NSW Government. Software Asset Management Standard. Version 1.0. October 2014




NSW Government
Software Asset Management Standard
Version 1.0
October 2014

standards@finance.nsw.gov.au
ICT Services
Office of Finance & Services
Level 23, McKell Building
2-24 Rawson Place
SYDNEY NSW 2000

CONTENTS

1. CONTEXT
2. KEY PRINCIPLES
3. REQUIREMENTS
DOCUMENT CONTROL
APPENDIX A SAM PROCESS FRAMEWORKS
APPENDIX B CORE SOFTWARE ASSET MANAGEMENT PROCESSES
APPENDIX C CORE SOFTWARE ASSET MANAGEMENT PROCESSES MAPPED TO ISO/IEC 19770-1
APPENDIX D REFERENCES
APPENDIX E STANDARDS

1. CONTEXT

1.1. Background

This Software Asset Management (SAM) Standard is a technical standard developed through the NSW ICT Procurement and Technical Standards Working Group (PTS Working Group). The standard contains technical and business requirements that agencies should consider when procuring SAM services. By defining common government requirements, the standard provides an opportunity to leverage whole of government buying power and reduce inefficiencies.

A substantial proportion of an agency's ICT expenditure is allocated to purchasing, maintaining and operating software. The SAM standard will assist agencies in maintaining strategic oversight of their software assets, and will help agencies optimise their software environments.

1.2. Purpose

The purpose of this standard is to assist NSW Government agencies to develop, procure and implement SAM solutions and tools, as well as take full advantage of the benefits of SAM solutions and tools. It details the issues that need to be considered so each agency can identify the available options that best suit their business requirements, helping agencies achieve value for money through cost savings and improved flexibility of service offerings.

1.3. Scope and application

This standard applies to all NSW Government departments, statutory bodies and shared service providers. It does not apply to state owned corporations, but is recommended for adoption.

This standard does not exhaustively cover all agency specific considerations. Agencies may need to assess any specific requirements they have in addition to those detailed in this standard.

1.4. Policy

The NSW Government ICT Strategy sets out the Government's plan to build capability across the NSW public sector to deliver better, more customer-focused services that are available anywhere, anytime, and derive better value from the Government's annual investment in ICT.

Developing whole of NSW Government ICT technical standards is a key initiative of the NSW Government ICT Strategy, with this work being driven by the PTS Working Group. The standards are designed to be consistent with NSW Government ICT Strategy and NSW Government Cloud Services Policy and Guidelines objectives, and they support the development of the NSW Government's ICT Services Catalogue.

The standards set out service definitions as minimum requirements that suppliers must meet to be able to offer their services through the NSW Services Catalogue. This helps achieve consistency across service offerings, emphasising a move to as a service sourcing strategies, and it signals government procurement priorities to industry.

This standard should be applied with existing standards, policies and guidance that make up the NSW Information Management Framework, as set out in the Information Management: A Common Approach, and including the NSW Digital Information Security Policy.

NSW Government agencies must carefully consider their obligations to manage government data and information. Contract arrangements and business processes should address requirements for data security, privacy, access, storage, retention and disposal. ICT systems and services should support data exchange, portability and interoperability.

More information on the development of standards for the ICT Services Catalogue is at Appendix E Standards.

1.5. The ICT Services Catalogue

This catalogue provides suppliers with a showcase for their products and services, and an opportunity to outline how their offerings meet or exceed standard government requirements.

The standards, together with supplier service offerings in the ICT Services Catalogue, help to reduce red tape and duplication of effort by allowing suppliers to submit service details only once. The offerings are then available to all potential buyers, simplifying procurement processes for government agencies.

Implementing this category approach will embed common approaches, technologies and systems to maintain currency, improve interoperability and provide better value ICT investment across Government.

2. KEY PRINCIPLES

The following principles guide the development and implementation of this standard.

- Facilitating as a service: Specification of environments should support agencies in moving to as a service sourcing models.
- Interoperability: Meeting this standard should help agencies achieve application and hardware interoperability, ensuring that agency computing environments enable appropriate information sharing across devices and applications.
- Mobile and flexible: Environments should support modern office work practices, including flexible and/or activity based working or hot desking.
- Vendor / operating environment agnostic: Environments should be vendor and operating system agnostic. Devices such as laptops, notebooks, thin-clients etc. should be able to connect to, and access the network. The network should also be fully compatible with widely used operating environments.

