C72 b329d6f7e4b46a7467de0151210a1.ashx

Government Guide For Software Management

COVER [u.s.]-3 '02 7/18/02 3:27 PM Page 1

C I B E R N E T

This Guide was prepared by the Family, Industry, and Community Economics group of Nathan Associates Inc.,with assistance from BDO Seidman, LLP. Nathan Associates is an international economic consulting firm. BDOSeidman is the U.S. member firm of BDO International, an international accounting and consulting organization.

COVER [u.s.]-3 '02 7/18/02 3:27 PM Page 2

©

ontents

©C

©

©

1 INTRODUCTION 21.1 A Step-by-Step Guide 31.2 Helping Governments Manage

Their Software Assets 31.3 How to Use this Manual 4

2 WHY MANAGE SOFTWARE ASSETS 62.1 Ensure Compliance with the Law 72.2 Control Costs 72.2.1 Control Costs of Acquisition 72.2.2 Avoid Costs of Unnecessary Hardware 82.2.3 Control Software Support Costs 82.2.4 Avoid Legal Challenges, Penalties,

and Fines 82.3 Improve Performance 82.3.1 Ensure Software Quality and Reliability 82.3.2 Maximize IT Resource Compatibility 92.3.3 Anticipate and Take Advantage

of Change 92.3.4 Increase Employee Productivity 9

3 HOW TO MANAGE SOFTWARE ASSETS 103.1 Create an Environment for Success 113.1.1 Articulate and Communicate a Clear

Statement of Software Policy 113.1.2 Obtain Employee Acceptance 113.1.3 Identify, Distribute, and Regularly

Update a List of Supported Software 143.1.4 Establish a Secure Repository 143.1.5 Develop and Implement Software

Procurement Procedures 14

3.2 Take Inventory 153.2.1 Accomplish Three Tasks 153.2.2 Conduct the Inventory in Accordance

With Four General Standards 163.2.3 Rely on the Element of Surprise,

Yet Include All Computers 163.2.4 Specialized Inventory and Metering

Applications Can Make the Job Easier 173.2.5 Other Options 173.3 Take Action 183.3.1 Take Corrective Action When Necessary 183.3.2 Always Take Preventive Action 19

GLOSSARY 20

APPENDIXA. Model Government Decree 22B. Sample Software Policy Statement 23C. Sample Form for List of Supported Software 26D. Sample Inventory Form 29E. Software Inventory and Metering Applications 30F. DOS® Commands to Inventory Software 31G. Windows® Commands to Inventory Software 36H. Macintosh® Commands to Inventory Software 38

US version Booklet '02 7/18/02 4:59 PM Page 1

Introduction


3

n today’s digital era,software is indispensable. It drivesour computers and allows us tocollect, organize, access, analyze,and share information on a scaleand with efficiency not imagined20 years ago.

Software, like other valuableassets, must be managed through-out its lifecycle to achieve itspotential benefit. An effectivemanagement plan must addressasset acquisition, use, and dispos-al. In addition, the process mustoccur in an environment recep-tive to management actions andcommitted to success.

Governments, as informationorganizations, are especiallydependent on software. Sincegovernments make and imple-ment laws on behalf of those theygovern, they have a clear respon-sibility to demonstrate, throughtheir policies and practices, theimportance of adhering to lawsgoverning the use of software.Legitimate software use by gov-ernments will encourage the pri-vate sector to follow suit, therebyleading to growth of the domesticsoftware industry which createsjobs and generates revenue.

1.1A STEP-BY-STEP GUIDEThis manual provides step-by-stepguidance for managing the

installed software base of govern-mental organizations. For seniorgovernment officials, it explainswhy software asset managementis important. For managers, it pre-sents a complete managementplan, including how to create anenvironment in which manage-ment will succeed, informationrequirements of the plan, aprocess for collecting informa-tion, and how to interpret and acton the information collected.

Although asset management ismore than asset tracking, in thecase of software, which is aportable and decentralized asset,tracking is a key component ofthe management process.Thismanual provides very specificinstructions for tracking software.It explains the importance of tak-ing inventory and how to do so. Itexplains how to identify illegalcopies of software and describesthe steps necessary to verify thatyour organization’s use of soft-ware is in compliance with licens-ing agreements. In addition, help-ful tools for inventorying softwareare identified. Using inventorytools is encouraged, but if you donot have access to inventoryapplication software, you will findhere detailed instructions foridentifying the software thatresides on your computers.

1.2 HELPING GOVERNMENTS MANAGETHEIR SOFTWARE ASSETS Software management is criticalto maximizing the benefit of gov-ernment investment in informa-tion technology (IT) resources.Today desktop computers prolif-erate and software is significantlyupgraded on a regular basis.A single government organizationmight be using hundreds of com-puters deployed at dozens oflocations running numerous typesand versions of operating systemand application software.

The proliferation of desktop com-puters and the portability of soft-ware have created an additionalreason to manage software: toensure its legitimacy.Without anorganization’s knowledge, itsemployees might be using illegal-ly copied software. For example,employees might have installedmore copies of a software pro-gram than the organization’slicense permits (commonlyreferred to as software “overuse”).Or, the organization might haveunknowingly acquired illegal soft-ware from a disreputable reseller.

This manual was written to makesoftware asset management sim-ple, yet effective, and to help gov-ernments avoid the cost of legalchallenges to the legitimacy oftheir software assets. It presents

©I


4

clear justification for manag-ing software and encouragesorganizations not currentlymanaging their software todo so by showing themhow.

