Government Guide For Software Management
C I B E R N E T
This Guide was prepared by the Family, Industry, and Community Economics group of Nathan Associates Inc., with assistance from BDO Seidman, LLP. Nathan Associates is an international economic consulting firm. BDO Seidman is the U.S. member firm of BDO International, an international accounting and consulting organization.
Contents
1 INTRODUCTION
1.1 A Step-by-Step Guide
1.2 Helping Governments Manage Their Software Assets
1.3 How to Use this Manual
2 WHY MANAGE SOFTWARE ASSETS
2.1 Ensure Compliance with the Law
2.2 Control Costs
2.2.1 Control Costs of Acquisition
2.2.2 Avoid Costs of Unnecessary Hardware
2.2.3 Control Software Support Costs
2.2.4 Avoid Legal Challenges, Penalties, and Fines
2.3 Improve Performance
2.3.1 Ensure Software Quality and Reliability
2.3.2 Maximize IT Resource Compatibility
2.3.3 Anticipate and Take Advantage of Change
2.3.4 Increase Employee Productivity
3 HOW TO MANAGE SOFTWARE ASSETS
3.1 Create an Environment for Success
3.1.1 Articulate and Communicate a Clear Statement of Software Policy
3.1.2 Obtain Employee Acceptance
3.1.3 Identify, Distribute, and Regularly Update a List of Supported Software
3.1.4 Establish a Secure Repository
3.1.5 Develop and Implement Software Procurement Procedures
3.2 Take Inventory
3.2.1 Accomplish Three Tasks
3.2.2 Conduct the Inventory in Accordance With Four General Standards
3.2.3 Rely on the Element of Surprise, Yet Include All Computers
3.2.4 Specialized Inventory and Metering Applications Can Make the Job Easier
3.2.5 Other Options
3.3 Take Action
3.3.1 Take Corrective Action When Necessary
3.3.2 Always Take Preventive Action
GLOSSARY
APPENDIX
A. Model Government Decree
B. Sample Software Policy Statement
C. Sample Form for List of Supported Software
D. Sample Inventory Form
E. Software Inventory and Metering Applications
F. DOS® Commands to Inventory Software
G. Windows® Commands to Inventory Software
H. Macintosh® Commands to Inventory Software
Introduction
In today’s digital era, software is indispensable. It drives our computers and allows us to collect, organize, access, analyze, and share information on a scale and with efficiency not imagined 20 years ago.
Software, like other valuable assets, must be managed throughout its lifecycle to achieve its potential benefit. An effective management plan must address asset acquisition, use, and disposal. In addition, the process must occur in an environment receptive to management actions and committed to success.
Governments, as information organizations, are especially dependent on software. Since governments make and implement laws on behalf of those they govern, they have a clear responsibility to demonstrate, through their policies and practices, the importance of adhering to laws governing the use of software. Legitimate software use by governments will encourage the private sector to follow suit, thereby leading to growth of the domestic software industry which creates jobs and generates revenue.
1.1 A STEP-BY-STEP GUIDE
This manual provides step-by-step guidance for managing the installed software base of governmental organizations. For senior government officials, it explains why software asset management is important. For managers, it presents a complete management plan, including how to create an environment in which management will succeed, information requirements of the plan, a process for collecting information, and how to interpret and act on the information collected.
Although asset management is more than asset tracking, in the case of software, which is a portable and decentralized asset, tracking is a key component of the management process. This manual provides very specific instructions for tracking software. It explains the importance of taking inventory and how to do so. It explains how to identify illegal copies of software and describes the steps necessary to verify that your organization’s use of software is in compliance with licensing agreements. In addition, helpful tools for inventorying software are identified. Using inventory tools is encouraged, but if you do not have access to inventory application software, you will find here detailed instructions for identifying the software that resides on your computers.
1.2 HELPING GOVERNMENTS MANAGE THEIR SOFTWARE ASSETS
Software management is critical to maximizing the benefit of government investment in information technology (IT) resources. Today desktop computers proliferate and software is significantly upgraded on a regular basis. A single government organization might be using hundreds of computers deployed at dozens of locations running numerous types and versions of operating system and application software.
The proliferation of desktop computers and the portability of software have created an additional reason to manage software: to ensure its legitimacy. Without an organization’s knowledge, its employees might be using illegally copied software. For example, employees might have installed more copies of a software program than the organization’s license permits (commonly referred to as software “overuse”). Or, the organization might have unknowingly acquired illegal software from a disreputable reseller.
This manual was written to make software asset management simple, yet effective, and to help governments avoid the cost of legal challenges to the legitimacy of their software assets. It presents clear justification for managing software and encourages organizations not currently managing their software to do so by showing them how.
1.3 HOW TO USE THIS MANUAL
The organization and production of this manual were intended to facilitate its use. If you are not yet convinced of the benefits of software asset management, read Chapter 2, which identifies the benefits and explains how the management process will help you achieve them. Key reasons include ensuring compliance with the law, controlling costs associated with software assets, and improving the performance of the assets, the organization, and its employees. If already convinced of the benefits, skip to Chapter 3, which explains how to manage your software assets. The process consists of three major steps.
1. Establish an environment for success. Begin by articulating a software policy statement that addresses the acquisition, use, and disposal of the software used by all government agencies. Employees should be instructed on the requirements and restrictions of the usage policy. Employees responsible for software procurement require specialized training in licensing requirements and proper procurement procedures.
2. Conduct a software inventory. Next, take inventory of the software residing on your computers. The software you find and the ways in which it is being used must conform to the government’s software policy.
3. Commit to an ongoing process. Finally, an effective software management plan requires continuing actions. It is important to follow sound procurement procedures, to maintain a complete and up-to-date record-keeping system, and to take corrective and preventive actions. Perhaps most important, communicate with employees to encourage participation in the process and adherence to policy.
To assist you in getting started, this manual includes information and examples of documents that will be used in or generated by the management process. Exhibit A contains a model government decree on the illegal use of computer software. Exhibit B contains a sample software policy statement that can be adapted for use by your agency or organization. Exhibit C contains an example of the type of form you could use to record and disseminate information regarding the software supported by your organization. Exhibit D contains a sample software inventory worksheet to guide your data collection efforts. Exhibit E presents an analysis of a few randomly selected software products that can help you inventory software and meter its use. Finally, Exhibits F, G, and H contain specific sets of commands for identifying the software that resides on your computers if you are unable to use inventory application software. The commands are listed for three different environments: DOS® on stand-alone computers, Microsoft Windows® on stand-alone or networked computers, and Apple® Macintosh® on stand-alone computers.
Why Manage Software Assets
In today’s dynamic environment of dispersed desktop computers and other IT assets, managing your software assets is necessary to:
■ Ensure your software is legal and being used in compliance with licensing terms;
■ Control costs associated with the asset; and
■ Improve asset and organization performance.
2.1 ENSURE COMPLIANCE WITH THE LAW
Computer software is protected under copyright law and cannot be used, reproduced or distributed without the manufacturer’s express authorization. Copies of computer software are typically licensed, not sold, to the user. Accordingly, your right to use, reproduce, and distribute a software program is subject to the terms of the software license agreement, which constitutes a valid legal contract between the licensee and the software publisher. The software license gives the software publisher a claim for damages in the event you fail to comply with its terms.
A licensed copy of software can be installed and used on only one computer, unless the license agreement expressly permits use of a second copy, for example, at home or on a portable computer. However, a license agreement typically allows you to maintain a backup copy of software for archival purposes.
In addition to licensing agreements, copyright law protects software publishers from the unauthorized copying, distribution, and sale of software. In today’s digital era, copyright law also prohibits users from uploading, downloading, or transmitting unauthorized copies of software via the Internet or other electronic media. Violations of these restrictions are civil and criminal offenses, exposing the infringer to significant civil damages, as well as criminal fines and imprisonment.
Governmental organizations have a key role to play in supporting the protection of intellectual property by ensuring all software and its use are in compliance with licensing agreements and copyright law. Copying, distributing, and using software illegally deprive economies of legitimate and taxable economic activity. Perhaps more important, use of illegal software reduces the reward for innovation and, by doing so, slows economic growth and development. A government decree in support of ensuring all software and its use are in compliance with licensing agreements and copyright law sets the stage for an effective software management plan. Appendix A contains a sample government decree.
2.2 CONTROL COSTS
The second major reason for managing your software assets is to control all costs associated with the assets. An effective management process will:
■ Control software acquisition costs;
■ Avoid unnecessary hardware costs;
■ Control software support costs; and
■ Avoid the costs of legal challenges and fines or penalties for use of illegal software and unauthorized use of legal software.
2.2.1 Control Costs of Acquisition
An effective management process minimizes software acquisition costs by identifying and communicating the current and future software needs of your organization, budgeting for software acquisition, and purchasing only what is necessary while doing so in conformance to clearly defined procurement procedures.
Budgeting is key. You must identify planned software expenditures in a separate line item of your IT budget and track your actual versus planned expenditures. By doing so, you can more accurately evaluate your needs, ensure that software acquired is legitimate, and plan for future acquisition. Large organizations often devote 25 percent of their IT budgets to software.
2.2.2 Avoid Costs of Unnecessary Hardware
A software management process allows an organization to identify and communicate with its employees the software it currently supports, as well as expected upgrades, substitutions, disposals, and data and program retention policies. By collecting and sharing this information, software, data, and program files can be managed on a systematic basis with a minimum of disruption. In addition, the non-disruptive removal of software no longer supported frees space on existing hardware, thereby helping organizations avoid the costs of unnecessarily upgrading or replacing hardware.
2.2.3 Control Software Support Costs
By identifying your organization’s current and future software needs and specifying when software will cease to be supported, you can control the cost of supporting software and avoid the cost of renewing licenses unnecessarily or in overly expansive terms. Control can be effected by a management process that regularly reviews the organization’s software needs, updates the list of supported software periodically, and clearly communicates in advance when various applications and versions will no longer be supported and, hence, removed from the organization’s computers.
2.2.4 Avoid Legal Challenges, Penalties, and Fines
Your agency or organization can avoid the costs of legal challenges, fines, and penalties by implementing the software asset management process described here. The process will generate a record of documentation necessary to avoid these costs. The record will include:
■ A written statement of your organization’s software policy;
■ Evidence of employee acknowledgement and understanding of the policy, the management process, and his or her responsibilities;
■ A complete and current inventory of your software assets; and
■ Documentation of all actions taken in support of the management process.
2.3 IMPROVE PERFORMANCE
In addition to more effective control of costs, which improves the performance of all organizations, a software asset management plan will:
■ Ensure software quality and reliability;
■ Maximize IT resource compatibility;
■ Anticipate and take advantage of change; and
■ Increase employee productivity.
2.3.1 Ensure Software Quality and Reliability
An effective software management process will ensure the quality and reliability of the software. Illegally copied software - which can be defective or infected with a virus, obsolete, or recently released but not adequately tested - can be identified, avoided, and, when found on the organization’s computers, removed. Licensed software, on the other hand, offers the assurance of product authenticity and quality, the warranty of the software publisher, documentation, instruction manuals, tutorials, product support (including upgrade information and trouble-shooting services), and training.
2.3.2 Maximize IT Resource Compatibility
With the numerous types and versions of software available in today’s market, issues of compatibility often arise. If employees in one part of your organization require documents created by a specific application, but employees in other parts of the organization use only an incompatible application, you must weigh the decision of whether to authorize the use of, support, and training in both computer programs. By managing the lifecycle of your software assets, you generate the information necessary to address compatibility issues and weigh tradeoffs on the basis of all costs and benefits.
2.3.3 Anticipate and Take Advantage of Change
An effective software management process will make it easier to anticipate and take advantage of change - both technological and organizational - while minimizing its potentially adverse consequences. In the course of the management process, you will be identifying and communicating the current and future software needs of your organization. Reactions within the organization will lead to a clearer understanding of future needs and additional insight into the advantages and disadvantages of deploying anticipated technology sooner rather than later. The process will help you avoid the acquisition of software on the verge of becoming obsolete as well as new, still unreliable software.
2.3.4 Increase Employee Productivity
Computer software has dramatically transformed today’s business and organizational environments. Because of software, today’s workers are more efficient and businesses are more productive. Software has reinvented old notions of bringing products and services to customers and established real-time communication as a cornerstone of organization effectiveness.
Software asset management ensures that workers have the tools they need to accomplish their tasks efficiently, and the education and training they need to use the tools effectively.
How to Manage Software Assets
An effective software management process consists of three major tasks. First, you need to create the right organizational environment, one in which all employees are committed to the success of the process. Next, you need to take inventory of your assets. You need to know what you have before you can manage it. And finally, you must be prepared to take action - corrective and preventive - and you must keep policy, procedures, and information current.
The right organizational environment is one in which employees are receptive to the goals, decisions, and actions of the management process. This environment can be created if you:
■ Articulate and communicate a clear statement of software policy;
■ Obtain employee understanding and acknowledgement of the policy;
■ Identify, distribute, and regularly update a list of supported software and authorized use;
■ Establish a repository for master disks of purchased software, all software licenses, software documentation, purchase invoices if available, and information generated by the management process; and
■ Develop, implement, and regularly monitor adherence to software procurement procedures.
Taking inventory of your software is a critical component of the management process. You must identify all software residing on your organization’s computers, and collect and store in a secure repository the licenses and documentation for the software your organization supports.
Finally, be prepared to take action. Corrective action might be necessary to align inventory with policies and procedures, as well as licensing agreements. Stay current by regularly updating the list of software supported by your organization and updating, as necessary, the terms of your licensing agreements. And take preventive action to minimize the need for future corrective action.
3.1 CREATE AN ENVIRONMENT FOR SUCCESS
You must build out the organizational environment in five dimensions. Remember, no management process will succeed if its goals are not clearly defined and achievable, if responsibilities are unclear, or if there are no consequences to actions taken or not taken in the process.
3.1.1 Articulate and Communicate a Clear Software Policy
An effective management plan begins with a clear statement of policy. It should include separate sections for articulating your organization’s commitment to three goals:
■ Enforcing all applicable copyrights;
■ Managing software assets to obtain maximum benefit; and
■ Acquiring properly licensed software through an approved procurement process that minimizes the risk of acquiring illegal software.
Appendix B contains a sample policy statement for your organization to consider. The policy statement you develop should be included in your organization’s employee handbook. It should also be posted on your organization’s employee bulletin board and made available on your Intranet.
3.1.2 Obtain Employee Acceptance
To succeed, employees must understand and accept the management process. You can enlist their support by doing three things:
■ Clearly describe, communicate, and require acknowledgment of the organization’s policy, management process, procurement procedures, and employee responsibilities.
■ Educate and train employees to understand what is expected of them, how they can contribute to the success of the management process by knowing how to identify illegal software and by understanding and complying with the terms of software licenses, and how to use the software provided and supported by the organization.
■ Pay special attention to transitional events such as an employee’s hiring or departure.
Specify, Communicate, and Require Acknowledgment
Initially, generate support by clearly specifying and communicating a software policy, a chain of command, and responsibilities of each employee. Include the information in the employee handbook. Distribute the information at new-employee orientation. Avoid confusion by requiring each employee to sign a copy of the statement. The signed statement is evidence that each employee has been made aware of, understands, and agrees to comply with the organization’s software policy and management process.
Educate and Train
Training is an important element of obtaining employee acceptance. You should develop a training program providing instruction in three general areas:
■ Understanding the organization’s statement of policy, including the management process, procurement procedures, and employee responsibilities;
■ How to know if software or its use is illegal; and
■ How to take advantage of the software assets supported by the organization.
In addition to explaining the policy to new employees during their orientation, helping employees understand the policy and their responsibilities can be accomplished by regularly reviewing with all employees the results of the management process and procurement procedures. An ideal time for review is after completion of a software audit or inventory.
Training employees to recognize when software or its use is illegal begins with an understanding of the many variations of software theft. The five most common types of theft, and how to help employees avoid committing these illegal acts, are summarized below.
1. End user piracy occurs when an individual or organization (the “end user”) reproduces copies of software without authorization. End user piracy can take the following forms:
■ Using one licensed copy to install a program on multiple computers;
■ Copying disks for installation and distribution;
■ Taking advantage of upgrade offers without having a legal copy of the version to be upgraded;
■ Acquiring academic or other restricted or non-retail software, the license for which does not permit sale to, or use by, the organization; or
■ Swapping disks in or outside the workplace.
2. Client-server overuse is a common form of end user piracy. A client-server configuration links multiple computers and permits users to access software stored on a local area network. Client-server overuse often occurs because the organization or its employees fail to understand license restrictions in a network environment. Server software licenses generally limit the number of users on the server, or may require individual access licenses for users. Certain application licenses will authorize use of one installed copy by multiple users, but only within the limits of the license provisions. Exceeding the permitted number or types of users constitutes unauthorized use. License overuse can be controlled by carefully checking software licensing agreements at the time of purchase and installation and educating employees on proper software use.
3. Counterfeiting is the illegal duplication and sale of copyrighted material with the intent of directly imitating the copyrighted product. In the case of packaged software, it is common to find counterfeit copies of the CDs or diskettes incorporating the software program, as well as related packaging, manuals, license agreements, labels, registration cards, and security features. You can guard against the unwitting purchase of counterfeit product by:
■ Carefully checking the authenticity of any product you acquire;
■ Purchasing from resellers with a reputation for integrity and honest business practices; and
■ Ensuring that all user materials and a licensing agreement are included with software at the time of its acquisition.
Any department or group authorized to acquire software should be aware of the following warning signs that often signify counterfeit software:
■ The price of the software is deeply discounted or otherwise appears “too good to be true”;
■ The software is distributed in a CD jewel case without the packaging and materials that typically accompany a legitimate product;
■ The software lacks the manufacturer’s standard security features;
■ The software lacks an original license or other materials that typically accompany legitimate products (e.g., original registration card or manual);
■ The packaging or materials that accompany the software have been copied or are of inferior print quality;
■ The CD has a gold, blue or blue-green appearance, as opposed to the silver appearance that characterizes legitimate product;
■ The CD contains software from more than one manufacturer or programs that are not typically sold as a “suite”; or
■ The software is distributed via mail order or online by resellers who fail to provide appropriate guarantees of legitimate product.
4. Hard-disk loading occurs when a computer hardware reseller loads unauthorized copies of software onto the machines they sell to make purchase of the machine more attractive. You can avoid purchasing such software by ensuring that all hardware and software purchases are centrally coordinated through your organization and all purchases are made through reputable suppliers. Most important, require receipt of all original software licenses, disks, and documentation with every hardware purchase.
5. Online software theft has become more prevalent with the rise in Internet popularity. Employees who download unauthorized copies of software via an Internet site are in violation of the copyright law, just as if they had made an authorized copy from a disk. Although some manufacturers expressly permit their software programs to be downloaded without payment of a licensing fee, these programs are still subject to a licensing agreement. Pay careful attention to educate all employees to the fact that software should not be downloaded from the Internet without express authorization by the official, department or group in charge of software procurement.
The final element of your training program is conventional training. One of your more challenging tasks will be to obtain acceptance of the list of software supported by your organization. Everyone will have a software preference and someone is likely to want an application your organization has chosen not to support. To minimize the likelihood of such outcomes and their potentially disruptive impact, it is critical to offer regular training in the software supported by your organization.
Pay Special Attention to Employee Transitions
Employee transitions are critical times in the software management process. Exiting employees need to be debriefed. Their computers should be checked for installed software. They should be asked whether they have illegally copied onto a diskette or other portable storage medium any software licensed or controlled by the organization. If they had installed copies of the organization’s software on their home computers, they should be reminded of their responsibility to delete the programs. The computer previously assigned to the exiting employee must be reconfigured with the software required of the employee(s) to whom the computer will be reassigned.
3.1.3 Identify, Distribute, and Regularly Update a List of Supported Software
You must identify with specificity the software supported by your organization. The list, a sample form of which is contained in Appendix C, must contain information in three broad categories:
■ Software currently supported, terms of the license, and authorized number of users;
■ Location of the software; and
■ Future plans to add, upgrade, and dispose of software.
By following the four steps described below, the list you develop will include the information necessary to fully specify the current state of your organization’s authorized and supported software assets.
1. Begin by determining all classes and subclasses of software your organization deems necessary to accomplish its mission. Different classes include operating systems, communications, utilities, word processors, graphic, database, spreadsheet, network, and others. Subclasses are, for example, a disk operating system and network operating system, data compression utilities, presentation graphics, etc.
2. Within each class and subclass, decide which product and version will be supported and the employees who will be using it.
3. Once the number of employees requiring use of the software is identified, determine the number of copies to be authorized and supported by the organization. Of course this will depend on the licensing terms available for the software. Specify the terms of the license chosen.
4. Finally, decide how to distribute the software. Specify the serial number(s) of the computer(s) on which the software is installed, and, when applicable, the organizational unit or department and the employee(s) to whom the computer is assigned.
In addition to developing the list of currently supported software and authorized use, you must project your software needs at least three years into the future. It is important to look ahead to anticipate software upgrades, additions, and disposals. The future schedule of such events, though preliminary and subject to change, should be included in the list of supported software.
3.1.4 Establish a Secure Repository
All licenses and documentation for the organization’s authorized and supported software, as well as the original diskettes or CDs, should be collected and stored in a secure central location. By providing secure storage for the original diskettes or CDs, you will minimize the risk of software theft and unauthorized duplication of software programs. Leaving original disks or CDs lying around often leads employees to mistakenly believe they are spare copies that can be loaded onto their computers.
3.1.5 Develop and Implement Software Procurement Procedures
Your organization should develop and implement an official software procurement process. Any department or group authorized to purchase software should be trained in general licensing requirements and proper procurement procedures. The process begins with a formalized request for authorization to purchase software, an evaluation and justification of need, and identification of the channels through which the software must be purchased. Additional procedures that should be part of the process are listed below.
■ Require that all purchases of software be made through a purchasing department or group designated with such responsibility for the organization;
■ Require that all requests be submitted in writing and approved by the department manager with budgetary signing authority;
■ Disallow reimbursement of any employee expense charged to an employee expense account that was expended for software acquisition;
■ Require that all software purchases be made through reputable, authorized resellers;
■ Require that all software purchases be accompanied by related user materials (e.g., manuals, registration cards, etc.) and all proper licenses and receipts evidencing legal acquisition and use; and
■ Disallow purchase of software not included in the organization’s list of supported software.
Part 3 of the sample software policy
statement in Appendix B contains a
suggested procurement process
statement. To ensure compliance
with the process, periodically review
records of software purchases.
3.2 TAKE INVENTORY
The second major task of an effective software asset management process is inventorying all software residing on all the organization’s computers, the original licenses for all software supported and authorized for use by your organization, and all software documentation (including purchase invoices if available). You must know what you have before you can manage it. By comparing the results of this initial baseline inventory to the organization’s software policy and list of supported software, you will be able to identify and delete illegal software and software you no longer officially support, and identify and stop use in violation of your software licensing agreements. Your organization’s progress in this effort should then be monitored through subsequent periodic audits or inventories.
3.2.1 Accomplish Three Tasks
The software inventory must generate information that allows you to accomplish three tasks:
■ Identification of all software residing on your organization’s computers;
■ Identification of illegal and unsupported software residing on your organization’s computers; and
■ Identification of software use that is not in compliance with the organization’s policies and procedures, copyright law, or licensing agreements.
Identify Software Residing on the Organization’s Computers
The inventory begins with identification of all software found on the organization’s computers. The process consists of the following tasks:
■ Record the serial number of the computer, workstation, or server being analyzed.
■ Record the organizational department to which the computer is assigned.
■ Record the name of the employee(s) to whom the computer is assigned.
■ Inspect the contents of the computer or workstation’s hard disk and, if networked, the server and other locations where software might be found.
■ Identify any hidden files and directories and record the details of any such occurrences for subsequent investigation.
■ For software with single user licenses, record the serial number of each. For networked computers, record the licensing information for the software found on the workstation and server.
■ Ask the manager and staff if any software is maintained on floppy diskettes, and, if so, inspect the diskettes.
■ Inspect the computer and user areas for evidence of any photocopied material such as user guides.
■ Ask the manager and staff if any unauthorized software is used in the department.
■ Review the findings and compare them with the list of supported software, and the licenses and documentation stored in the repository.
Appendix D contains a sample form for recording the information that must be collected in the software inventory. Specialized inventory application software, which is discussed later, can be used to make the inventory job relatively easy.
Identify Illegal and Unsupported Software
The identification of illegal and unsupported software is accomplished by comparing the results of your inventory to the list of software supported by your organization. Although the task is straightforward, it can involve additional analysis. Some executable files found on the computers might appear to be a software program not supported while, in fact, they are components of supported software or otherwise legitimate instruction sets.
Identify Unauthorized Use
The identification of unauthorized use is accomplished by comparing the terms of the licensing agreements you have for your supported software with the number of computers on which the software was found and the number of users having access to the computers. Software metering applications, which are discussed later along with other inventory application software, can help to ensure that software use is in compliance with the software license.
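The two comparisons described above (inventory findings against the list of supported software, and installed copies against license terms) can be automated once the inventory forms are in machine-readable form. The following is an added example, not part of the Guide: the record layout, product names, file names and serial numbers are constructed, and it assumes each license is counted per computer.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One executable recorded during the inventory of one computer."""
    serial: str       # serial number of the computer
    department: str
    employee: str
    executable: str   # file name as found on disk


@dataclass(frozen=True)
class Product:
    """One row of the list of supported software (hypothetical layout)."""
    name: str
    executables: frozenset  # main program plus its known component files
    licensed_copies: int    # assumption: the license is counted per computer


def reconcile(findings, supported):
    """Return (unsupported, over_licensed, under_used).

    unsupported   : findings whose executable matches no supported product
    over_licensed : {product: (computers_found, licensed, [serials])}
    under_used    : {product: (computers_found, licensed)}
    """
    # Index every known file name, so that components of supported products
    # are not reported as separate unsupported programs.
    index = {}
    for product in supported:
        for exe in product.executables:
            index[exe.lower()] = product.name

    unsupported = []
    installed_on = defaultdict(set)  # product name -> computer serials
    for finding in findings:
        product_name = index.get(finding.executable.lower())
        if product_name is None:
            unsupported.append(finding)
        else:
            # Several files of one product on one computer count once.
            installed_on[product_name].add(finding.serial)

    over_licensed, under_used = {}, {}
    for product in supported:
        serials = sorted(installed_on.get(product.name, ()))
        if len(serials) > product.licensed_copies:
            over_licensed[product.name] = (
                len(serials), product.licensed_copies, serials)
        elif len(serials) < product.licensed_copies:
            under_used[product.name] = (len(serials), product.licensed_copies)
    return unsupported, over_licensed, under_used


# Constructed sample data: every name and serial below is invented.
SUPPORTED = [
    Product("ExampleWriter", frozenset({"WRITER.EXE", "WRSPELL.EXE"}), 2),
    Product("ExampleSheet", frozenset({"SHEET.EXE"}), 3),
]
FINDINGS = [
    Finding("SN-001", "Finance", "A. Clerk", "WRITER.EXE"),
    Finding("SN-001", "Finance", "A. Clerk", "wrspell.exe"),
    Finding("SN-002", "Finance", "B. Clerk", "WRITER.EXE"),
    Finding("SN-003", "Records", "C. Clerk", "Writer.exe"),
    Finding("SN-003", "Records", "C. Clerk", "GAME.EXE"),
    Finding("SN-002", "Finance", "B. Clerk", "SHEET.EXE"),
]

if __name__ == "__main__":
    unsupported, over, under = reconcile(FINDINGS, SUPPORTED)
    for f in unsupported:
        print("UNSUPPORTED", f.serial, f.department, f.employee, f.executable)
    for name, (found, licensed, serials) in over.items():
        print("OVER LICENSE", name, found, "found,", licensed, "licensed", serials)
    for name, (found, licensed) in under.items():
        print("UNDER USED", name, found, "found,", licensed, "licensed")
```

Licenses expressed per user or per concurrent connection need the user counts from the inventory as well; the file-name match only narrows the list, and each unsupported finding still needs the manual follow-up the text describes.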
3.2.2 Conduct the Inventory in Accordance with Four General Standards
You should conduct the software inventory in accordance with standards regarding the qualifications of people who will take the inventory, the independence of these people and their organization, their exercise of professional care in conducting the inventory and preparing inventory reports, and the presence of quality controls.
A person or team that collectively
possesses adequate professional
proficiency for the tasks required
should take the inventory. Look for
the following qualifications:
■ Knowledge of and experience
with the methods and techniques
applicable to inventorying
software;
■ Knowledge of the programs,
activities, and functions of your
organization; and
■ Good communication skills.
The person or team should be free from personal and external impairments to independence. In addition, an independent attitude and appearance must be maintained. It is important that the opinions, conclusions, judgments, and recommendations of the person or team be impartial and viewed as impartial by knowledgeable third parties.
Due professional care must be used to conduct the inventory and prepare inventory reports. The person or team should use sound judgment in establishing the scope and timing of the inventory, selecting the methodology and specific procedures, and evaluating and reporting the results.
3.2.3 Rely on the Element of Surprise, Yet Include All Computers
Once the organization’s entire software base has been examined in the initial baseline inventory, the organization should conduct periodic inventories to monitor compliance. For these subsequent inventories, it might not be practical to include all computers in a single procedure. In such circumstances, a sample of computers should be inspected, but over the course of a year, every computer should be re-inspected and its installed software included in the inventory.
3.2.4 Specialized Inventory and Metering Applications Can Make the Job Easier
Specialized application software can inventory and meter the use of your organization’s software. When possible, these tools should be used. They will make the inventory process more efficient and help you more accurately manage software use. Evaluate specific products available in your market by answering the following questions:
■ Is the application effective for an organization this size;
■ Does the application work in a networked or stand-alone environment;
■ How does the application recognize software and, if by comparing to known products included in a database, how often is the database updated;
■ How is the application deployed;
■ What is the application’s user interface;
■ What are its reporting capabilities;
■ What support is available; and
■ What is the cost of the application?
Appendix E contains a matrix summarizing five randomly chosen inventory applications and two randomly chosen metering applications. Please do not interpret the inclusion of these specific products as indication of support for them over the dozens of others that are on the market today or about to be brought to the market.
3.2.5 Other Options
You can conduct the software inventory without the use of specialized application software. The process will take additional time and, with respect to monitoring software use, the information generated is likely to be less precise. Nevertheless, the process will generate the information you need to guard against the possibility of illegal software and illegal use of software in your organization.
Appendixes F, G, and H contain command sets for inventorying your software without the benefit of a specialized application within the following three environments:
■ Stand-alone computers running DOS;
■ Stand-alone or networked computers running Windows; and
■ Stand-alone Macintosh computers.
The key to identifying software on
DOS and Windows systems is to
find all files suffixed with .EXE,
which is short for executable.
All software must have at least one
executable file. The challenge is to
weed through numerous executable
files that might be small subsets of
instructions embedded in legitimate
software to find the executable file
of an illegal program.
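The search for .EXE files described above, together with the earlier task of recording hidden files and directories, can be scripted where a scripting language is available on the computer being inspected. The following is an added example, not one of the Guide's appendix command sets: function names are hypothetical, and listing the largest executable per directory first is a review heuristic, not a rule from the Guide.

```python
import os
import stat
import sys
from collections import defaultdict

# Windows marks hidden entries with this attribute bit; elsewhere only the
# dot-prefix naming convention applies.
_HIDDEN_BIT = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2)


def _is_hidden(name, info):
    attrs = getattr(info, "st_file_attributes", 0)  # present on Windows only
    return name.startswith(".") or bool(attrs & _HIDDEN_BIT)


def scan_for_executables(root):
    """Walk root and return (by_dir, hidden, unreadable).

    by_dir     : {directory relative to root: [(file name, size in bytes)]}
    hidden     : hidden files and directories, relative to root
    unreadable : paths the scan could not open, so the gap is on record
    """
    by_dir = defaultdict(list)
    hidden, unreadable = [], []

    def on_error(err):
        unreadable.append(err.filename)

    for dirpath, dirnames, filenames in os.walk(root, onerror=on_error):
        dirnames.sort()  # stable order; hidden directories are still entered
        for name in dirnames + sorted(filenames):
            full = os.path.join(dirpath, name)
            try:
                info = os.lstat(full)
            except OSError:
                unreadable.append(full)
                continue
            if _is_hidden(name, info):
                hidden.append(os.path.relpath(full, root))
            # Suffix match is case-insensitive: WORD.EXE and word.exe both count.
            if stat.S_ISREG(info.st_mode) and name.lower().endswith(".exe"):
                by_dir[os.path.relpath(dirpath, root)].append(
                    (name, info.st_size))
    return dict(by_dir), hidden, unreadable


def review_list(by_dir):
    """One row per directory: (directory, number of .EXE files, largest one).

    Grouping by directory lets the reviewer look at one candidate program per
    install directory instead of every component file. Heuristic only: the
    largest executable is listed because it is often the main program.
    """
    rows = []
    for directory in sorted(by_dir):
        files = by_dir[directory]
        largest = max(files, key=lambda item: item[1])[0]
        rows.append((directory, len(files), largest))
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found, hidden_items, skipped = scan_for_executables(target)
    for directory, count, largest in review_list(found):
        print(f"{directory}: {count} executable(s), largest {largest}")
    for item in hidden_items:
        print("HIDDEN", item)
    for item in skipped:
        print("UNREADABLE", item)
```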
Using DOS on Stand-Alone Computers
It is best to use specialized inventory application software. An inventory can be performed without such software, but you must commit a significant amount of time to the inventory process. You must inspect the contents of each computer’s hard drive using only DOS-based command instructions. There are three alternative ways to undertake the effort, and the commands to follow in each approach are contained in Appendix F.
■ Exhaustive inspection;
■ User-level instructions with manual inspection; and
■ User-level instructions with automated inspection.
In an exhaustive inspection approach, disk partition information is inspected and hidden files and subdirectories are located and examined. Only competent technicians or systems engineers should attempt this method of inventorying software.
User-level instruction with manual inspection can be used when the hard disk is not partitioned. It can also be used to examine the contents of a computer’s hard drive without invoking disk partition software that could cause catastrophic data loss if used improperly.
An automated inspection method
assumes all software information
will be gathered by end users and
forwarded to a centralized location
for inspection. A single hard drive
partition is assumed. Drives with
multiple partitions should be
inspected manually.
Using Windows on Stand-alone or Networked Computers
Using Windows to inventory software is easier but still time consuming. Again, the person taking the inventory must find all .EXE files on the computer and invoke the software to examine licensing information. Opening all folders to determine whether they contain software can be time consuming, and, although use of the PRINT SCRN key to print the information and images on the desktop is an excellent way of generating a printed record of the inventory, it too requires time. However, the job does not require sophisticated technical knowledge and experience. Appendix G contains the instructions for inventorying your software if you are using a Windows-based system.
Using the Macintosh Operating System on Stand-Alone Computers
Like using Windows, the Macintosh operating system can generate an inventory of software, but it requires more time than specialized inventory application software. The commands required are contained in Appendix H.
3.3 TAKE ACTION
The final major component of the management process is action. You must be prepared to take corrective action when necessary and preventive action to minimize the need for future corrective action.
3.3.1 Take Corrective Action When Necessary
There are two breaches requiring corrective action. Whenever either is found to have occurred, all employees must be informed and reminded of their responsibilities to the organization’s software policy and management process.
Correct Breaches in Software Policy
When an employee is found not to be in compliance with the organization’s software policy, he or she must be informed of the breach, reminded of his or her acknowledgment of responsibility to the policy, asked to cease such behavior, and warned that if future breaches occur, they could be grounds for dismissal. A written record of all such instances should be included in the employee’s personnel file. Employee notification is important, and these corrective measures should be taken only once an employee has been properly advised of the software policy and has subsequently been found in violation.
Correct Breaches in Licensing Agreements and Copyright Law
When the infraction is a breach of copyright law or the terms of a software license, the incident has potentially serious consequences for the employee and the organization.
If the inventory were to reveal illegal copies of software residing on the organization’s computers, the copies must be deleted immediately. If the infraction is severe and found to be widespread throughout the organization, senior managers should be informed. You might also want to inform the copyright holder if the discovery revealed information (such as the location of an illegal software copying and distribution operation) that would be of benefit to the copyright holder. All efforts should be made to identify the employee or employees responsible for the violation. The incident and its final outcome should be recorded and maintained with all other documentation in the secure repository. All violations attributed to a specific employee should be recorded in the employee’s personnel file.
If the inventory were to reveal software use not in compliance with licensing terms, all users of the particular product must be informed of the infraction, and, if necessary, a new licensing agreement must be struck to include use by those whose use had previously not been covered by the license.
3.3.2 Always Take Preventive Action
To minimize the number and severity of breaches, you should take preventive action in three arenas: the environment for success, taking inventory, and procurement.
Maintain the Environment for Success
To maintain a workplace environment in which the management process will succeed, you should strive to stay current by regularly updating your list of supported software and authorized use, modifying the availability of products to reflect changing patterns and intensity of use, and communicating with employees.
Regularly Review List of Supported Software and Use
Demonstrate the organization’s interest in ensuring that its employees have the software they need by regularly reviewing the list of supported software and authorized use. Seek out the opinions of those who are more reliant on software. And strive to understand why some employees appear to have little need for software. When necessary, modify the list, announce the changes, and distribute the new list throughout the organization.
When Necessary, Modify the License or Number of Copies
When software use changes, modify the number of copies you support or the type of license to reflect the new situation. In times of increasing demand for a particular product, too few copies or a license that is too restrictive places the organization in greater jeopardy of its employees violating licensing agreements. And when demand is declining, you do not want the organization supporting copies or renewing licenses that are not necessary.
Keep Communication Open
Seek opportunities to communicate with employees about their software needs, experiences with specific products, policy and process responsibilities, and management results. Employees must see that their actions have consequences.
Conduct Random Spot Inventories
Regrettably, human nature is such that often the element of surprise is necessary to obtain a clear picture of behavior. It is important to periodically take inventory. Select the computers to be inspected. Targets could include computers previously found to be in breach of policy or law. Announce the results of all such random spot checks.
Periodically Review Software Procurement Records
Periodically review the record of software procurement to determine whether those responsible for procurement are adhering to the organization’s procurement policy. Whenever a legal breach is discovered through the process of inventorying software, every attempt should be made to determine whether the breach was due at least in part to a failure to follow the official procurement procedures.
GLOSSARY
Application Software
General term for software programs that perform specific tasks such as accounting, word processing and database management.
CD-ROM
A type of optical disk capable of storing large amounts of data - up to 1GB (gigabyte), although the most common size is 650MB (megabytes). CD-ROMs are read-only storage media best suited for holding reference information which does not change on a daily basis and is not subject to being updated by those who use it.
Copyright
The legal rights of an author under federal law to control the reproduction, distribution, adaptation, and performance of his/her work, including software. The copying of a copyrighted work without the permission of its author may subject the copier to both civil and criminal penalties.
Diskette
A flat piece of flexible plastic covered with a magnetic coating which is used to store data (also called a floppy disk). The existing standard for diskette size is 3 1/2 inches. Unlike hard disks, floppy disks can be removed from a disk drive and, thus, are portable.
Download
To move a file from a computer at another site to your computer over a communications line. The term is often used to describe the process of copying a file from the Internet or a Bulletin Board System (BBS) to a computer. Downloading can also refer to copying a file from a network file server to a computer on the network.
End User
The final or ultimate user of a computer system and/or product.
Fixes
Corrections to vendor supplied software. The vendor does not necessarily supply these fixes.
Hard Disk
A magnetic disk on which you can store computer data (also called a hard drive). Unlike floppy disks, hard disks cannot be easily removed from the computer and, hence, are not portable. Hard disks hold more data and are faster than floppy disks. A hard disk, for example, can store anywhere from 10 megabytes to several gigabytes, whereas most floppy disks have a maximum storage capacity of 1.4 megabytes.
Hardware
The physical components of a computer system.
Intellectual Property Rights
The legal rights persons have to prevent others from using without permission certain kinds of intangible property. The objective of laws protecting intellectual property rights is to promote innovation and creativity. These laws take a number of different forms, including laws protecting patents, which govern rights in inventions; copyright, which governs rights in software, books, movies, and music; trademarks, which protect the reputation of the entity which owns a mark; and trade secrets, which safeguard valuable business information.
LAN
Local Area Network. A computer network that spans a relatively small area. A LAN lets you share files as well as devices such as printers or CD-ROM drives. A LAN can be connected to other LANs over any distance via telephone lines and radio waves; a system of LANs connected in this way is called a wide-area network (WAN).
License
A legally binding agreement in which one party grants certain rights and privileges to another. In the computer field, a software publisher will typically grant a non-exclusive right (license) to a user to use one copy of its software and prohibit further copying and distribution of that software to another user.
Modem
A device or program that enables a computer to transmit data over telephone lines.
Network Operating System
An operating system that includes special functions for connecting computers and devices into a local-area network (LAN). A network operating system coordinates a network’s primary functions such as file transfer and print queuing.
Operating System
The master control program that translates the user’s commands and allows application programs to interact with the computer’s hardware. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. Common operating systems include DOS, Windows, and Mac OS.
Piracy
The illegal use and/or distribution of property protected under intellectual property laws. Software piracy can take many forms. End user piracy occurs when an individual or organization reproduces and/or uses unlicensed copies of software for its operations. Client-server overuse occurs when the number of users connected to or accessing one server exceeds the total number defined in the license agreement. Server piracy occurs when illegal copies of software are loaded onto one or more servers. Counterfeiting is the illegal duplication of software with the intent of directly imitating the copyrighted product. Hard-disk loading occurs when a computer hardware reseller loads unauthorized copies of software onto the machines it sells. Online software theft occurs when individuals download or upload unauthorized copies of software from the Internet or a Bulletin Board System (BBS). License misuse occurs when software is distributed in channels outside those allowed by the license, or used in ways restricted by the license.
Server
A computer or device on a network that manages network resources. For example, a file server is a computer and storage device dedicated to storing files. Any user on the network can store files on the server. A print server is a computer that manages one or more printers, and a network server is a computer that manages network traffic. A database server is a computer system that processes database queries.
Software
Computer instructions or data. Anything that can be stored electronically is software. A piece of software is also known as a program.
System software products
Software program packages, other than application program packages, that manage systems resources (e.g., operating systems, database management systems, etc.).
Upgrade
A new version of a software or hardware product designed to replace an older version of the same product. Typically, software companies sell upgrades at a discount. In most cases, you must prove you own an older version of the product to qualify for the upgrade price.
Upload
To move a file from your computer to another computer; the opposite of download.
WAN
Wide-Area Network. A computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a wide-area network are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites.
Appendix
EXHIBIT A
MODEL GOVERNMENT DECREE ON LEGAL SOFTWARE USE
WHEREAS the use of proprietary computer software has become essential to the mission and operation of the executive agencies of the Government, and the Government is a major user of information technology;
WHEREAS proper software management is critical to ensuring that the Government receive the full benefits of its software use and operate in compliance with its own and all relevant copyright laws;
WHEREAS the unlicensed copying and sale of computer software are illegal and seriously undermine employment opportunities and tax revenues generated by the computer software industry;
WHEREAS the Government must set an example for other public and private entities regarding proper software management by ensuring that it is not a party to computer software piracy.
It shall be the policy of the Government that:
1. Each executive agency shall work diligently to prevent and combat computer software piracy in order to give effect to intellectual property rights associated with computer software by observing the relevant provisions of international agreements, including the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property and the Berne Convention for the Protection of Literary and Artistic Works, as well as the relevant provisions of national law.
2. Each executive agency shall ensure that budget proposals relating to computer software and data processing needs include adequate resources for the purchase of sufficient computer software to meet those needs. These resources should be delineated as a separate line-item in the agency’s budget.
3. Each executive agency shall establish systems and controls to ensure that the agency has present on its computers and uses only computer software in compliance with applicable copyrights. These systems and controls shall include:
a) appointment of a responsible Chief Information Officer (CIO) for each executive agency, who shall certify that agency’s compliance with software management policies annually to the appropriate central office;
b) completion of an initial inventory of the software present on the agency’s computers and the number of copies of each program for which the agency has valid licenses;
c) following completion of the initial inventory, deletion of any software programs in numbers exceeding the valid licenses held;
d) development and maintenance of adequate record-keeping systems to record the results of the initial inventory and thereafter track the acquisition of additional software licenses and the installation or use of additional copies of software permitted under such additional licenses, ensuring that such records at all times indicate licenses sufficient to cover all software in use and maintain all license documentation in a single place;
e) channeling all software purchase requests through a single point monitored by the CIO;
f) institution of periodic inventories of each executive agency’s computers to determine the continued accuracy of the agency’s software record-keeping systems; and
g) implementation of an agency-wide information and training program for employees regarding the necessity of legal computer software use, including signature of a written compliance notice and establishment of disciplinary offenses and penalties for non-compliance.
4. In connection with the acquisition and use of computer software, the head of each executive agency shall:
a) establish and maintain a comprehensive software management policy and an effective program to ensure proper acquisition, distribution, management, use, and disposition of all computer software products;
b) ensure that the policies, procedures, and practices of the agency related to intellectual property rights protecting computer software are adequate and fully implement the policies set forth in this order;
c) ensure agency compliance with the intellectual property rights protecting computer software and the provisions of this order by establishing agency-wide management structures and processes to ensure that only legal computer software is acquired for and used on the agency’s computers;
d) establish performance measures to assess the agency’s compliance with intellectual property rights associated with computer software acquired, distributed, or used by the agency and with the provisions of this order;
e) direct and support appropriate training of agency personnel regarding intellectual property rights associated with computer software and the policies and procedures adopted by the agency to honor them.
5. In connection with all third-party contractors and applicants for funds administered by the agency, each executive agency shall:
a) require the applicants to certify, as a condition of approval of any funding application, that they have appropriate systems and controls in place to ensure that agency funds are not used to acquire, operate or maintain computer software without proper authorization, including: (1) the institution of reasonable inventory procedures to ascertain that the computer software present on the computers acquired or operated with agency funds is legal and (2) the provision of the inventory results to the agency;
b) withhold agency funds, as it deems appropriate, from any applicant found to be using illegal computer software with respect to any program supported by the funds, until such time as it has been established to the satisfaction of the agency’s auditors that reasonable steps have been taken to ensure that illegal software is no longer present on that applicant’s computers used with respect to any such program;
6. Each agency shall cooperate fully in implementing this order and shall share information as appropriate that may be useful in combating the use of computer software without proper authorization.
EXHIBIT B
SAMPLE STATEMENT OF ORGANIZATION’S SOFTWARE MANAGEMENT POLICY
Part 1. General Responsibilities
The Policy of [organization] is to manage its software assets to derive maximum benefit to [organization] and its employees and, especially, to ensure that [organization] and its employees:
■ Acquire, reproduce, distribute, transmit, and use computer software in compliance with international treaty obligations and [insert country name] laws, including the [insert specific key laws]; and
■ Maintain only legal software on [organization’s] computers and computer networks.
All software is protected under [country specific] copyright laws from the time of its creation. [Organization] has licensed copies of computer software from a variety of publishers to help fulfill its mission. Unless otherwise provided in the software license, duplication of copyrighted software, except for backup and archival purposes, is a violation of the [applicable law] and this Policy.
You may not knowingly use software for which [organization] lacks the appropriate license. If you become aware of the use or distribution of unauthorized software in this organization, notify your supervisor or the Office of the Chief Information Officer (CIO).
You may not loan or give to anyone any software licensed to this organization.
The licenses for some of this organization’s software permit employees of the organization to make a copy of the software for home use. The CIO may approve such use by employees that can demonstrate a need to conduct the organization’s business from their homes. Under no circumstances, however, may an employee use the organization’s software for purposes other than the business of this organization.
No employee may use or distribute personally-owned software on the organization’s computers or networks. Such software threatens the integrity and security of the organization’s computers and networks.
A variety of software is available on the Internet. Some of this software, called “freeware” or “shareware,” is available free of charge for limited use and may be downloaded to your computer with the prior written approval of your supervisor. Other software available on the Internet and from other electronic sources, however, requires the user to obtain a license for its use, sometimes for a fee. No employee shall download such software to his or her computer without the prior written approval of the CIO.
Part 2. The Software Asset Management Process
[Organization] is committed to managing its software assets for maximum benefit to the organization and its employees. The process consists of three areas of focus: (1) Creating an environment in which the process will succeed, (2) Reviewing the software assets residing on the organization’s computers, and (3) Acting to correct breaches in policy and the law, keep the Policy and its procedures current, and prevent future breaches.
[Organization] will strive to create an environment for success by communicating this policy; educating employees about their responsibilities; training employees in the software supported by this organization; identifying and modifying as necessary the software employees need to fulfill their job responsibilities; establishing a secure repository for original storage media, software licenses, and software documentation; and requiring that all software be procured through official and clearly defined procedures.
As part of this organization’s software management process, the CIO shall conduct periodic, random reviews of all organization computers and networks to determine the software resident on such systems and whether the organization has the appropriate licenses for all such software. The CIO also shall conduct periodic, planned reviews, in which the CIO may ask you to complete a Software User Survey. This Survey will be used to determine your existing and future use and need of particular software programs. Your cooperation with all reviews and Software User Surveys is greatly appreciated. The CIO will endeavor to conduct its work with the least possible disruption of your workday.
You may be held responsible for the existence of any software on your computer for which the organization lacks the appropriate licenses. Consequences for such unauthorized use of software range from a reprimand for minor offenses to termination of employment for repeated, willful offenses.
Part 3. Software Procurement and Installation Procedures
All requests for software and software upgrades shall be submitted to the Office of the Chief Information Officer (CIO), where possible.
Any software and software upgrades not acquired by the CIO shall be documented and identified to the CIO, who will verify that the Agency has an appropriate license for the use of such software.
All acquisitions of hardware that include bundled software shall be documented and identified to the CIO, who will verify that the Agency has an appropriate license for the use of such bundled software.
The CIO shall store in a secure, central location all original software licenses, disks, CD-ROMs, and documentation upon receipt of all new software, including copies of completed registration cards.
The CIO shall designate those employees authorized to install software on the organization’s computers.
No employee shall install or distribute software for which this organization lacks the appropriate license.
No employee shall install any software upgrade on a computer that does not already have resident on it the original version of the software. The CIO or designated employee shall destroy the original version’s backup copy of the upgraded software in its place.
The CIO or designated employees shall destroy all copies of software that is obsolete or for which the organization lacks the appropriate license. Alternatively, the CIO may obtain the license(s) necessary to maintain unauthorized software on organization computers.
The organization’s department with procurement responsibility must establish and maintain a recordkeeping system for software licenses, hardware, original CD-ROMs and diskettes, user information, and review information. Maintain this information in a secure, central location. Consider the use of software management computer programs to automate such recordkeeping.
*************
The organization is committed to communicating this Policy with its employees. The organization will:
■ Include the Policy Statement in the employee handbook. Distribute the updated handbook to all employees.
■ Train new employees during their initial orientation on how to comply with the Policy.
■ Hold seminars on the Software Policy for existing employees to inform them of the types of software licenses, how to detect and prevent piracy, how to implement the Software Policy, and consequences of violating the Policy and relevant law.
■ Require new and existing employees whose responsibilities include the installation, maintenance, or oversight of information technology systems to acknowledge and sign the Software Policy Statement.
■ Circulate reminders of the Policy on a regular basis (at least annually) or remind employees of the Policy in other ways (at least annually), for example, through notices in agency newsletters.
■ Inform employees where they can get additional information on the Policy and software theft prevention.
If you have any questions concerning this Policy or your obligations under it, you may direct them to either your supervisor or the CIO (provide phone numbers, office locations, and e-mail addresses).
EMPLOYEE ACKNOWLEDGMENT OF UNDERSTANDING AND RESPONSIBILITY:
__________________________________________
Printed Employee Name
__________________________________________ __________________________________________
Employee Signature                          Date
EXHIBIT F-1. COMPREHENSIVE INSPECTION IN A DOS® ENVIRONMENT
1. Boot machine to be examined.
2. At the DOS prompt, type “VER” and hit ENTER.
3. This command displays the current DOS version information. Record and compare with known departmental standards.
4. Set the system path to the DOS subdirectory by entering the command “PATH=C:\DOS” and hitting ENTER.
5. Enter the command “FDISK” and hit ENTER. This will start a program that examines a system’s hard drive for partition information.
6. Select the choice from FDISK’s menu that displays current partition information. If a single partition is shown of type DOS, then this represents drive “C” of your system. If multiple partitions are displayed, then each partition represents an area of storage that will have to be examined.
7. Inspect the drive partition information for non-standard partition information. If partition information is displayed of a non-standard nature, then make a note that the system may have another operating system installed other than DOS.
8. After viewing disk partition information, exit FDISK by hitting ESC and following instructions echoed to the screen.
9. Change your file system default to the first partition by entering the drive letter followed by a colon and hitting ENTER. On most computers, this would be accomplished by entering the command “C:” and hitting ENTER.
10. Go to the root directory of the drive partition by entering the command “CD\” and hitting ENTER.
11. At the ROOT directory of the drive partition you are inspecting, look for installed software applications by finding their main system executable files. Entering “DIR *.EXE /S | MORE” displays the files on-screen. The files can be printed by entering the command “DIR *.EXE /S >PRN” to send a list of these files and the subdirectories where they are located to a local printer attached to LPT1, the first parallel printer port. If a printer is not connected to the computer, then save the directory information as a file on a floppy disk for later inspection. This is accomplished by entering the command “DIR *.EXE /S >A:filespec” where filespec is an 8-character filename assigned by the user.
12. Compare the subdirectory names and contained executable files (*.EXE files) to those of known names, creation time, creation date, and file size. [This information should be found in the organization’s list of authorized and supported software.] If executable files other than departmental standards are encountered, then these applications will have to be further scrutinized for legality.
13. Invoke each application and inspect for licensing information. This is accomplished by navigating to the subdirectory listed and typing in the name of the executable and then hitting ENTER. For example, to inspect a program named 123.EXE in a subdirectory named LOTUS enter the following: “CD\LOTUS” and then hit ENTER. Next type “123” and hit ENTER. Upon loading, the program should display software-licensing information such as Serial Number, Registered Username, and Registered Company Name. Note this information, record it, and compare it later with the list of authorized and supported software and licenses. If the information is blank or lists another company’s name, then assume the software is either illegal or improperly registered.
14. Once all subdirectories containing executable files have been scrutinized, return to the root directory by entering the command “CD\” and then hitting ENTER. At the root’s DOS prompt, enter the command “ATTRIB *.* /P” and hit ENTER. This will display all file and directory information. Look for subdirectories showing the attribute “H” as this denotes hidden subdirectories. If found, note these subdirectory names. Once noted, visit these hidden subdirectories by first making them visible. This is accomplished using the command “ATTRIB filespec -H” where filespec is the subdirectory name.
15. Change your path to these subdirectories by entering the command “CD\filespec” where filespec is the subdirectory name. Next enter the command “DIR *.EXE” to display executable files. If displayed, invoke the largest *.EXE file by typing the filename and hitting ENTER.
16. If an application starts, note all information concerning the name of the application and all registration information displayed to the screen. Compare later with the list of known organization standards and registration information.
EXHIBIT F-2. USER LEVEL INSTRUCTIONS AND MANUAL INSPECTION IN A DOS ENVIRONMENT
1. Boot machine to be examined.
2. At the DOS prompt, type “VER” and hit ENTER.
3. This command displays the current DOS version information. Record and compare with known organization standards.
4. Go to the root directory of the drive partition by entering the command “CD\” and hitting ENTER.
5. At the ROOT directory of the drive partition you are inspecting, look for installed software applications by finding their main system executable files. This is accomplished by entering the command “DIR *.EXE /S >PRN” to send a list of these files and the subdirectories where they are located to a local printer attached to LPT1, the first parallel printer port. If a printer is not connected to the computer, then save the directory information as a file on a floppy disk for later inspection. This is accomplished by entering the command “DIR *.EXE /S >A:filespec” where filespec is an 8-character filename assigned by the user. Entering “DIR *.EXE /S | MORE” displays the files on-screen.
6. Compare the subdirectory names and contained executable files (*.EXE files) to those of known name, creation time, creation date, and file size. [See the list of authorized and supported software.] If executable files other than those authorized are encountered, then these applications will have to be further scrutinized for legality.
7. Invoke each application and inspect for licensing information. This is accomplished by navigating to the subdirectory listed and typing in the name of the executable and then hitting ENTER. For example, to inspect a program named 123.EXE in a subdirectory named LOTUS enter the following: “CD\LOTUS” and then hit ENTER. Next type “123” and hit ENTER. Upon loading, the program should display software-licensing information such as Serial Number, Registered Username, and Registered Company Name. Note this information and record manually. If the information is blank or lists another company’s name, then assume the software is either illegal or improperly registered.
EXHIBIT F-3. USER-LEVEL INSTRUCTIONS AND AUTOMATED INSPECTION IN DOS ENVIRONMENT
PHASE 1
1. Prepare an inspection diskette by creating a bootable floppy. This is accomplished by inserting a blank disk in drive A, setting the system path to the DOS subdirectory by typing “PATH=C:\DOS” and hitting ENTER. Then type the command “FORMAT A:/S” and hit ENTER.
2. Once completed, create the file “AUTOEXEC.BAT” by typing the following commands at the DOS prompt:
    COPY CON A:AUTOEXEC.BAT
    C:
    CD\
    REM Write the listing to the inspection floppy, not to the drive being examined
    DIR *.EXE /S >A:SOFTLIST.TXT
    CLS
    ECHO PROCESS COMPLETED!
3. Place an end-of-file marker at this point by hitting the F6 key, which displays a Control-Z to the screen. Upon hitting ENTER, the file is created on the floppy.
4. Boot machine to be examined with the examination floppy in Drive A.
5. Once the PROCESS COMPLETED message is displayed, at the DOS prompt, type “VER” and hit ENTER. This command displays the current DOS version information. Record and compare with known departmental standards.
6. Route the floppy clearly labeled with information identifying the computer it came from to a centralized technical resource familiar with software identification.
PHASE 2
To be completed by a technician familiar with software identification.
1. Copy the file SOFTLIST.TXT from each user’s floppy to a centralized directory by using the command “COPY A:SOFTLIST.TXT C:filespec” and hitting ENTER, where filespec is a unique filename in a meaningful format identifying the computer inspected.
2. Using visual inspection or automated means, compare the names and subdirectory locations of executable files found on each computer with a known list of files reflecting departmental standards. Investigate further or report those files of unknown or suspicious nature.
3. If no departmental standards exist, then every machine will later have to be visited by a technician and each application represented by executables in subdirectories will have to be manually invoked and inspected for licensing information. This is accomplished by navigating to the subdirectory listed and typing in the name of the executable and then hitting ENTER. For example, to inspect a program named 123.EXE in a subdirectory named LOTUS enter the following: “CD\LOTUS” and then hit ENTER. Next type “123” and hit ENTER. Upon loading, the program should display software-licensing information such as Serial Number, Registered Username, and Registered Company Name. Note this information and record manually. If the information is blank or lists another company’s name, then assume the software is either illegal or improperly registered.
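The "automated means" of Phase 2, step 2 (the same comparison as step 12 of Exhibit F-1 and step 6 of Exhibit F-2) can look like the following Python script, which is an added example and not part of the original guide. It assumes an MS-DOS 6.x-style "DIR *.EXE /S" listing layout and a hypothetical authorized list keyed by full path; the sample listing, the authorized entries and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple


class ExeEntry(NamedTuple):
    path: str   # full path, upper-cased, e.g. C:\LOTUS\123.EXE
    size: int   # bytes
    date: str   # mm-dd-yy as printed by DIR
    time: str   # h:mma or h:mmp as printed by DIR


# "Directory of C:\DOS" opens each per-directory section of DIR /S output.
DIR_HEADER = re.compile(r"^\s*Directory of\s+(\S.*?)\s*$", re.IGNORECASE)
# "123      EXE       425,984 03-10-93  12:00p" (thousands separators optional).
FILE_LINE = re.compile(
    r"^(?P<name>\S{1,8})\s+(?P<ext>\S{1,3})\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{1,2}:\d{2}[ap])\s*$",
    re.IGNORECASE,
)


def parse_softlist(text):
    """Turn a SOFTLIST.TXT listing into ExeEntry records; volume, per-directory
    summary and total lines match neither pattern and are skipped."""
    entries, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group(1).upper().rstrip("\\")
            continue
        row = FILE_LINE.match(line)
        if row and current_dir is not None:
            filename = f"{row['name']}.{row['ext']}".upper()
            entries.append(ExeEntry(
                path=f"{current_dir}\\{filename}",
                size=int(row["size"].replace(",", "")),
                date=row["date"],
                time=row["time"].lower(),
            ))
    return entries


def audit(entries, authorized):
    """Compare parsed entries with the authorized list (upper-case path ->
    (size, date, time)) and return (kind, path, detail) findings."""
    known_names = {p.rsplit("\\", 1)[-1] for p in authorized}
    findings = []
    for e in entries:
        expected = authorized.get(e.path)
        name = e.path.rsplit("\\", 1)[-1]
        if expected is not None:
            if expected != (e.size, e.date, e.time):
                findings.append(("CHANGED", e.path, f"expected {expected}"))
        elif name in known_names:
            findings.append(("MISPLACED", e.path, "authorized name, unlisted directory"))
        else:
            findings.append(("UNLISTED", e.path, "not on the authorized list"))
    return findings


# Constructed sample input; not taken from a real machine.
SAMPLE_SOFTLIST = r"""
 Volume in drive C is MS-DOS_6
 Volume Serial Number is 1A2B-3C4D

Directory of C:\DOS

FDISK    EXE        29,336 05-31-94   6:22a
MEM      EXE        32,502 05-31-94   6:22a
        2 file(s)         61,838 bytes

Directory of C:\LOTUS

123      EXE       425,984 03-10-93  12:00p
        1 file(s)        425,984 bytes

Directory of C:\UTIL\TMP

123      EXE       425,984 03-10-93  12:00p
ARCADE   EXE       118,272 11-02-95   9:41p
        2 file(s)        544,256 bytes

Total files listed:
        5 file(s)      1,032,078 bytes
"""

# Constructed authorized list (hypothetical format): path -> (size, date, time).
AUTHORIZED = {
    r"C:\DOS\FDISK.EXE": (29336, "05-31-94", "6:22a"),
    r"C:\DOS\MEM.EXE": (32150, "05-31-94", "6:22a"),
    r"C:\LOTUS\123.EXE": (425984, "03-10-93", "12:00p"),
}

if __name__ == "__main__":
    for kind, path, detail in audit(parse_softlist(SAMPLE_SOFTLIST), AUTHORIZED):
        print(f"{kind:10} {path}  ({detail})")
```

Each finding is a lead for the further scrutiny the steps above call for, not proof of an unlicensed copy: a size or date mismatch can also mean a patched or upgraded executable.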
EXHIBIT G. WINDOWS® COMMANDS TO INVENTORY SOFTWARE
The best way to produce a complete listing of installed software is to use an auditing tool, such as the BSA’s version of the software GASP (available at http://www.bsa.org/usa/freetools/gasp/). Using such an auditing program not only saves time, but also ensures that every nook and cranny of a computer is checked.
Even without a program such as GASP, it is relatively easy to check what is installed on a given computer.
Steps to inventory software are provided in the following order: 1) identifying the operating system; 2) identifying applications using the Programs option; 3) identifying applications more thoroughly using the Find option; 4) other methods for identifying applications; and 5) identifying fonts.
1. Identifying Operating System Information
1.1 Information on the Windows operating system can be obtained by clicking on the Start button, going to Settings, and then clicking on Control Panel. Once in the Control Panel, double click on the System icon to view the licensing information and product numbers. Record this information.
2. Identifying Applications Using the Programs Option
2.1 You can obtain a listing of programs that can be run on the computer by clicking on the Start button in the lower left corner of the screen and then going to the Programs option. If networked, some of the programs on the menu might be running on your server(s).
2.2 Double click on one of the programs.
2.3 Once in the program, click on the Help pull down menu. There you will find an option referencing “About ________ (program name).” Select that option.
2.4 This screen will tell you the application that is running with any supplied Service Packs that have been installed. It also provides licensing information: to whom the application is licensed, the company to which the application is licensed, and the Product ID/Serial Number. Record this information.
2.5 This procedure will work for almost all Windows-based software. A more thorough search, however, can be performed that would identify any applications that are not listed by using the Programs option. To perform the more comprehensive search, follow the steps below.
3. Identifying Applications Using the Find Option
3.1 Click on the Start button in the lower left corner of the screen, go to Find, and then click on Find Files or Folders.
3.2 Click on the Advanced tab and select Application from the pull down menu for the type of file to be found on the “Of type” line. The search can be limited by seeking applications of a minimum size by selecting “at least” from the pull down menu on the “Size is” line and specifying applications greater than a certain size (perhaps 1,000 K).
3.3 For the list of files shown, double click on each file to open it, and then go to the Help pull down menu and select the option “About ________ (program name)” to determine licensing information. Record this information.
4. Other Methods for Identifying Applications
4.1 Information on applications installed on a hard drive can also be found through the Control Panel’s Add and Remove Programs function and Windows Explorer. The Control Panel can be accessed by clicking on the Start button, going to Settings, and then clicking on Control Panel. Once in the Control Panel, double click on the Add and Remove Programs icon to view a listing of installed programs.
Explorer can be accessed by clicking on the Start button, going to Programs, and clicking on Windows Explorer.
5. Identifying Font Information
5.1 Fonts can be found in one of two ways: 1) by running Adobe® Type Manager® and viewing installed fonts, or 2) by using the Find feature to search for Type1 fonts which have the extension “*.pfb.”
5.2 To use Adobe Type Manager to identify installed fonts, click on the Start button in the lower left corner of the screen, go to Programs, then click on Adobe, and then select Adobe Type Manager.
5.3 Once in Adobe Type Manager, click on Font List to view the installed fonts.
5.4 To use the Find feature, click on the Start button in the lower left corner of the screen, go to Find, and then click on File.
5.5 Then search for “*.pf?” to find PostScript Type 1 outline (and related metrics) files.
EXHIBIT H. MACINTOSH® COMMANDS TO INVENTORY SOFTWARE
The best way to produce a complete listing of software installed on an Apple® Macintosh® computer is to use an auditing tool, such as the BSA’s version of GASP for Mac (available at http://www.bsa.org/usa/freetools/gasp/). Using such an auditing program not only saves time, but also ensures that every nook and cranny of a computer is checked.
Even without a program such as MacScan, it is relatively easy to check what is installed on a given Macintosh® computer.
Steps to inventory software on Macintosh computers are provided in the following order: 1) identifying the Macintosh operating system (Mac® OS); 2) identifying applications on Macintosh computers, including those with older Mac OS versions; 3) identifying applications using the Apple System Profiler on newer Mac OS versions (For newer Macintosh computers, this is likely to be an easier method and should be tried first); and 4) identifying fonts.
1. Identifying the Macintosh Operating System (Mac OS)
1.1 Information on the Macintosh operating system (Mac OS) can be obtained by clicking on the pull down Apple menu (the small apple symbol in the upper left-hand corner) and clicking on About This Computer. Record this information.
2. Identifying Applications (including computers with older Mac OS versions)
2.1 To obtain information on applications used on a Macintosh computer, follow the steps described below to search in the Preferences and Extensions folders. Each method should identify files related to major software programs, and used together, files related to all or nearly all application programs should be identified.
2.2 To view the list of programs in the Preferences folder, double click on the hard drive icon, then double click on the System folder, and finally double click on the Preferences folder. This should provide a list of many files related to major software programs on the hard drive. Opening each program, clicking on the pull down Apple menu (the small apple symbol in the upper left-hand corner), and selecting the About option may provide additional information about each program.
2.3 To view the list of programs in the Extensions folder, double click on the hard drive icon, then double click on the System folder, and finally double click on the Extensions folder. This should provide a list of many files related to major software programs on the hard drive. Opening each program, clicking on the pull down Apple menu (the small Apple symbol in the upper left-hand corner), and selecting the About option may provide additional information about each program.
2.4 Additionally, application programs can be identified using the Find function. To do this, click on the pull down File menu and select Find. Once in Find, many, but perhaps not all, applications can be identified by searching for files whose “kind is” “application” or “control panel.” Application files can also be identified using the Find function by searching by the name of the software publisher (e.g. Autodesk®, or Novell®) or by the name of the application (e.g. Norton Utilities®). Finally, you might check to see if the user has a folder labeled Applications on his or her hard disk. While programs may reside most anywhere on a hard drive, many programs install themselves in this folder by default.
3. Identifying Applications Using Apple System Profiler
3.1 For new Macintosh computers, a utility called Apple System Profiler can be easily used to identify installed software applications. To launch it, select it from the Apple menu in the upper-left corner of the screen. Once the Apple System Profiler Application has launched, click on the Applications tab. After a few moments (while the necessary information is gathered), an alphabetical list of every application installed on the Macintosh will be displayed. Clicking on the names of programs will usually reveal more information.
3.2 To print this list, choose Print... from the File menu. Two factors to keep in mind in evaluating the contents of the applications listing: many software packages install multiple separate applications, while other applications are part of the Mac OS itself. Thus, in all likelihood, you will not be able to match each application listed to an individual software license or serial number.
3.3 Next, click on the Control Panels tab in the Apple System Profiler, and you will see a similar list of all the Control Panels installed on the computer and whether Apple provided them. Most (but not all) Apple control panels are part of the Mac OS and do not require a separate license.
4. Identifying Fonts
4.1 One final place to check is the Fonts folder inside the System folder. Fonts are small computer programs in and of themselves, are usually copyrighted, and their use is subject to specific license agreement. Fonts installed on a given computer are usually placed in the Fonts folder, and it is prudent to check that all the fonts there are properly licensed for use on that particular machine. Note that fonts are often legitimately installed along with the Mac OS and various application packages, and so may not come with their own separate licenses. One easy way to get copyright information on a given font: select it with the mouse in the Macintosh Finder™ and then choose Get Info from the File menu.
United States
1150 18th Street, NW
Suite 700
Washington, DC 20036
phone: 202.872.5500
fax: 202.872.5501
anti-piracy hotline: 1.888.NO PIRACY
e-mail: [email protected]
Asia
300 Beach Road
#32-07 The Concourse
Singapore 199555
phone: 65.292.2072
fax: 65.292.6369
Europe
79 Knightsbridge
London SW1X 7RB
England, United Kingdom
phone: 44.207.245.0304
fax: 44.207.245.0310
Software asset management is simply a set of techniques designed and implemented to obtain the potential benefit of investments in software, and reduce the risk of exposure to and use of illegal software. You can accomplish these goals if you focus on creating a workplace environment receptive to the management process, commit to regularly taking inventory of your software and its use, and demonstrate that actions have consequences.
For further assistance, contact the Business Software Alliance (BSA) at 1-888-NO-PIRACY or visit its Web site: www.bsa.org
Since 1988, BSA has been the voice of the world’s leading software companies before governments and with consumers in the international marketplace. BSA initiatives include educating computer users on software copyrights and assisting governments and businesses establish effective software management programs.
BSA grants permission to reproduce this guide and encourages you to distribute it widely within your organization. Copies may also be obtained via its Web site: www.bsa.org.
BSA Members
Adobe Systems Incorporated: www.adobe.com
Apple Computer, Inc.: www.apple.com
Autodesk, Inc.: www.autodesk.com
Bentley Systems, Inc.: www.bentley.com
Borland Software Corporation: www.borland.com
CNC Software / Mastercam: www.mastercam.com
Compaq Computer Corporation: www.compaq.com
Dell: www.dell.com
Entrust: www.entrust.com
IBM Corporation: www.ibm.com
Intel Corporation: www.intel.com
Intuit Inc.: www.intuit.com
Macromedia, Inc.: www.macromedia.com
Microsoft Corporation: www.microsoft.com
Network Associates, Inc.: www.nai.com
Novell, Inc.: www.novell.com
Sybase, Inc.: www.sybase.com
Symantec Corporation: www.symantec.com
Unigraphics Solutions (an EDS Company): www.eds.com