Government Guide For Software Management
C I B E R N E T
This Guide was prepared by the Family, Industry, and Community Economics group of Nathan Associates Inc.,
with assistance from BDO Seidman, LLP. Nathan Associates is an international economic consulting firm. BDO
Seidman is the U.S. member firm of BDO International, an international accounting and consulting organization.
clear justification for managing software and encourages organizations not currently managing their software to do so by showing them how.

1.3 HOW TO USE THIS MANUAL

The organization and production of this manual were intended to facilitate its use. If you are not yet convinced of the benefits of software asset management, read Chapter 2, which identifies the benefits and explains how the management process will help you achieve them. Key reasons include ensuring compliance with the law, controlling costs associated with software assets, and improving the performance of the assets, the organization, and its employees. If already convinced of the benefits, skip to Chapter 3, which explains how to manage your software assets. The process consists of three major steps.

1. Establish an environment for success. Begin by articulating a software policy statement that addresses the acquisition, use, and disposal of the software used by all government agencies. Employees should be instructed on the requirements and restrictions of the usage policy. Employees responsible for software procurement require specialized training in licensing requirements and proper procurement procedures.

2. Conduct a software inventory. Next, take inventory of the software residing on your computers. The software you find and the ways in which it is being used must conform to the government's software policy.

3. Commit to an ongoing process. Finally, an effective software management plan requires continuing actions. It is important to follow sound procurement procedures, to maintain a complete and up-to-date record-keeping system, and to take corrective and preventive actions. Perhaps most important, communicate with employees to encourage participation in the process and adherence to policy.
To assist you in getting started, this manual includes information and examples of documents that will be used in or generated by the management process. Exhibit A contains a model government decree on the illegal use of computer software. Exhibit B contains a sample software policy statement that can be adapted for use by your agency or organization. Exhibit C contains an example of the type of form you could use to record and disseminate information regarding the software supported by your organization. Exhibit D contains a sample software inventory worksheet to guide your data collection efforts. Exhibit E presents an analysis of a few randomly selected software products that can help you inventory software and meter its use. Finally, Exhibits F, G, and H contain specific sets of commands for identifying the software that resides on your computers if you are unable to use inventory application software. The commands are listed for three different environments: DOS® on stand-alone computers, Microsoft Windows® on stand-alone or networked computers, and Apple® Macintosh® on stand-alone computers.
2.2.2 Avoid Costs of Unnecessary Hardware

A software management process allows an organization to identify and communicate with its employees the software it currently supports, as well as expected upgrades, substitutions, disposals, and data and program retention policies. By collecting and sharing this information, software, data, and program files can be managed on a systematic basis with a minimum of disruption. In addition, the non-disruptive removal of software no longer supported frees space on existing hardware, thereby helping organizations avoid the costs of unnecessarily upgrading or replacing hardware.

2.2.3 Control Software Support Costs

By identifying your organization's current and future software needs and specifying when software will cease to be supported, you can control the cost of supporting software and avoid the cost of renewing licenses unnecessarily or in overly expansive terms. Control can be effected by a management process that regularly reviews the organization's software needs, updates the list of supported software periodically, and clearly communicates in advance when various applications and versions will no longer be supported and, hence, removed from the organization's computers.

2.2.4 Avoid Legal Challenges, Penalties, and Fines

Your agency or organization can avoid the costs of legal challenges, fines, and penalties by implementing the software asset management process described here. The process will generate a record of documentation necessary to avoid these costs. The record will include:
• A written statement of your organization's software policy;
• Evidence of employee acknowledgement and understanding of the policy, the management process, and his or her responsibilities;
• A complete and current inventory of your software assets; and
• Documentation of all actions taken in support of the management process.

2.3 IMPROVE PERFORMANCE

In addition to more effective control of costs, which improves the performance of all organizations, a software asset management plan will:
• Ensure software quality and reliability;
• Maximize IT resource compatibility;
• Anticipate and take advantage of change; and
• Increase employee productivity.

2.3.1 Ensure Software Quality and Reliability

An effective software management process will ensure the quality and reliability of the software. Illegally copied software - which can be defective or infected with a virus, obsolete, or recently released but not adequately tested - can be identified, avoided, and, when found on the organization's computers, removed. Licensed software, on the other hand, offers the assurance of product authenticity and quality, the warranty of the software publisher, documentation, instruction manuals, tutorials, product support (including upgrade information and trouble-shooting services), and training.
2.3.2 Maximize IT Resource Compatibility

With the numerous types and versions of software available in today's market, issues of compatibility often arise. If employees in one part of your organization require documents created by a specific application, but employees in other parts of the organization use only an incompatible application, you must weigh the decision of whether to authorize the use of, support, and training in both computer programs. By managing the lifecycle of your software assets, you generate the information necessary to address compatibility issues and weigh tradeoffs on the basis of all costs and benefits.

2.3.3 Anticipate and Take Advantage of Change

An effective software management process will make it easier to anticipate and take advantage of change - both technological and organizational - while minimizing its potentially adverse consequences. In the course of the management process, you will be identifying and communicating the current and future software needs of your organization. Reactions within the organization will lead to a clearer understanding of future needs and additional insight into the advantages and disadvantages of deploying anticipated technology sooner rather than later. The process will help you avoid the acquisition of software on the verge of becoming obsolete as well as new still unreliable software.

2.3.4 Increase Employee Productivity

Computer software has dramatically transformed today's business and organizational environments. Because of software, today's workers are more efficient and businesses are more productive. Software has reinvented old notions of bringing products and services to customers and established real-time communication as a cornerstone of organization effectiveness.

Software asset management ensures that workers have the tools they need to accomplish their tasks efficiently, and the education and training they need to use the tools effectively.
How to Manage
Software Assets
understanding and complying with the terms of software licenses, and how to use the software provided and supported by the organization.
• Pay special attention to transitional events such as an employee's hiring or departure.

Specify, Communicate, and Require Acknowledgment

Initially, generate support by clearly specifying and communicating a software policy, a chain of command, and responsibilities of each employee. Include the information in the employee handbook. Distribute the information at new-employee orientation. Avoid confusion by requiring each employee to sign a copy of the statement. The signed statement is evidence that each employee has been made aware of, understands, and agrees to comply with the organization's software policy and management process.

Educate and Train

Training is an important element of obtaining employee acceptance. You should develop a training program providing instruction in three general areas:
• Understanding the organization's statement of policy, including the management process, procurement procedures, and employee responsibilities;
• How to know if software or its use is illegal; and
• How to take advantage of the software assets supported by the organization.

In addition to explaining the policy to new employees during their orientation, helping employees understand the policy and their responsibilities can be accomplished by regularly reviewing with all employees the results of the management process and procurement procedures. An ideal time for review is after completion of a software audit or inventory.

Training employees to recognize when software or its use is illegal begins with an understanding of the many variations of software theft. The five most common types of theft, and how to help employees avoid committing these illegal acts, are summarized below.

1. End user piracy occurs when an individual or organization (the "end user") reproduces copies of software without authorization. End user piracy can take the following forms:
• Using one licensed copy to install a program on multiple computers;
• Copying disks for installation and distribution;
• Taking advantage of upgrade offers without having a legal copy of the version to be upgraded;
• Acquiring academic or other restricted or non-retail software, the license for which does not permit sale to, or use by, the organization; or
• Swapping disks in or outside the workplace.

2. Client-server overuse is a common form of end user piracy. A client-server configuration links multiple computers and permits users to access software stored on a local area network. Client-server overuse often occurs because the organization or its employees fail to understand license restrictions in a network environment. Server software licenses generally limit the number of users on the server, or may require individual access licenses for users. Certain application licenses will authorize use of one installed copy by multiple users, but only within the limits of the license provisions. Exceeding the permitted number or types of users constitutes unauthorized use. License overuse can be controlled by carefully checking software licensing agreements at the time of purchase and installation and educating employees on proper software use.

3. Counterfeiting is the illegal duplication and sale of copyrighted material with the intent of directly imitating the copyrighted product.
In the case of packaged software, it is common to find counterfeit copies of the CDs or diskettes incorporating the software program, as well as related packaging, manuals, license agreements, labels, registration cards, and security features. You can guard against the unwitting purchase of counterfeit product by:
• Carefully checking the authenticity of any product you acquire;
• Purchasing from resellers with a reputation for integrity and honest business practices; and
• Ensuring that all user materials and a licensing agreement are included with software at the time of its acquisition.

Any department or groups authorized to acquire software should be aware of the following warning signs that often signify counterfeit software:
• The price of the software is deeply discounted or otherwise appears "too good to be true";
• The software is distributed in a CD jewel case without the packaging and materials that typically accompany a legitimate product;
• The software lacks the manufacturer's standard security features;
• The software lacks an original license or other materials that typically accompany legitimate products (e.g., original registration card or manual);
• The packaging or materials that accompany the software have been copied or are of inferior print quality;
• The CD has a gold, blue or blue-green appearance, as opposed to the silver appearance that characterizes legitimate product;
• The CD contains software from more than one manufacturer or programs that are not typically sold as a "suite"; or
• The software is distributed via mail order or online by resellers who fail to provide appropriate guarantees of legitimate product.

4. Hard-disk loading occurs when a computer hardware reseller loads unauthorized copies of software onto the machines they sell to make purchase of the machine more attractive. You can avoid purchasing such software by ensuring that all hardware and software purchases are centrally coordinated through your organization and all purchases are made through reputable suppliers. Most important, require receipt of all original software licenses, disks, and documentation with every hardware purchase.

5. Online software theft has become more prevalent with the rise in Internet popularity. Employees who download unauthorized copies of software via an Internet site are in violation of the copyright law, just as if they had made an authorized copy from a disk. Although some manufacturers expressly permit their software programs to be downloaded without payment of a licensing fee, these programs are still subject to a licensing agreement. Pay careful attention to educate all employees to the fact that software should not be downloaded from the Internet without express authorization by the official, department or group in charge of software procurement.

The final element of your training program is conventional training. One of your more challenging tasks will be to obtain acceptance of the list of software supported by your organization. Everyone will have a software preference and someone is likely to want an application your organization has chosen not to support. To minimize the likelihood of such outcomes and their potentially disruptive impact, it is critical to offer regular training in the software supported by your organization.

Pay Special Attention to Employee Transitions

Employee transitions are critical times in the software management process. Exiting employees need to be debriefed. Their computers should be checked for installed software. They should be asked whether
they have illegally copied onto a diskette or other portable storage medium any software licensed or controlled by the organization. If they had installed copies of the organization's software on their home computers, they should be reminded of their responsibility to delete the programs. The computer previously assigned to the exiting employee must be reconfigured with the software required of the employee(s) to whom the computer will be reassigned.

3.1.3 Identify, Distribute, and Regularly Update a List of Supported Software

You must identify with specificity the software supported by your organization. The list, a sample form of which is contained in Appendix C, must contain information in three broad categories:
• Software currently supported, terms of the license, and authorized number of users;
• Location of the software; and
• Future plans to add, upgrade, and dispose of software.

By following the four steps described below, the list you develop will include the information necessary to fully specify the current state of your organization's authorized and supported software assets.

1. Begin by determining all classes and subclasses of software your organization deems necessary to accomplish its mission. Different classes include operating systems, communications, utilities, word processors, graphic, database, spreadsheet, network, and others. Subclasses are, for example, a disk operating system and network operating system, data compression utilities, presentation graphics, etc.

2. Within each class and subclass, decide which product and version will be supported and the employees who will be using it.

3. Once the number of employees requiring use of the software is identified, determine the number of copies to be authorized and supported by the organization. Of course this will depend on the licensing terms available for the software. Specify the terms of the license chosen.

4. Finally, decide how to distribute the software. Specify the serial number(s) of the computer(s) on which the software is installed, and, when applicable, the organizational unit or department and the employee(s) to whom the computer is assigned.

In addition to developing the list of currently supported software and authorized use, you must project your software needs at least three years into the future. It is important to look ahead to anticipate software upgrades, additions, and disposals. The future schedule of such events, though preliminary and subject to change, should be included in the list of supported software.

3.1.4 Establish a Secure Repository

All licenses and documentation for the organization's authorized and supported software, as well as the original diskettes or CDs, should be collected and stored in a secure central location. By providing secure storage for the original diskettes or CDs, you will minimize the risk of software theft and unauthorized duplication of software programs. Leaving original disks or CDs lying around often leads employees to mistakenly believe they are spare copies that can be loaded onto their computers.

3.1.5 Develop and Implement Software Procurement Procedures

Your organization should develop and implement an official software procurement process. Any department or group authorized to purchase software should be trained in general licensing requirements and proper procurement procedures. The process begins with a formalized request for authorization to
purchase software, an evaluation and justification of need, and identification of the channels through which the software must be purchased. Additional procedures that should be part of the process are listed below.
• Require that all purchases of software be made through a purchasing department or group designated with such responsibility for the organization;
• Require that all requests be submitted in writing and approved by the department manager with budgetary signing authority;
• Disallow reimbursement of any employee expense charged to an employee expense account that was expended for software acquisition;
• Require that all software purchases be made through reputable, authorized resellers;
• Require that all software purchases be accompanied by related user materials (e.g., manuals, registration cards, etc.) and all proper licenses and receipts evidencing legal acquisition and use; and
• Disallow purchase of software not included in the organization's list of supported software.

Part 3 of the sample software policy statement in Appendix B contains a suggested procurement process statement. To ensure compliance with the process, periodically review records of software purchases.

3.2 TAKE INVENTORY

The second major task of an effective software asset management process is inventorying all software residing on all the organization's computers, the original licenses for all software supported and authorized for use by your organization, and all software documentation (including purchase invoices if available). You must know what you have before you can manage it. By comparing the results of this initial baseline inventory to the organization's software policy and list of supported software, you will be able to identify and delete illegal software and software you no longer officially support, and identify and stop use in violation of your software licensing agreements. Your organization's progress in this effort should then be monitored through subsequent periodic audits or inventories.

3.2.1 Accomplish Three Tasks

The software inventory must generate information that allows you to accomplish three tasks:
• Identification of all software residing on your organization's computers;
• Identification of illegal and unsupported software residing on your organization's computers; and
• Identification of software use that is not in compliance with the organization's policies and procedures, copyright law, or licensing agreements.

Identify Software Residing on the Organization's Computers

The inventory begins with identification of all software found on the organization's computers. The process consists of the following tasks:
• Record the serial number of the computer, workstation, or server being analyzed.
• Record the organizational department to which the computer is assigned.
• Record the name of the employee(s) to whom the computer is assigned.
• Inspect the contents of the computer or workstation's hard disk and, if networked, the server and other locations where software might be found.
• Identify any hidden files and directories and record the details of any such occurrences for subsequent investigation.
• For software with single user licenses, record the serial number of each. For networked
computers, record the licensing information for the software found on the workstation and server.
• Ask the manager and staff if any software is maintained on floppy diskettes, and, if so, inspect the diskettes.
• Inspect the computer and user areas for evidence of any photocopied material such as user guides.
• Ask the manager and staff if any unauthorized software is used in the department.
• Review the findings and compare them with the list of supported software, and the licenses and documentation stored in the repository.

Appendix D contains a sample form for recording the information that must be collected in the software inventory. Specialized inventory application software, which is discussed later, can be used to make the inventory job relatively easy.

Identify Illegal and Unsupported Software

The identification of illegal and unsupported software is accomplished by comparing the results of your inventory to the list of software supported by your organization. Although the task is straightforward, it can involve additional analysis. Some executable files found on the computers might appear to be a software program not supported while, in fact, they are components of supported software or otherwise legitimate instruction sets.

Identify Unauthorized Use

The identification of unauthorized use is accomplished by comparing the terms of the licensing agreements you have for your supported software with the number of computers on which the software was found and the number of users having access to the computers. Software metering applications, which are discussed later along with other inventory application software, can help to ensure that software use is in compliance with the software license.

3.2.2 Conduct the Inventory in Accordance with Four General Standards

You should conduct the software inventory in accordance with standards regarding the qualifications of people who will take the inventory, the independence of these people and their organization, their exercise of professional care in conducting the inventory and preparing inventory reports, and the presence of quality controls.

A person or team that collectively possesses adequate professional proficiency for the tasks required should take the inventory. Look for the following qualifications:
• Knowledge of and experience with the methods and techniques applicable to inventorying software;
• Knowledge of the programs, activities, and functions of your organization; and
• Good communication skills.

The person or team should be free from personal and external impairments to independence. In addition, an independent attitude and appearance must be maintained. It is important that the opinions, conclusions, judgments, and recommendations of the person or team be impartial and viewed as impartial by knowledgeable third parties.

Due professional care must be used to conduct the inventory and prepare inventory reports. The person or team should use sound judgment in establishing the scope and timing of the inventory, selecting the methodology and specific procedures, and evaluating and reporting the results.

3.2.3 Rely on the Element of Surprise, Yet Include All Computers

Once the organization's entire software base has been examined in the initial baseline inventory, the organization should conduct periodic inventories to monitor compliance. For these subsequent
inventories, it might not be practical to include all computers in a single procedure. In such circumstances, a sample of computers should be inspected, but over the course of a year, every computer should be re-inspected and its installed software included in the inventory.

3.2.4 Specialized Inventory and Metering Applications Can Make the Job Easier

Specialized application software can inventory and meter the use of your organization's software. When possible, these tools should be used. They will make the inventory process more efficient and help you more accurately manage software use. Evaluate specific products available in your market by answering the following questions:
• Is the application effective for an organization this size;
• Does the application work in a networked or stand-alone environment;
• How does the application recognize software and, if by comparing to known products included in a database, how often is the database updated;
• How is the application deployed;
• What is the application's user interface;
• What are its reporting capabilities;
• What support is available; and
• What is the cost of the application?

Appendix E contains a matrix summarizing five randomly chosen inventory applications and two randomly chosen metering applications. Please do not interpret the inclusion of these specific products as indication of support for them over the dozens of others that are on the market today or about to be brought to the market.

3.2.5 Other Options

You can conduct the software inventory without the use of specialized application software. The process will take additional time and, with respect to monitoring software use, the information generated is likely to be less precise. Nevertheless, the process will generate the information you need to guard against the possibility of illegal software and illegal use of software in your organization. Appendixes F, G, and H contain command sets for inventorying your software without the benefit of a specialized application within the following three environments:
• Stand-alone computers running DOS;
• Stand-alone or networked computers running Windows; and
• Stand-alone Macintosh computers.

The key to identifying software on DOS and Windows systems is to find all files suffixed with .EXE, which is short for "executable." All software must have at least one executable file. The challenge is to weed through numerous executable files that might be small subsets of instructions embedded in legitimate software to find the executable file of an illegal program.

Using DOS on Stand-Alone Computers

It is best to use specialized inventory application software. An inventory can be performed without such software, but you must commit a significant amount of time to the inventory process. You must inspect the contents of each computer's hard drive using only DOS-based command instructions. There are three alternative ways to undertake the effort, and the commands to follow in each approach are contained in Appendix F.
• Exhaustive inspection;
• User-level instructions with manual inspection; and
• User-level instructions with automated inspection.

In an exhaustive inspection approach, disk partition information is inspected and hidden files and subdirectories are located and examined. Only competent technicians or systems engineers should attempt this method of inventorying software.
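
An added example, not taken from the guide or its appendixes, of the inventory comparison described in sections 3.2.1 and 3.2.5: it finds every .EXE file on each machine, flags hidden locations, and checks the findings against a list of supported software and licensed copies. The product names, serial numbers, file layout, and the one-licensed-copy-per-machine model are constructed assumptions.

```python
import os
import tempfile
from collections import defaultdict

# Constructed list of supported software (hypothetical products). Each entry
# names every executable the product ships, helper components included, so a
# component is not mistaken for an unsupported program.
SUPPORTED = {
    "ExampleWriter 5": {"executables": {"exwriter.exe", "exspell.exe"},
                        "licensed_copies": 2},
    "ExampleSheet 3": {"executables": {"exsheet.exe"},
                       "licensed_copies": 1},
}

# Constructed sample machines: computer serial number -> files on its disk.
SAMPLE_DISKS = {
    "SN-1001": ["APPS/WRITER/EXWRITER.EXE", "APPS/WRITER/EXSPELL.EXE",
                "APPS/SHEET/EXSHEET.EXE"],
    "SN-1002": ["APPS/SHEET/exsheet.exe", "GAMES/BLASTER.EXE", "README.TXT"],
    "SN-1003": ["APPS/WRITER/EXWRITER.EXE", ".cache/tool.exe"],
}

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" attribute bit


def is_hidden(path):
    """True for the Windows hidden attribute or a Unix-style dot name."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")


def scan_executables(root):
    """Walk one machine's disk and record every file suffixed .EXE."""
    found, hidden_dirs = [], set()
    for dirpath, dirnames, filenames in os.walk(root):
        in_hidden = dirpath in hidden_dirs
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if in_hidden or is_hidden(full):
                hidden_dirs.add(full)  # everything below stays flagged
        for name in filenames:
            if not name.lower().endswith(".exe"):
                continue
            full = os.path.join(dirpath, name)
            found.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "name": name.lower(),  # DOS/Windows names are case-insensitive
                "hidden": in_hidden or is_hidden(full),
            })
    return found


def audit(inventories, supported):
    """Compare {serial: scan results} with the supported list and licenses."""
    exe_to_product = {exe: product
                      for product, info in supported.items()
                      for exe in info["executables"]}
    installed_on = defaultdict(set)
    report = {"unsupported": [], "hidden": [], "overuse": {}}
    for serial, records in sorted(inventories.items()):
        for rec in records:
            product = exe_to_product.get(rec["name"])
            if product is None:
                report["unsupported"].append((serial, rec["path"]))
            else:
                installed_on[product].add(serial)
            if rec["hidden"]:
                report["hidden"].append((serial, rec["path"]))
    # Assumption: one licensed copy covers one computer.
    for product, machines in installed_on.items():
        licensed = supported[product]["licensed_copies"]
        if len(machines) > licensed:
            report["overuse"][product] = {"installed": len(machines),
                                          "licensed": licensed}
    return report


def run_demo():
    """Build the constructed disks in a temp directory and audit them."""
    inventories = {}
    with tempfile.TemporaryDirectory() as base:
        for serial, files in SAMPLE_DISKS.items():
            root = os.path.join(base, serial)
            for rel in files:
                full = os.path.join(root, *rel.split("/"))
                os.makedirs(os.path.dirname(full), exist_ok=True)
                open(full, "wb").close()
            inventories[serial] = scan_executables(root)
    return audit(inventories, SUPPORTED)


if __name__ == "__main__":
    for section, items in run_demo().items():
        print(section, items)
```

Matching on file name alone only produces candidates for follow-up; each unsupported or hidden entry still needs the manual review the guide describes.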
User-level instruction with manual inspection can be used when the hard disk is not partitioned. It can also be used to examine the contents of a computer's hard drive without invoking disk partition software that could cause catastrophic data loss if used improperly.

An automated inspection method assumes all software information will be gathered by end users and forwarded to a centralized location for inspection. A single hard drive partition is assumed. Drives with multiple partitions should be inspected manually.

Using Windows on Stand-alone or Networked Computers

Using Windows to inventory software is easier but still time consuming. Again, the person taking the inventory must find all .EXE files on the computer and invoke the software to examine licensing information. Opening all folders to determine whether they contain software can be time consuming, and, although use of the PRINT SCRN key to print the information and images on the desktop is an excellent way of generating a printed record of the inventory, it too requires time. However, the job does not require sophisticated technical knowledge and experience. Appendix G contains the instructions for inventorying your software if you are using a Windows-based system.

Using the Macintosh Operating System on Stand-Alone Computers

Like using Windows, the Macintosh operating system can generate an inventory of software, but it requires more time than specialized inventory application software. The commands required are contained in Appendix H.

3.3 TAKE ACTION

The final major component of the management process is action. You must be prepared to take corrective action when necessary and preventive action to minimize the need for future corrective action.

3.3.1 Take Corrective Action When Necessary

There are two breaches requiring corrective action. Whenever either is found to have occurred, all employees must be informed and reminded of their responsibilities to the organization's software policy and management process.

Correct Breaches in Software Policy

When an employee is found not to be in compliance with the organization's software policy, he or she must be informed of the breach, reminded of his or her acknowledgment of responsibility to the policy, asked to cease such behavior, and warned that if future breaches occur, they could be grounds for dismissal. A written record of all such instances should be included in the employee's personnel file. Employee notification is important, and these corrective measures should be taken only once an employee has been properly advised of the software policy and has subsequently been found in violation.

Correct Breaches in Licensing Agreements and Copyright Law

When the infraction is a breach of copyright law or the terms of a software license, the incident has potentially serious consequences for the employee and the organization.

If the inventory were to reveal illegal copies of software residing on the organization's computers, the copies must be deleted immediately. If the infraction is severe and found to be widespread throughout the organization, senior managers should be informed. You might also want to inform the copyright holder if the discovery revealed information (such as the location of an illegal software copying and distribution operation) that would be of benefit to the copyright holder. All efforts should be made to identify the employee or employees responsible for the violation. The incident and its final outcome should be
recorded and maintained with all other documentation in the secure repository. All violations attributed to a specific employee should be recorded in the employee's personnel file.

If the inventory were to reveal software use not in compliance with licensing terms, all users of the particular product must be informed of the infraction, and, if necessary, a new licensing agreement must be struck to include use by those whose use had previously not been covered by the license.

3.3.2
Always Take Preventive Action
To minimize the number and severity of breaches, you should take preventive action in three arenas: the environment for success, taking inventory, and procurement.

Maintain the Environment for Success
To maintain a workplace environment in which the management process will succeed you should strive to stay current by regularly updating your list of supported software and authorized use, modifying the availability of products to reflect changing patterns and intensity of use, and communicating with employees.

Regularly Review List of Supported Software and Use
Demonstrate the organization's interest in ensuring that its employees have the software they need by regularly reviewing the list of supported software and authorized use. Seek out the opinions of those who are more reliant on software. And strive to understand why some employees appear to have little need for software. When necessary, modify the list, announce the changes, and distribute the new list throughout the organization.

When Necessary, Modify the License or Number of Copies
When software use changes, modify the number of copies you support or the type of license to reflect the new situation. In times of increasing demand for a particular product, too few copies or a license that is too restrictive places the organization in greater jeopardy of its employees violating licensing agreements. And when demand is declining, you do not want the organization supporting copies or renewing licenses that are not necessary.

Keep Communication Open
Seek opportunities to communicate with employees about their software needs, experiences with specific products, policy and process responsibilities, and management results. Employees must see that their actions have consequences.

Conduct Random Spot Inventories
Regrettably, human nature is such that often the element of surprise is necessary to obtain a clear picture of behavior. It is important to periodically take inventory. Select the computers to be inspected. Targets could include computers previously found to be in breach of policy or law. Announce the results of all such random spot checks.

Periodically Review Software Procurement Records
Periodically review the record of software procurement to determine whether those responsible for procurement are adhering to the organization's procurement policy. Whenever a legal breach is discovered through the process of inventorying software, every attempt should be made to determine whether the breach was due at least in part to a failure to follow the official procurement procedures.
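
The manual Windows inventory described earlier (finding every .EXE file on each computer) and the comparison of copies found against licenses held can be scripted. The Python code below is an added example, not part of the original guide; identifying a program by the SHA-256 hash of its file, the one-license-per-computer rule, and all function names and sample data are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def find_executables(root):
    """Walk one computer's drive (or a copy of it) and return {sha256: [paths]}
    for every .EXE file, matching the extension case-insensitively."""
    found = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            found[digest.hexdigest()].append(path)
    return dict(found)


def reconcile(inventories, register):
    """inventories: {computer: {sha256: [paths]}} from find_executables().
    register: {sha256: (product, licensed_copies)}, the supported-software list.
    Assumption: one license covers one computer, however many copies sit on it.
    Returns (over_deployed, unsupported)."""
    installed_on = defaultdict(set)   # product -> computers it was found on
    unsupported = []                  # (computer, path) absent from the register
    for computer, files in inventories.items():
        for digest, paths in files.items():
            entry = register.get(digest)
            if entry is None:
                unsupported.extend((computer, p) for p in paths)
            else:
                installed_on[entry[0]].add(computer)
    licensed = {product: copies for product, copies in register.values()}
    over_deployed = {
        product: (len(computers), licensed[product])
        for product, computers in installed_on.items()
        if len(computers) > licensed[product]
    }
    return over_deployed, sorted(unsupported)


def demo():
    """Constructed sample: two computers, one licensed copy of a made-up product."""
    sample = {
        "pc1": {"Apps/EDITOR.EXE": b"editor-build-1", "Games/cards.exe": b"cards"},
        "pc2": {"editor.exe": b"editor-build-1", "readme.txt": b"not a program"},
    }
    register = {hashlib.sha256(b"editor-build-1").hexdigest(): ("Editor", 1)}
    with tempfile.TemporaryDirectory() as base:
        inventories = {}
        for computer, files in sample.items():
            for rel, data in files.items():
                path = os.path.join(base, computer, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as fh:
                    fh.write(data)
            inventories[computer] = find_executables(os.path.join(base, computer))
        over, unsupported = reconcile(inventories, register)
    # Report file names only, so the result does not depend on the temp path.
    return over, [(c, os.path.basename(p)) for c, p in unsupported]


if __name__ == "__main__":
    print(demo())
```

Each entry in `over_deployed` gives (computers found on, licenses held), the cases where copies must be deleted or the license extended; `unsupported` lists executables that are not on the supported-software list.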
distribution of that software to another user.

Modem
A device or program that enables a computer to transmit data over telephone lines.

Network Operating System
An operating system that includes special functions for connecting computers and devices into a local-area network (LAN). A network operating system coordinates a network's primary functions such as file transfer and print queuing.

Operating System
The master control program that translates the user's commands and allows application programs to interact with the computer's hardware. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers. Common operating systems include DOS, Windows, and Mac OS.

Piracy
The illegal use and/or distribution of property protected under intellectual property laws. Software piracy can take many forms. End user piracy occurs when an individual or organization reproduces and/or uses unlicensed copies of software for its operations. Client-server overuse occurs when the number of users connected to or accessing one server exceeds the total number defined in the license agreement. Server piracy occurs when illegal copies of software are loaded onto one or more servers. Counterfeiting is the illegal duplication of software with the intent of directly imitating the copyrighted product. Hard-disk loading occurs when a computer hardware reseller loads unauthorized copies of software onto the machines it sells. Online software theft occurs when individuals download or upload unauthorized copies of software from the Internet or a Bulletin Board System (BBS). License misuse occurs when software is distributed in channels outside those allowed by the license, or used in ways restricted by the license.

Server
A computer or device on a network that manages network resources. For example, a file server is a computer and storage device dedicated to storing files. Any user on the network can store files on the server. A print server is a computer that manages one or more printers, and a network server is a computer that manages network traffic. A database server is a computer system that processes database queries.

Software
Computer instructions or data. Anything that can be stored electronically is software. A piece of software is also known as a program.

System software products
Software program packages, other than application program packages, that manage systems resources (e.g., operating systems, database management systems, etc.).

Upgrade
A new version of a software or hardware product designed to replace an older version of the same product. Typically, software companies sell upgrades at a discount. In most cases, you must prove you own an older version of the product to qualify for the upgrade price.

Upload
To move a file from your computer to another computer; the opposite of download.

WAN
Wide-Area Network. A computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Computers connected to a wide-area network are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites.
EXHIBIT A
MODEL GOVERNMENT DECREE ON LEGAL SOFTWARE USE
WHEREAS the use of proprietary computer software has become essential to the mission and operation of the executive agencies of the Government, and the Government is a major user of information technology;
WHEREAS proper software management is critical to ensuring that the Government receive the full benefits of its software use and operate in compliance with its own and all relevant copyright laws;
WHEREAS the unlicensed copying and sale of computer software are illegal and seriously undermine employment opportunities and tax revenues generated by the computer software industry;
WHEREAS the Government must set an example for other public and private entities regarding proper software management by ensuring that it is not a party to computer software piracy.
It shall be the policy of the Government that:
1. Each executive agency shall work diligently to prevent and combat computer software piracy in order to give effect to intellectual property rights associated with computer software by observing the relevant provisions of international agreements, including the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property and the Berne Convention for the Protection of Literary and Artistic Works, as well as the relevant provisions of national law.
2. Each executive agency shall ensure that budget proposals relating to computer software and data processing needs include adequate resources for the purchase of sufficient computer software to meet those needs. These resources should be delineated as a separate line-item in the agency’s budget.
3. Each executive agency shall establish systems and controls to ensure that the agency has present on its computers and uses only computer software in compliance with applicable copyrights. These systems and controls shall include:
a) appointment of a responsible Chief Information Officer (CIO) for each executive agency, who shall certify that agency’s compliance with software management policies annually to the appropriate central office;
b) completion of an initial inventory of the software present on the agency’s computers and the number of copies of each program for which the agency has valid licenses;
c) following completion of the initial inventory, deletion of any software programs in numbers exceeding the valid licenses held;
d) development and maintenance of adequate record-keeping systems to record the results of the initial inventory and thereafter track the acquisition of additional software licenses and the installation or use of additional copies of software permitted under such additional licenses, ensuring that such records at all times indicate licenses sufficient to cover all software in use and maintain all license documentation in a single place;
e) channeling all software purchase requests through a single point monitored by the CIO;
f) institution of periodic inventories of each executive agency’s computers to determine the continued accuracy of the agency’s software record-keeping systems; and
g) implementation of an agency-wide information and training program for employees regarding the necessity of legal computer software use, including signature of a written compliance notice and establishment of disciplinary offenses and penalties for non-compliance.
4. In connection with the acquisition and use of computer software, the head of each executive agency shall:
a) establish and maintain a comprehensive software management policy and an effective program to ensure proper acquisition, distribution, management, use, and disposition of all computer software products;
b) ensure that the policies, procedures, and practices of the agency related to intellectual property rights protecting computer software are adequate and fully implement the policies set forth in this order;
c) ensure agency compliance with the intellectual property rights protecting computer software and the provisions of this order by establishing agency-wide management structures and processes to ensure that only legal computer software is acquired for and used on the agency’s computers;
d) establish performance measures to assess the agency’s compliance with intellectual property rights associated with computer software acquired, distributed, or used by the agency and with the provisions of this order;
e) direct and support appropriate training of agency personnel regarding intellectual property rights associated with computer software and the policies and procedures adopted by the agency to honor them.
5. In connection with all third-party contractors and applicants for funds administered by the agency, each executive agency shall:
a) require the applicants to certify, as a condition of approval of any funding application, that they have appropriate systems and controls in place to ensure that agency funds are not used to acquire, operate or maintain computer software without proper authorization, including: (1) the institution of reasonable inventory procedures to ascertain that the computer software present on the computers acquired or operated with agency funds is legal and (2) the provision of the inventory results to the agency;
b) withhold agency funds, as it deems appropriate, from any applicant found to be using illegal computer software with respect to any program supported by the funds, until such time as it has been established to the satisfaction of the agency’s auditors that reasonable steps have been taken to ensure that illegal software is no longer present on that applicant’s computers used with respect to any such program;
6. Each agency shall cooperate fully in implementing this order and shall share information as appropriate that may be useful in combating the use of computer software without proper authorization.
EXHIBIT B
SAMPLE STATEMENT OF ORGANIZATION’S SOFTWARE MANAGEMENT POLICY
Part 1. General Responsibilities
The Policy of [organization] is to manage its software assets to derive maximum benefit to [organization] and its employees and, especially, to ensure that [organization] and its employees:
• Acquire, reproduce, distribute, transmit, and use computer software in compliance with international treaty obligations and [insert country name] laws, including the [insert specific key laws]; and
• Maintain only legal software on [organization’s] computers and computer networks.
All software is protected under [country specific] copyright laws from the time of its creation. [Organization] has licensed copies of computer software from a variety of publishers to help fulfill its mission. Unless otherwise provided in the software license, duplication of copyrighted software, except for backup and archival purposes, is a violation of the [applicable law] and this Policy.
You may not knowingly use software for which [organization] lacks the appropriate license. If you become aware of the use or distribution of unauthorized software in this organization, notify your supervisor or the Office of the Chief Information Officer (CIO).
You may not loan or give to anyone any software licensed to this organization.
The licenses for some of this organization’s software permit employees of the organization to make a copy of the software for home use. The CIO may approve such use by employees that can demonstrate a need to conduct the organization’s business from their homes. Under no circumstances, however, may an employee use the organization’s software for purposes other than the business of this organization.
No employee may use or distribute personally-owned software on the organization’s computers or networks. Such software threatens the integrity and security of the organization’s computers and networks.
A variety of software is available on the Internet. Some of this software, called “freeware” or “shareware,” is available free of charge for limited use and may be downloaded to your computer with the prior written approval of your supervisor. Other software available on the Internet and from other electronic sources, however, requires the user to obtain a license for its use, sometimes for a fee. No employee shall download such software to his or her computer without the prior written approval of the CIO.
Part 2. The Software Asset Management Process
[Organization] is committed to managing its software assets for maximum benefit to the organization and its employees. The process consists of three areas of focus: (1) Creating an environment in which the process will succeed, (2) Reviewing the software assets residing on the organization’s computers, and (3) Acting to correct breaches in policy and the law, keep the Policy and its procedures current, and prevent future breaches.
[Organization] will strive to create an environment for success by communicating this policy; educating employees about their responsibilities; training employees in the software supported by this organization; identifying and modifying as necessary the software employees need to fulfill their job responsibilities; establishing a secure repository for original storage media, software licenses, and software documentation; and requiring that all software be procured through official and clearly defined procedures.
As part of this organization’s software management process, the CIO shall conduct periodic, random reviews of all organization computers and networks to determine the software resident on such systems and whether the organization has the appropriate licenses for all such software. The CIO also shall conduct periodic, planned reviews, in which the CIO may ask you to complete a Software User Survey. This Survey will be used to determine your existing and future use and need of particular software programs. Your cooperation with all reviews and Software User Surveys is greatly appreciated. The CIO will endeavor to conduct its work with the least possible disruption of your workday.
You may be held responsible for the existence of any software on your computer for which the organization lacks the appropriate licenses. Consequences for such unauthorized use of software range from a reprimand for minor offenses to termination of employment for repeated, willful offenses.
Part 3. Software Procurement and Installation Procedures
All requests for software and software upgrades shall be submitted to the Office of the Chief Information Officer (CIO), where possible.
Any software and software upgrades not acquired by the CIO shall be documented and identified to the CIO, who will verify that the Agency has an appropriate license for the use of such software.
All acquisitions of hardware that include bundled software shall be documented and identified to the CIO, who will verify that the Agency has an appropriate license for the use of such bundled software.
The CIO shall store in a secure, central location all original software licenses, disks, CD-ROMs, and documentation upon receipt of all new software, including copies of completed registration cards.
The CIO shall designate those employees authorized to install software on the organization’s computers.
No employee shall install or distribute software for which this organization lacks the appropriate license.
No employee shall install any software upgrade on a computer that does not already have resident on it the original version of the software. The CIO or designated employee shall destroy the original version’s backup copy of the upgraded software in its place.
The CIO or designated employees shall destroy all copies of software that is obsolete or for which the organization lacks the appropriate license. Alternatively, the CIO may obtain the license(s) necessary to maintain unauthorized software on organization computers.
The organization’s department with procurement responsibility must establish and maintain a recordkeeping system for software licenses, hardware, original CD-ROMs and diskettes, user information, and review information. Maintain this information in a secure, central location. Consider the use of software management computer programs to automate such recordkeeping.
*************
The organization is committed to communicating this Policy with its employees. The organization will:
• Include the Policy Statement in the employee handbook. Distribute the updated handbook to all employees.
• Train new employees during their initial orientation on how to comply with the Policy.
• Hold seminars on the Software Policy for existing employees to inform them of the types of software licenses, how to detect and prevent piracy, how to implement the Software Policy, and consequences of violating the Policy and relevant law.
• Require new and existing employees whose responsibilities include the installation, maintenance, or oversight of information technology systems to acknowledge and sign the Software Policy Statement.
• Circulate reminders of the Policy on a regular basis (at least annually) or remind employees of the Policy in other ways (at least annually), for example, through notices in agency newsletters.
• Inform employees where they can get additional information on the Policy and software theft prevention.
If you have any questions concerning this Policy or your obligations under it, you may direct them to either your supervisor or the CIO (provide phone numbers, office locations, and e-mail addresses).
EMPLOYEE ACKNOWLEDGMENT OF UNDERSTANDING AND RESPONSIBILITY:
__________________________________________
Printed Employee Name
__________________________________________ __________________________________________
Employee Signature Date