3. REQUIREMENTS

3.1. SAM system deliverables

In accordance with recognised standards an effective SAM system should:

- Capture information about software assets and their use
- Support core tasks and functions
- Manage the software asset lifecycle
- Support business objectives and outcomes
- Promote responsible SAM, and
- Deliver best practice

3.1.1. Capturing information

The SAM system should incorporate the ability to capture accurate, complete information about the software assets and their use. This may include asset discovery tools, deployment records and procurement records. This may also involve deploying software asset registers or logs to record the software assets that the agency owns, as well as software asset audit and metering tools to track where and how agency software is used.

3.1.2. Supporting core tasks and functions

The SAM system should assist the agency to perform its core asset tasks including asset identification, control, and licence compliance monitoring. This includes enabling the agency to complete software licence optimisation, rationalising its software portfolio by reallocating, re-harvesting and deploying software licences where appropriate. The system should enable the agency to readily and reliably plan for its future software needs, including identifying opportunities for retirement, portability or pooling for planned projects.

3.1.3. Managing the software asset lifecycle

The SAM system should address the full asset lifecycle, from identifying business requirements to the retirement of the asset. The system should provide interfaces into other systems that enable the agency to manage, change, acquire, develop and deploy software, as well as manage incidents and exceptions. It should enable the agency to manage software retirements, including identifying opportunities for reuse where permissible under licence agreements.

3.1.4. Supporting business objectives and outcomes

The SAM system should assist agencies in achieving their business objectives. Objectives may include improving worker productivity and mobility by allowing the agency to scale and deploy its software assets as needed, assisting the agency to manage the cost of its software assets more effectively, and managing the risks associated with software licencing. Ultimately, the SAM system should assist the agency to achieve a better return on its software investments.

3.1.5. Promoting responsible SAM

Agencies deploying SAM systems should establish and implement internal policies and controls that help them to manage the system appropriately. This includes clarifying employee obligations for compliance with copyright and information legislation, as well as controls that ensure potential or actual breaches are quickly addressed and remedied. To ensure this occurs, the SAM system should include education and communication strategies to assist employees at all levels understand their responsibilities.

3.1.6. Delivering best practice

Agencies should utilise a system that aligns with or addresses the elements of one of the standards for SAM. This standard references ISO/IEC 19770-1 and ITIL v3 SAM, which are internationally recognised. The process frameworks for these standards are shown in Appendix A, and the elements of the ISO standard are detailed in Appendix B. There are other widely recognised standards such as COBIT 5, and others may become available over time. Appendix C shows core software asset processes mapped to ISO/IEC 19770-1, and Appendix D lists other references.

3.2. SAM competency

Agencies can assess their current SAM competency or the capability of their SAM system against the four broad levels as described in Table 1, or on the basis of the core SAM elements (to be) implemented as per Table 2 and described in detail in Appendix B.

Table 1: SAM Capability Classifications

SAM implementation: Description

- Reactive SAM: Most manual processes, ad-hoc purchasing and compliance risks due to limited licensing procedures.
- Proactive SAM: Defined and standard software purchasing, deployments and security updates. Organised licensing and standardised policies.
- Managed SAM: Managed acquisition processes and policies, centralised asset tracking and. Visibility and control of asset costs, savings, governance and liabilities.
- Optimised SAM: Optimal acquisition and redeployment cycles, efficient business infrastructure with agile and adaptable IT solutions. Optimised insight into agency assets for current needs and future plans.

The four levels of intended or implemented SAM capability or competency are listed in the first column in the table below. The corresponding required processes to be adopted from the ISO standard are ticked in the columns. As noted throughout, compliance can be to any appropriate standard, providing the agency is satisfied that the business outcomes it requires from SAM are being achieved.

Table 2: SAM Processes and Capability / Competency Matrix

Core Software Asset Management Processes (columns): Software asset identification; Software asset inventory; Software asset control; Application governance; Dependency analysis; Software asset verification; Software licence compliance; Software asset security; Conformance verification; Relationship and contract mgmt.; Financial; Service level; Security

Software Asset Management Capability or Competency (rows): Reactive SAM; Proactive SAM; Managed SAM; Optimised SAM

DOCUMENT CONTROL

Document history

Status: Final
Version: 1.0
Approved by: NSW Procurement & Technical Standards Working Group
Approved on: 23/9/2014
Issued by: NSW Office of Finance & Services
Contact: standards@finance.nsw.gov.au
Telephone: (02) 9372 7445

Review

This standard will be reviewed in 12 months. It may be reviewed earlier in response to post-implementation feedback from agencies.

