The purpose of this paper is to fill a gap in the current ITIL books concerning software licence compliance, and to provide some practical suggestions on how to go about achieving licence compliance.
Licence management is dealt with in a couple of paragraphs in the ITIL book, Best Practice for Service Support, see §7.3.10. However, there is no guidance contained in ITIL on how to implement licence management. There is even the implication that implementing Configuration Management on its own is sufficient to bring about a properly managed software licence environment. This is not the case. Software licence management has its own unique problems, which need to be addressed explicitly via a software licence compliance programme.
Configuration Management is necessary for licence management, but on its own is not sufficient to deliver software licence compliance.
What is Software Licence Compliance?
Software licence compliance refers to the requirement to use software in accordance with the terms and conditions of software licences. Failure to do this can be construed as a criminal offence, so all software users MUST ensure that their use of software is legal. The relevant legislation in the UK is the Copyright, Designs and Patents Act, 1988. In short, using software without the agreement of the copyright holder is theft.
How do you find out whether your software is legal? |
For an individual this ought not to be too difficult. In practice, however, many people may not be able to prove the legality of their software, because they do not retain information pertaining to software licences and purchase.
For a company, finding out whether its software is legal can be a real headache. In order to be able to do this, all companies need the following elements in place:
If discrepancies are found (and they almost certainly will be)
It is necessary to analyse the reasons why, and to address the problems identified as a result of this analysis. The following represent common causes for such discrepancies:
Do your staff, contractors and suppliers know what the rules are? If they do not, then tell them. If they do, then ensure they understand what disciplinary measures are in place to deal with such behaviour. You may find you need to have the relevant disciplinary rules. Note that if you do not make it clear to employees and others that they should not load software without the relevant software licence, then you may be held responsible in any legal action. It may be that staff don't know or understand the rules for requesting software, or think that such rules do not apply to some types of software, especially that found on the internet, e.g. evaluation or trial copies of software. Or it may be that the process is too slow or bureaucratic, so that staff cannot get the software when they need it. If so, then you need to fix the process.
Do you have a process for recording software purchases in such a way that meaningful data can be extracted at a later date? The quality of data entry into the accounting system may need to be reviewed here. It may also be worth your while ensuring that responsibility for the accuracy and completeness of such records is given to an individual manager. All licences and proof of purchase should be kept in a dedicated filing system. Remember that loss of this information constitutes a potentially significant loss of assets, so protect it. It is worth keeping copies of invoices in this dedicated filing system, even though the finance department should retain the originals.
If you don't have such a method, how do you know that any one installation is covered by a licence? When server access groups are changed, does someone investigate the software licence implications of this?
When equipment is redeployed, is it wiped clean of all software? If it is not, how do you know that .exe files and other such licensable products are not installed on it? It is common to find all kinds of software on a PC, which even the user does not know about. Remember – the rule is that if it is installed it will need a licence. In addition, it is possible that people are added to server access groups without the relevant licence being purchased.
There are many other possible reasons to account for discrepancies between software installed and licences purchased. What is important is that you have a method for removing the cause of such discrepancies in future. If you don't, then any software licence control processes you introduce will be ineffectual.
What do you need to do to introduce software licence control?
The following steps, properly carried out, will deliver software licence control:
| What? | Why? |
| --- | --- |
| Presentation to CEO and Board | Without top-level commitment you will not succeed. The people at the top need to understand the risk to the company and to them personally of a failure to comply with the terms and conditions of software licences. In the worst cases this could be unlimited fines and up to 2 years' imprisonment. |
| Produce and distribute a software policy | To ensure everyone in the company understands the rules, roles and responsibilities relating to the use of software. You may need to amend the company's disciplinary code in order to accommodate explicitly the issue of software theft. |
| Company wide awareness campaign | To introduce the software policy and to explain why software licence compliance is necessary and to gain commitment of all staff to the initiative. You should use such a campaign as an opportunity to obtain feedback from staff on any weaknesses in the software management processes that will undermine software licence compliance. |
| Third-party awareness | All third parties who operate on your estate and who have access to your IT systems need to be supplied with a copy of your software policy. Contracts should include explicitly the requirement to adhere to your software policy. |
| Audit strategy | To define the method, frequency, aims and objectives of software licence data capture. It is important to have a clear understanding of how you intend to go about obtaining accurate and usable data on installed software. The frequency of your audit activities may be constrained by the impact on the network. |
| Purchase and implement Audit tools | It will not be possible to identify software without software discovery and recognition tools. Even with the best tools the process of software recognition will be difficult, because of the large number of products on the market, and because of the existence of in-house products. It can be difficult to distinguish legacy application files from unidentified commercial products, particularly in an environment where mergers and acquisitions have taken place. |
| Implement audit process | To identify and recognise all licensable software. This needs to be done in such a way that files that make up a single application are grouped together to avoid double counting or worse. |
| Purchase history records | You need to know what you have purchased and how it relates to other purchases, e.g. has a licence been bought outright or is it an upgrade of an existing licence. |
| Reconciliation | To match installed software against purchase history records in order to identify licence requirements. |
| Define software licence requirements | In the case of under-licensing, determine whether you should remove the relevant software or purchase additional licences. Note that if you remove the software you should retain records of what was removed. |
| Supporting software management processes | To maintain the accuracy of your software licence data you need to ensure that the processes for acquiring, installing, changing and disposing of software (and the hardware on which it resides) are in place and robust. |
| Physical storage | To keep physical media safe from misuse or damage, and to protect proof of purchase records from loss or damage. Loss of proof of purchase records may leave you in a position where you cannot prove you are using software legally. |
Finally, be prepared for the unexpected. For instance, you need to purchase licences for a product, but the supplier no longer exists. What do you do? The answer is not "nothing"!
If you wish to know more about software licence compliance and how Casaubon Eck Ltd can help you achieve it, please e-mail: compliance@casaubon-eck.co.uk