. Page 2 of 10
Table of Contents 1 INTRODUCTION...5 2 SOFTWARE ASSET MANAGEMENT POLICY STATEMENT...5 3 SOFTWARE ACQUISITION...5 4 SOFTWARE DELIVERY...5 5 SOFTWARE INSTALLATION...5 6 SOFTWARE MOVEMENTS...6 7 SOFTWARE RETIREMENT...6 8 SOFTWARE DISPOSAL...6 9 COMPLIANCE AND DOCUMENTATION...6 10 FONTS...6 11 EVALUATION (FREEWARE & SHAREWARE)...6 12 GAMES & SCREENSAVERS...6 13 INTERNET DOWNLOADS...7 14 EMAIL ATTACHMENTS...7 15 MOBILE/LAPTOP USERS...7 16 AUDITING...7 17 DISASTER RECOVERY...7 18 DISCIPLINARY PROCEDURES FOR BREACH...7 19 APPENDIX 1 PROCEDURES...8 Page 3 of 10
19.1 Acquisition, Delivery & Installation...8 19.2 Movements...8 19.3 Retirement & Disposal...8 19.4 Fonts...8 19.5 Evaluation (Freeware and Shareware)...8 19.6 Games & Screensavers...9 19.7 Internet Downloads...9 19.8 Email Attachments...9 19.9 Mobile/Laptop Users...9 19.10 Auditing...9 19.11 Disaster Recovery...10 19.12 Disciplinary Procedures for Breach...10 Page 4 of 10
1 Introduction The document supports the Council s compliance with current statutes and regulations as well as British and International Standards for Software Asset Management (SAM). It lays down the Council s policies and procedures in respect of management of its software assets. The means of signifying agreement with these policies and procedures is through the Council s Acceptable Use Policy. As at publication date and for the purposes of this document the ICT Strategic Partner is Agilisys. 2 Software Asset Management Policy Statement It is the policy of Cumbria County Council to respect all computer software copyrights and adhere to the Terms & Conditions of any licence to which Cumbria County Council is a party. Cumbria County Council will not condone the use of any software that does not have a licence and any employee found to be using, or in possession of unlicensed software may be the subject of disciplinary procedures. It is the responsibility of all Cumbria County Council employees, consultants, temporary or contract workers to read, fully understand and signify agreement to Cumbria County Council s Acceptable Use Policy. 3 Software Acquisition All computer software acquired by the Council must be purchased through the ICT Strategic Partner. No user may purchase software directly and the purchase of software by any other means such as credit cards, expense accounts or petty cash is expressly forbidden. Specialist software for use by the disabled must be accompanied by an assessment from Occupational Health. 4 Software Delivery All newly purchased software will be delivered to the ICT Strategic Partner so that licences can be checked and Asset Registers updated. No other staff may take delivery of computer software. 5 Software Installation Computer software can only be installed by the ICT Strategic Partner, under no circumstances is computer software be installed by any other Council staff. Page 5 of 10
6 Software Movements All staff or department moves must be controlled through the corporate Office Move procedure so that the appropriate software can be added or removed and asset registers updated. 7 Software Retirement The retirement of Software/Hardware used by the Council may only be carried out by the ICT Strategic Partner. 8 Software Disposal The Disposal of Software/Hardware used by the Council may only be carried out by the ICT Strategic Partner in compliance with the Waste Electrical and Electronic Equipment (WEEE) Directive. 9 Compliance and Documentation All licences, invoices and original media for all of the software in use in Council premises are to be held securely by the ICT Strategic Partner. All media must be signed in and out by an authorised person as defined by the Strategic ICT Partner. A periodic check will be carried out by the IT Security Officer to ensure the actual media matches with the inventory. 10 Fonts Font software is bound by the same policies and procedures as all software. No user may install any font software onto Council systems. 11 Evaluation (Freeware & Shareware) Shareware, Freeware & Public Domain software is bound by the same policies and procedures as all software. No user may install any free or evaluation software onto Council systems. 12 Games & Screensavers The Council does not permit the use of any games or screensavers other than those previously agreed by line managers, or the games and screensavers which form part of your operating system Page 6 of 10
13 Internet Downloads No software, whatsoever, may be downloaded from the Internet. 14 Email Attachments Users may not load or use any software received via e-mail. Sharing software via email is prohibited. 15 Mobile/Laptop Users Council software policies apply to mobile users and all laptops will be equipped with auditing software for regular checks. 16 Auditing All users must be aware that the Council electronically audits all computers on a regular basis. Sample random audits also may be carried out. 17 Disaster Recovery The owner of every business process and support process is responsible for ensuring that an appropriate business resumption risk assessment is carried out. Where that resumption includes the redeployment or reinstallation of software in support of business activities the software licencing must comply with this Policy and the conditions of the original Vendor licence. 18 Disciplinary Procedures for Breach The Council s software policies are implemented to safeguard the Council from the many varying laws surrounding software use. Any user found to be in breach of these policies may be subject to disciplinary procedures. Page 7 of 10