APPENDIX A SAM PROCESS FRAMEWORKS

Table 3 below summarises, at a high level, the ISO/IEC 19770-1 Process Framework for SAM, while Table 4 on the following page outlines the ITIL Process Framework.

Table 3: ISO/IEC 19770-1 Process Framework for SAM

Governance
- Control environment: Governance structures; Roles and responsibilities; Policies, processes and procedures; Capabilities and competence
- Planning and implementation processes: Planning; Implementation; Monitoring and review; Continuous improvement

Core SAM processes
- Inventory processes: Software asset identification; Software asset inventory; Software asset control
- Verification and compliance processes: Software asset record verification; Software licensing compliance; Software asset security compliance; Conformance verification
- Operations processes and interfaces: Relationship and contract; Financial; Service level; Security

Primary process interfaces for SAM
- Software lifecycle: Change; Software development; Software deployment; Problem; Acquisition; Software release; Incident; Retirement

A detailed explanation of the expected core SAM processes mentioned in the table above is contained in Appendix B.

Table 4: ITIL v3 Process Framework for SAM

- Overall processes: Overall responsibility; Competence, awareness and training; Risk assessment; Performance metrics and continuous improvement; Policies and procedures; Service continuity and availability
- Core asset processes: Asset identification; Status accounting; Asset control; Database; Financial Management
- Logistic Processes: Requirements definition; Design; Evaluation; Procurement; Build; Deployment; Operation; Optimisation; Retirement
- Verification and compliance processes: Verification and audit; Licensing compliance; Security compliance; Other compliance
- Relationship processes: Contract; Supplier; Internal business relationship; Outsourcing

APPENDIX B CORE SOFTWARE ASSET MANAGEMENT PROCESSES

A. Inventory processes

Software asset identification

The SAM system should enable the agency to ensure necessary classes of assets are selected and grouped. Assets should be defined, recorded and sorted by appropriate characteristics that enable effective and efficient control of software and related assets.

The SAM system should include a Software Asset Register that meets the following minimum software identification requirements:

The register should identify the type of software assets to be controlled and information associated with them formally defined, taking into account:

- Items to be managed are chosen using established selection criteria, and grouped, classified and identified to ensure manageability and traceability throughout their lifecycle.
- Basic information, including:
  - Software vendor
  - Software title
  - Software edition
  - Software version
  - Licence type/model
  - Number of licences owned
  - Contract numbers relating to purchase
  - UNSPSC code (if available)
  - System owner / product manager (where appropriate)
  - Support and maintenance status.
- Items to be managed include:
  - Definitive Software Master List
  - List of all software approved for use in the organisation
  - Contracts related to software assets regardless of format
  - Licence agreements (including end user licence agreements, click through licence agreements and freeware licence agreements etc.), incorporating terms and conditions
  - Proof of purchase.

A Hardware Asset Register should be used to capture relevant details relating to hardware asset classes, namely:

- Location (where appropriate)
- System owner
- Status (test/development/production etc.)
- Type (software, hardware facility etc.)
- Platforms on which software assets can be installed/run
- Changes to assets
- Hardware inventory including locations are verified on a regular (minimum six monthly) basis including reporting identified exceptions.

Software asset inventory

The SAM system should enable the agency to ensure physical instances of software assets are properly stored and that required data characteristics for all assets/configuration items are accurately recorded throughout the lifecycle.

To achieve these goals, the system should include the following:

- Definitive Software Master List: media library (including copies of all versions/patches of all software currently in use in the environment).
- Definitive Software Master List: documentation (a copy of each piece of documentation relating to each software title installed in the environment).
- Definitive Software Master List: licences and proof of purchase (including all base licences, upgrades, cross grades etc.).
- Copies of all software patches relating to software currently installed in the environment
- Installed software (including version, editions, patches etc.).
- Software packages authorised for deployment.

Software asset control

The SAM system should enable the agency to control its software assets while maintaining a record of changes to its software asset holdings. The software asset controls should allow the agency to demonstrate that:

- An audit trail is maintained with changes made to software including changes in status, location, custodianship and version.
- Appropriate policies, processes and procedures are approved and issued for development, maintenance and of software versions, images, builds and releases.

