Thursday, October 25, 2007

Software Asset Management – A Regulatory/Industry Compliance Perspective

Software Asset Management (SAM) not only makes good business sense (lowers cost of software ownership, is integral to good security and enhances the productivity of technology workers) but it is also a key component in most of the regulatory and industry compliance requirements facing businesses today.

OK, I stretch on a few like HIPAA and Gramm-Leach-Bliley (GLB)…you can technically comply with these without SAM as long as you have hardware asset management, but still – you need to know where your computer assets are, who has access to them and be able to restrict what data can be loaded onto them.

But for Sarbanes Oxley (SOX) and the Payment Card Industry (PCI) Standards, it goes beyond that to actual SAM.

For SOX, there is a COBIT™ control objective which loosely states “Ensure that only appropriate software is installed in the environment”. Well, if you take that apart (which your auditors do…) then “appropriate” would mean (a) that you know what is appropriate and what is not, (b) that you have this documented somewhere, and (c) that it is licensed correctly. Additionally, to prove that you comply you need to be able to show what is installed in your environment and prove that you have a process that is documented and followed for periodically checking this information.

For PCI, you need to maintain a vulnerability program which has two requirements: (1) use and regularly update anti-virus software and (2) develop and maintain secure systems and applications. Both of these requirements come with a list of required items but basically it comes down to being able to ensure that every system has the most up-to-date virus protection and the latest approved security patches for all applications running on those systems. How do you ensure this information if you (a) don’t know what’s installed and where, and (b) don’t have a way of verifying what patch level it is at?

SAM makes good business sense, and it is required by many of the major regulatory/industry compliance requirements…so why are so many companies still avoiding it? Why the piecemeal approach that I see so often in the business place? Why do CIO’s and CFO’s eyes roll back in their heads when you mention SAM? I realize IT staffs are frequently overloaded and often do not have the necessary current information to maintain a SAM program – but isn’t that why we outsource?

Would love your insights…

Thursday, September 13, 2007

Common Ways a Company Becomes Non-Compliant

Over the years I've worked with a number of companies and what has become obvious to me is that - it is rare that a company knowingly pirates software.

So, how do so many companies become non-compliant on their software agreements?

1) Lack of proper processes (and adherence to those processes) for software acquisition, deployment and retirement.
2) Lack of a good asset inventory tool that will accurately and easily report on what is installed.
3) Lack of records of what is owned.
4) Misconception or lack of knowledge of product use rights.
5) Misconception or lack of knowledge of volume licensing agreement rights.

Of all of these, I find the last two to be the most universal and it's a combination of misconception and lack of knowledge. Of the two I find misconception the most dangerous...because the company thinks that they're doing things right so they never ask for help.

How do the misconceptions happen? Generally, through outdated knowledge or guesswork.

Some things to be aware of:

1) Different use rights exist for different versions as well as different forms of acquisition.

For example, Microsoft 2007 software (Office, Server, Operating System) acquired OEM normally does not allow for downgrade; however, if acquired through Open, Select or Enterprise it normally does allow for downgrade. This was not always the case, in the past it had been allowed...was it allowed when you did it? Reference - http://download.microsoft.com/download/d/2/3/d23b9533-169d-4996-b198-7b9d3fe15611/downgrade_chart.doc). How were you planning to handle those OEM Office 2007 that are coming in the door? Were you going to downgrade those to 2003 until you're ready to upgrade?

2) Test and Development servers need to comply with product use rights same as Production.

3) Your Developers may have the "Professional" version of the software for development purposes but not be licensed for those for business use - be careful what's being installed on their production machines.

4) Vendors selling you a solution dependent upon another companies technology may not always provide you with full/accurate information about the licensing requirements...do your homework.

5) Client Access Licenses - in general if you're using the resources of a server, you need some form of client license for each user/device. Watch this carefully, it's the most common problem we find.

Just to name a few...

So, how do you keep up and still do your job? Frankly, you don't. You bring in professionals to educate you and provide you with documentation from the publisher supporting that education (do not rely on anything else...if a problem comes up, you're the one holding the bag) which you retain in a centralized location until those licenses (and their future upgrades) are no longer in use.

Questions? Comments? Would love to see them...

Tuesday, July 31, 2007

Software Asset Management – Luxury or Necessity?

I was speaking with a friend to day who asked me the question…is what you do a necessity or a luxury? I immediately responded that SAM is a necessity – but at the same time it made me really think about his question and about why he was asking it.

He’s a mortgage broker – and if you’ve watched the news at all, you know that there is a lot of pain going on in that industry. However; there is a lot of pain going on in a lot of industries right now, which is why he asked the question. If you think about it, while SAM is always important and there are always significant business reasons to do it – when things are tough financially and operationally it makes it even more important.

You can look at the figures all over and you will constantly see evidence that SAM saves companies around 30% on software costs in year one and about 10% on an annual basis. When you factor in the soft dollar savings on increased operational efficiency the savings go up dramatically. I know these numbers to be true based upon the results our clients have seen.

You could make the argument that while SAM is important, companies don’t need to hire consultants to do it for them so the hiring of a firm such as ours could be considered a luxury. True, companies can do it themselves…but unless you’re going to invest the time, money and energy to train someone within your organization to become a SAM expert – you will probably expend a fair amount of personnel time and then turn around and hire a professional when you don’t get the results you’re expecting.

Implementing a SAM program frequently involves a lot of esoteric knowledge – knowledge that is not necessary for ongoing maintenance but is necessary to provide the accurate evaluation of the current license and process status. Hire a professional to set up your program – let them put their expertise to work for you and train your staff on what it will take to maintain the program going forward.

So, unless you’re not going to buy software – SAM becomes even more important to you in lean times as it saves you considerable money, and hiring a professional to set up your program allows you to leverage their historical knowledge and expertise while at the same time ensuring that your staff only has to learn the pertinent information to maintain your program.

Has your company established a SAM program? Did you do it yourself or hire a professional? What was the outcome?