19 Appendix 1 Procedures 19.1 Acquisition, Delivery & Installation The user is to call the ICT Strategic Partner Service Desk requesting a quote for the software and obtain a reference number. Complete the online Equipment Request Form using the supplied reference number. Obtain the relevant authorisation signature and pass to the ICT Client Team as a Non Standard Request. Once delivered, the software will be added to the Authorised Software List against the specific user. The software will then be identified to the audit tool and loaded to the user s workstation by the ICT Strategic Partner. The software will be added to the Definitive Software List and the media will be placed in the secure storage area, controlled by the ICT Strategic Partner. 19.2 Movements In the event of staff relocations Departmental Managers are to complete the online Office Move Form. As part of this procedure they are to ascertain whether new software will be required. Old software can be re-distributed and the new locations of staff, hardware, network points and software for the asset register recorded by the Strategic ICT Partner. 19.3 Retirement & Disposal Once a computer is deemed ready for disposal, all software will be removed. Where the licence permits, the software will be re-used, stored for future use or retired. Software purchased as part of a computer will be disposed of with the computer as these licences are non-transferable. All Council data will be removed and the hard disk will be securely cleaned or physically destroyed. The asset register will be updated and the certificate of disposal/destruction will be held on file. 19.4 Fonts Where a user has a valid business requirement for a specific font they will use the standard software acquisition procedure. 19.5 Evaluation (Freeware and Shareware) Where a user has a valid business requirement for a piece of shareware or freeware they will use the standard software acquisition procedure. Upon the appropriate management agreements, the software will be obtained, tested and loaded to the user. Page 8 of 10
If this software is shareware, and requires deletion or licensing after a trial period, the user will be contacted one week prior to the end of trial date to ascertain whether he or she wishes to retain use of the software. If the software is to be retained usual acquisition procedures will be followed. If it is not required the software will be completely uninstalled. 19.6 Games & Screensavers Before being delivered to the user, the ICT Strategic Partner will ensure that the computer is loaded with software to corporate standards and the screensaver is set to enable after a static period of 5 minutes with a password required to gain access. 19.7 Internet Downloads If a user has a valid and approved reason for an item of software available on the internet, he/she will inform the ICT Client Team using the standard software acquisition procedure. The ICT Client Team and the ICT Strategic Partner will then check the licensing requirements for the software, where appropriate purchase a licence, download the software, virus check the download and benchmark the software, prior to delivery to the end user. 19.8 Email Attachments If you receive any unexpected files, which do not appear to be standard business documents, inform the IT Security Officer and the ICT Strategic Partner immediately. 19.9 Mobile/Laptop Users Laptops used as a primary access mechanism through a docking station in a Council office will be subject to the same audit regime as desktop machine. Users with laptops that are not regularly attached to the Council network will be subject to periodic recall for update and audit. See Auditing. 19.10 Auditing The Council uses auditing software on a regular basis to ascertain whether all of the software loaded is legal. The audit is checked and reconciled with the Definitive Software Library and all unauthorised software is deleted. The source of the unauthorized software will be ascertained and disciplinary action may be taken. Page 9 of 10
19.11 Disaster Recovery The ICT Strategic Partner is responsible for regularly reviewing its ability to recover or re-supply the organisation, within the timeframe required, with all the business software that will be needed to effect recovery of the business in the event of a major disaster. 19.12 Disciplinary Procedures for Breach The standard Council disciplinary procedures will apply. Page 10 of 10