B. Verification and compliance processes

Software asset record verification

The SAM system should enable the agency to ensure records are accurate and maintained in accordance with information requirements. The system should include processes for software asset record verification, including:

- Verification of installed software reporting to ensure accuracy at least.
- Minimum quarterly reconciliation between what is installed and what was authorised for installation across the environment.
- Inventory and verification of the Definitive Software Master List media library, licence and proof of purchase conducted on a half yearly basis.
- Contract documentation related to software assets verified for completeness at least annually.
- Any issues, problems or exceptions to the above are documented, root-cause analysis is performed and remediation activities undertaken to achieve correction. All findings and remediation activities to be fully documented.

Software licensing compliance

The SAM system should enable the agency to ensure all software is licensed correctly and that contractual and licence terms and conditions relating to software installation and usage are met. The system should include policies, processes and procedures to ensure that employees comply with their software licence obligations and terms of use, including:

- Procurement policy.
- Deployment/installation policy.
- Usage policy.
- Regular confirmation of effective licence position.
- Recording of discovered compliance issues in the Software Risk Register.
- Appropriate remediation actions are taken and recorded.
- The root cause of the issue is determined and action is taken to address it.

Software asset security compliance

The agency should ensure physical and technical security measures related to the storage of software and related assets prevent unauthorised access or use. Implementation of the SAM system should enable the agency to:

- Report on who has had access to the software media and licence keys.
- Identify which purpose the software was accessed for.
- The date of access and return.
- Report on actions taken to address unauthorised or extended access.

Conformance verification

The SAM system should enable the agency to monitor and ensure conformance with regulatory requirements and best practice standards. Agencies should be in a position to demonstrate that:

- Policies and procedures are developed, approved and issued for verifying compliance with their selected standard.
- Verification procedures are being performed annually and that corrective follow-up action is taken on identified exceptions.

C. Operations processes and interfaces

The SAM system should enable the agency to execute the operational functions that are essential to achieving overall SAM objectives and benefits.

Relationship and contract

The SAM system should enable the agency to manage its relationships with other organisations, including its contracts and contractual relationships for software and related assets/services. Implementation of the system will enable the agency to demonstrate:

- Policies and procedures are developed, approved and issued for managing relationships with suppliers providing software and related assets/services to include:
  - Definition of responsibilities for supplier with individuals assigned to have clear overall responsibility for managing suppliers.
  - Formal documented reviews at least half yearly of supplier performance, achievements and issues, with documented conclusions and decisions about actions to be taken.
- Policies and procedures developed, approved and issued for of customer-side relationships including:
  - Definition of responsibilities for managing customer-side business relationships with respect to software and related assets/services.
  - Regular reviews of current/future software requirements across the agency as a whole.
  - Formal documented annual reviews of service provider performance, customer satisfaction, achievements and issues, with documented conclusions and decisions about any actions to be taken.
- Policies and procedures developed, approved and issued for managing contracts including:
  - Ensuring contractual details are recorded in an on-going contract system as contracts are signed.
  - Copies of all signed contractual documentation securely maintained in a document system in addition to keeping original signed documents.
  - Half-yearly documented reviews prior to contract expiry, and all contracts with documented conclusions and decisions about actions taken.

Financial

The SAM system should enable the agency to appropriately budget and account for its software and related assets. Implementation should allow the agency to achieve the following:

- Definitions of financial information relevant to of software and related assets are agreed with relevant parties and documented by asset type.
- Formal budgets are developed for acquisition of software assets and related support.
- Actual expenditure on software assets and related support and infrastructure costs is accounted for against budget.
- Clearly documented financial information is available about software asset values (including but not limited to historical and/or depreciation costs).
- Formal documented quarterly reviews of actual expenditure against budget with documented conclusions and decisions about any actions required.

Security

Manage information security effectively with all SAM activities and support approval requirements related to SAM. Implementation will enable agencies to demonstrate:

- Formal policy is developed and approved regarding security/access restrictions for all SAM resources, including physical/electronic stores of software builds/releases.
- Access controls are specified, both physical and logical, to enforce the approval requirements of SAM policies.
- There is documentary evidence showing that specified access controls are implemented in practice.

D. MANAGING THE SOFTWARE LIFECYCLE

An effective SAM system should be closely integrated with standard processes.

