Company Software Use Legit?

In years of completing due diligence activities with small companies we have run into a number of situations where rapidly growing companies have spent more time on growth and less time on ensuring that they are complying with the rules of software use and licensing. It’s an expensive strategy as twelve companies recently found out.

Go directly to jail

In a recent press announcement the Business Software Alliance (BSA) announced it had reached a settlement with twelve small companies over infractions of software use. While the actual fines received were not huge, they represent a loss that some companies would have difficulties in dealing with. The major cost to many small companies is the legal representation and the resources required to complete a reactive audit and the related corrective measures.

What to do?

Companies need to have a controlled process to managed software distribution, installation and control. Here are a few points to consider;

At the desktop / laptop

  1. Maintain Proof of Purchase records for all software,
  2. Standardize all desktop/laptop software by user group,
  3. Distribute all computing devices with appropriate software installed,
  4. Establish and utilize an update server for recommended updates and upgrades,
  5. Allow the installation of required (unique) software through a management approval process,
  6. Use a server based scanning tool to audit compliance,
  7. Take action immediately upon finding non-compliant applications.

For servers and developers

  1. Apply all of the rules that are used by desktop / laptop,
  2. Develop a process to integrate open source applications or code (if required),
  3. Understand the rules which apply to open source software,
  4. Establish processes to ensure compliance while using open source,

What the experts say

The process of Software Asset Management and is covered in a number of standards;

# ISO 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements and ISO/IEC 17799:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management.

At its basic level it involves the following:

  1. Identification of all software applications and code.
  2. Verifying the software including licenses, usage, and rights.
  3. Identifying gaps that may exist between what exists on the installations, and the licenses or use authority, and the rights of usage.
  4. Taking action to close any gaps.
  5. Recording the results in a centralized location with Proof Of Purchase records.

Some resources you can use to assist in audits can be found at the BSA website.

Is your company compliant?

Don’t wait for some outside party to knock on your door before you take that first step. If you are responsible for any part of software licensing or management in your company act now.

Send this article to:
  • Digg
  • Facebook
  • Tumblr
  • Google
  • StumbleUpon
  • Technorati
  • E-mail this story to a friend!
  • Print this article!

Leave a comment