Is your company tightening its pursestrings? Have you been told to hold off on all "unnecessary purchases" for a couple of quarters? Did your 2009 budget just go through rather drastic cuts? Have layoffs occurred or are they looming?
If you answered yes to any of the above, you're not alone. Those of us who came through the "Dot Bust" of the early 2000s (particularly in Northern California) may remember these signs well. I remember heading into it (as a not-yet-two-year-old consulting business) and the phases it went through. However, I have also worked with many businesses since and have seen the outcome of decisions they made to "save costs" that had a long-term negative impact.
Here are some things to think about:
1) You can't manage what you don't know. Software costs are one of the line items you're going to be watching closely, so make sure you have the tools in place to tell you exactly what is being used and what you own. Then you can continue to provide your business users with the tools they need to do their jobs while ensuring you're not over-purchasing in this category.
2) Servers and client access licenses: get expert advice. This is consistently the area where I see costly mistakes being made, typically because of reliance on the knowledge of someone who doesn't keep current with publishers' product use rights. A recent half-day consultation with us saved one of our clients $30,000 in server licensing costs. This is an area where it doesn't cost much to get advice that can save you a bundle!
3) Review your maintenance agreements and renewal contracts. In the past several "lush" years we've seen many clients opting for convenience over cost savings. Now that things are leaner, you might need to rethink some of your past decisions to ensure they are meeting your current goals.
4) Evaluate your reseller. Just like #3 above, are the "value added services" provided by your reseller justifying their markup on your software? This is another area where that client we mentioned in #2 received significant benefit from that consultation. They needed to change resellers and leveraged us to make the change - it resulted in $15,000 in free consulting services from us as a "thank you" from their new reseller...that's paying for them to have us manage their software license situation monthly for the next year!
5) If you're downsizing and having to "do more with less", we can ensure you still have the information you need on a monthly basis to get full value from your software assets...for a fraction of the cost of doing it internally. Call or e-mail me and free up some of your staff's limited time.
These are just some suggestions; the important thing to remember is this...in times of financial hardship it is our responsibility to ensure our decisions help our companies (a) survive the downturn, and (b) be positioned to prosper immediately in the upturn.
Tips and discussion on managing and negotiating software licenses and agreements for organizations.
Showing posts with label Compliance. Show all posts
Monday, October 27, 2008
Thursday, October 25, 2007
Software Asset Management – A Regulatory/Industry Compliance Perspective
Software Asset Management (SAM) not only makes good business sense (lowers cost of software ownership, is integral to good security and enhances the productivity of technology workers) but it is also a key component in most of the regulatory and industry compliance requirements facing businesses today.
OK, I stretch on a few like HIPAA and Gramm-Leach-Bliley (GLB)…you can technically comply with these without SAM as long as you have hardware asset management, but still – you need to know where your computer assets are, who has access to them and be able to restrict what data can be loaded onto them.
But for Sarbanes-Oxley (SOX) and the Payment Card Industry (PCI) Standards, it goes beyond that to actual SAM.
For SOX, there is a COBIT™ control objective which loosely states “Ensure that only appropriate software is installed in the environment”. Well, if you take that apart (which your auditors do…) then “appropriate” would mean (a) that you know what is appropriate and what is not, (b) that you have this documented somewhere, and (c) that it is licensed correctly. Additionally, to prove that you comply you need to be able to show what is installed in your environment and prove that you have a process that is documented and followed for periodically checking this information.
For PCI, you need to maintain a vulnerability program which has two requirements: (1) use and regularly update anti-virus software and (2) develop and maintain secure systems and applications. Both of these requirements come with a list of required items but basically it comes down to being able to ensure that every system has the most up-to-date virus protection and the latest approved security patches for all applications running on those systems. How do you ensure this information if you (a) don’t know what’s installed and where, and (b) don’t have a way of verifying what patch level it is at?
SAM makes good business sense, and it is required by many of the major regulatory/industry compliance requirements…so why are so many companies still avoiding it? Why the piecemeal approach that I see so often in the business place? Why do CIOs' and CFOs' eyes roll back in their heads when you mention SAM? I realize IT staffs are frequently overloaded and often do not have the necessary current information to maintain a SAM program – but isn't that why we outsource?
Would love your insights…