Change

Ensuring effective integration between the SAM system and the change process will enable the agency to demonstrate that a formal process exists, requiring that:

- All change requests that affect software and/or SAM processes are identified and recorded.
- All change requests that affect software and/or SAM processes are assessed and approved via a formal change process that includes SAM representatives.
- The success or failure of changes is documented and periodically reviewed.

Acquisition

Effective integration between the SAM system and the procurement process will allow the agency to demonstrate that:

- The relevant standard architectures are defined for the provision of software services, as well as criteria for deviating from those standards.
- Standard software configurations are defined, as are criteria for deviating from those standards.
- Standard software procurement methods are defined, as are criteria for deviating from those standards.
- Software approved for use is detailed in the Software Catalogue indicating editions, versions and approved acquisition method.

- Policies and procedures are developed, properly authorised and issued for requisitioning and ordering software and related assets, including:
  - How requirements are specified.
  - Management and technical approvals required.
  - Use/redeployment of existing licences if available.
  - Recording future purchase requirements for those cases where software can be deployed before reporting and payment.
  - Acquisition method and approved exceptions.
- Policies and procedures developed, properly authorised and used for receipt-processing functions related to software and related assets including:
  - Processing invoices, reconciliations to orders and retention of copies for licence purposes.
  - Receipting and safe-keeping valid proof of licence for all licences purchased.
  - Processing incoming media including requirements for verification, record-keeping and safekeeping of contents (physical and electronic).

Software development

Effective integration between the SAM system and the software development process will allow the agency to demonstrate:

- That, where practical, software development is occurring in a segregated environment.
- That a formal process for software development exists and considers standard architectures and configurations, licence constraints and dependencies.
- Formal process for software development to include SAM requirements and controls.

Software release

Effective integration between the SAM system and the software release process will allow the agency to demonstrate that:

- Release of software is approved by the responsible.
- Result of the release is recorded and periodically reviewed.

Software deployment

Effective integration between the SAM system and the software deployment process will allow the agency to demonstrate that:

- Distribution of software and related assets is approved by the responsible.
- Security requirements are complied with, including over access to software being distributed and after installation.
- All changes to the status of relevant software are recorded accurately and in a timely fashion including any change of custodianship, and an audit trail of changes is kept.
- Documented control to verify what was deployed is the same as authorised for deployment.
- Success or failure of deployments is recorded and periodically reviewed.

Incident

Effective integration between the SAM system and the incident process enables the agency to demonstrate that:

- All incidents that affect software/related assets or SAM processes are recorded and classified as to their priority for resolution.
- All such incidents are resolved in accordance with priority for resolution and the resolution is documented.

Problem

Effective integration between the SAM system and the Problem Management process enables agencies to demonstrate that:

- All incidents that affect software and/or related assets and/or services, along with SAM processes, are recorded and classified as to their impact.
- High priority and repeat incidents are analysed for underlying causes and prioritised for resolution.
- Underlying causes are documented and communicated to incident.
- Problems are resolved in accordance with priorities for resolution and the resolution is documented and communicated to incident.

Retirement/re-harvesting

The SAM system should assist the agency to ensure that software and related assets are removed, recycled and reused as appropriate and in compliance with information requirements. The system should enable processes to ensure that:

- Deployed copies of software are removed from retired hardware (where it is permitted for licences to be removed).
- Licences and other assets which can be redeployed are identified for redeployment.
- Assets transferred (re-harvested) to other parties, and are transferred taking into account any confidentiality, licensing or other contractual requirements.
- Licences and other assets that cannot be redeployed are properly disposed of.
- Records are updated to reflect the changes above, and audit trails are maintained of all changes.

APPENDIX C CORE SOFTWARE ASSET MANAGEMENT PROCESSES MAPPED TO ISO/IEC 19770-1

Inventory processes

- Software asset identification: The scope of software assets controlled should be defined and address software entitlement (product and version), proof-of-licence, contracts/agreements, media and software deployment.
- Software asset inventory: A central and comprehensive inventory of software assets (physical and electronic) should be maintained to record installed software and software licences. Activities to ensure that the inventory is effectively maintained must be embedded in broader SAM processes.
- Software asset control: Processes to control and record changes to software assets should be embedded within the SAM system to ensure that an appropriate audit is maintained.
- Application governance: Processes to control and record types, versions, OEM and outcomes of all applications deployed across the enterprise to ensure redundancies in types of applications are effectively monitored, managed and where appropriate collated.
- Dependency analysis: Processes to control and record operational and technical requirements dependencies driving deployment to map dependency of commissioned ICT capabilities against the type and number of applications so deployed, and where applicable, enterprise wide licence portability, licence re-harvesting, active obsolescence and eliminating redundancies across both licence numbers and types.

