Thursday, June 21, 2007

What's an acceptable "out of compliance" number?

I was privy to an interesting conversation a few weeks ago...the topic was "What level of non-compliance is acceptable?". Basically the basis for the discussion was that being illegal on some licenses was to be expected but at what level does it become an issue.

Before jumping into all sorts of morality issues, I'll stop myself and instead put this in the context of...assuming it will cost me money to prove every single license, is there a point at which I can say "under this amount is not worth the cost"?

Now, morally I don't feel there is a number greater than zero that can be acceptable. If you can't prove licensing for a single product, you owe it to yourself and the publisher who invested their time and resources into its creation to buy the product (and then keep better records).

Getting off my moral high horse I will point out that running even a single copy of software that you can't prove licensing for is a risk to you and your organization. As with any risk to your organization, your organizations risk assessment framework should address this topic for you. But remember - you can't manage what you don't know and you can't apply a risk assessment if you don't have the details!

What are your thoughts?