Verification and compliance processes

- Software asset record verification: Controls should be established to detect and manage deviations in SAM processes and ensure that accurate software asset records are maintained.
- Software licensing compliance: Effective processes should be established to ensure that licensing terms are understood and there are regular licence reconciliations performed to verify that software is being used under the terms of the licence.
- Software asset security compliance: Effective processes and controls should be established to prevent unauthorised installation of software and detect any deviations to the standard processes.
- Conformance verification: NSW Government aims to implement standards based on parts of the ISO/IEC standards; however, there is no requirement for ISO certification. Deviations from the SAM system should be addressed.

Operations processes and interfaces

- Relationship and contract: Effective processes and controls should be established to address relationship and contract for SAM in line with corporate policies and procedures. Specific considerations relating to effective relationship and contract for SAM should be addressed through:
  - Identifying a relationship owner for each vendor relationship
  - Engaging with the appropriate commercial authority (as required)
  - Ensuring that the terms of the licence are understood and complied with
  - Vendor driven activities (e.g. true up, audit or maintenance / subscription renewals) are completed in line with the terms of the licence
  - Periodic forecasting of long-term software requirements.
- Financial: Regular reporting of software related spend should be established. The requirements of the financial reporting must be determined by the organisation-wide financial practices.
- Service level: Service levels should be embedded within the SAM system to measure the effectiveness of the processes.
- Security: Effective security controls should be established to ensure that access to the software asset inventories (physical and electronic) is appropriately restricted.

APPENDIX D REFERENCES

Agencies should have regard to the following statutes, NSW Government policies and standards:
- AS/NZS ISO 31000 Risk Principles and guidelines
- Copyright Act 1968
- Electronic Transactions Act 2000
- Government Information (Information Commissioner) Act 2009
- Government Information (Public Access) Act 2009
- Health Records and Information Privacy Act 2002
- Information Technology Infrastructure Library (ITIL) v3
- ISO/IEC 19770-1 Software Asset Management
- NSW Digital Information Security Policy
- NSW Government Cloud Services Policy and Guidelines
- NSW Government Open Data Policy
- NSW Government ICT Strategy
- NSW Government ICT Technical Standards Mobility Standard
- NSW Government Digital Information Security Policy
- NSW Government ICT Strategy and Implementation Update 2013-14
- NSW Government Information Classification and Labelling Guidelines
- NSW Procurement: Small and Medium Enterprises Policy Framework
- Privacy and Personal Information Protection Act 1998
- Public Finance and Audit Act 1983
- Public Interest Disclosures Act 1994
- State Records Act 1998
- TPP 09-05 Internal Audit and Risk Management Policy for the NSW Public Sector

APPENDIX E STANDARDS

Developing standards

Development of a standard begins with identifying the need for a new standard, which is followed by the development of the standard in consultation with the industry and expert groups, including the Australian Information Industry Association (AIIA). The following diagram outlines the process.

[Diagram: standards development process. Boxes shown: Need for new or amended standard identified; Business requirements change; Standard developed (Industry/agencies consulted); Services added to Catalogue; Standard approved and released by PTS Working Group; Market engagement for services which meet the standard.]

The PTS Working Group is chaired by the Office of Finance and Services and includes senior representation from across the NSW Government clusters. Agencies engage with the PTS Working Group concerning services for inclusion in the ICT Services Catalogue. This drives the development of technical standards, where none exist. The PTS Working Group has the leading role in reviewing and endorsing the technical standards developed in response to agencies' requirements.

The PTS Working Group is supported by two sub-groups responsible for the areas of Telecommunications and Services & Solutions. The sub-groups are responsible for initial development and review of standards relating to their areas of responsibility.

Management and implementation

There is scope to modify standards through the NSW ICT governance arrangements as necessary. Standards are designed to add value to, augment and be complementary to other guidance, and they are continually improved and updated.

This standard does not affect or override the responsibilities of an agency or any employee regarding the and disposal of information, data, and assets. Standards in ICT procurement must also address business requirements for service delivery.

NSW Procurement facilitates the implementation of the standards by applying them to the goods and services made available through the ICT Services Catalogue. Standards will also be available on the ProcurePoint web site.