1.3 HOW TO USE THIS MANUALThe organization and pro-duction of this manual wereintended to facilitate its use.If you are not yet convincedof the benefits of softwareasset management, readChapter 2, which identifiesthe benefits and explainshow the managementprocess will help youachieve them. Key reasonsinclude ensuring

compliance with the law,controlling costs associatedwith software assets, andimproving the performanceof the assets, the organiza-tion, and its employees. Ifalready convinced of thebenefits, skip to Chapter 3,which explains how to man-age your software assets.The process consists ofthree major steps.

1. Establish an environmentfor success. Begin by articu-lating a software policystatement that addresses theacquisition, use, and disposalof the software used by allgovernment agencies.

Employeesshould be

instructed

on the requirements andrestrictions of the usage pol-icy. Employees responsiblefor software procurementrequire specialized trainingin licensing requirementsand proper procurementprocedures.

2. Conduct a software inven-tory. Next, take inventory ofthe software residing onyour computers.The soft-ware you find and the waysin which it is being usedmust conform to the govern-ment’s software policy.

3. Commit to an ongoingprocess. Finally, an effectivesoftware management planrequires continuing actions.It is important to follow

sound procurementprocedures, to

maintain a com-plete and up-to-date record-keeping system,and to take cor-

rective and pre-ventive actions.

Perhaps most impor-tant, communicate with

employees to encour-age participation inthe process and

adherence to policy.


5

To assist you in getting started,this manual includes informationand examples of documents thatwill be used in or generated bythe management process. Exhibit Acontains a model governmentdecree on the illegal use of com-puter software. Exhibit B containsa sample software policy state-ment that can be adapted for useby your agency or organization.Exhibit C contains an example ofthe type of form you could use torecord and disseminate informa-tion regarding the softwaresupported by your organization.Exhibit D contains a samplesoftware inventory worksheet toguide your data collection efforts.Exhibit E presents an analysis of afew randomly selected softwareproducts that can help you inven-tory software and meter its use.Finally, Exhibits F, G, and H con-tain specific sets of commands foridentifying the software thatresides on your computers if youare unable to use inventoryapplication software.Thecommands are listed for threedifferent environments: DOS® onstand-alone computers, MicrosoftWindows® on stand-alone or net-worked computers, and Apple®

Macintosh® on stand-alone com-puters.


Why Manage

Software Assets


7

n today s dynamic

environment of dispersed desktop

computers and other IT assets,

managing your software assets is

necessary to:

■ Ensure your software is legal and

being used in compliance with

licensing terms;

■ Control costs associated with the

asset; and

■ Improve asset and organization

performance.

2.1ENSURE COMPLIANCE WITH THE LAWComputer software is protected under

copyright law and cannot be used,

reproduced or distributed without the

manufacturer s express authorization.

Copies of computer software are typi-

cally licensed, not sold, to the user.

Accordingly, your right to use, repro-

duce, and distribute a software program

is subject to the terms of the software

license agreement, which constitutes a

valid legal contract between the

licensee and the software publisher.

The software license gives the software

publisher a claim for damages in the

event you fail to comply with its terms.

A licensed copy of software can be

installed and used on only one com-

puter, unless the license agreement

expressly permits use of a second

copy, for example, at home or on a

portable computer. However, a license

agreement typically allows

you to maintain a back up copy of

software for archival purposes.

In addition to licensing agreements,

copyright law protects software

publishers from the unauthorized

copying, distribution, and sale of

software. In today s digital era,

copyright law also prohibits users

from uploading, downloading, or

transmitting unauthorized copies of

software via the Internet or other

electronic media. Violations of these

restrictions are civil and criminal

offenses, exposing the infringer to

significant civil damages, as well as

criminal fines and imprisonment.

Governmental organizations have a

key role to play in supporting the

protection of intellectual property

by ensuring all software and its use

are in compliance with licensing

agreements and copyright law.

Copying, distributing, and using

software illegally deprive

economies of legitimate and taxable

economic activity. Perhaps more

important, use of illegal software

reduces the reward for innovation

and, by doing so, slows economic

growth and development. A govern-

ment decree in support of ensuring

all software and its use are in com-

pliance with licensing agreements

and copyright law sets the stage for

an effective software management

plan. Appendix A contains a sample

government decree.

2.2 CONTROL COSTSThe second major reason for

managing your software assets is to

control all costs associated with the

assets. An effective management

process will:

■ Control software acquisition

costs;

■ Avoid unnecessary hardware

costs;

■ Control software support costs;

and

■ Avoid the costs of legal chal-

lenges and fines or penalties for

use of illegal software and unau-

thorized use of legal software.

2.2.1 Control Costs of AcquisitionAn effective management process

minimizes software acquisition costs

by identifying and communicating

the current and future software needs

of your organization, budgeting for

software acquisition, and purchasing

only what is necessary while doing

so in conformance to clearly defined

procurement procedures.

Budgeting is key. You must identify

planned software expenditures in a

separate line item of your IT budget

and track your actual versus planned

expenditures. By doing so, you can

more accurately evaluate your needs,

ensure that software acquired is legit-

imate, and plan for future acquisition.

Large organizations often devote 25

percent of their IT budgets to software.

©I


8

2.2.2 Avoid Costs of Unnecessary HardwareA software management process

allows an organization to identify and

communicate with its employees the

software it currently supports, as well

as expected upgrades, substitutions,

disposals, and data and program

retention policies. By collecting and

sharing this information, software,

data, and program files can be man-

aged on a systematic basis with a

minimum of disruption. In addition,

the non-disruptive removal of soft-

ware no longer supported frees space

on existing hardware, thereby helping

organizations avoid the costs of

unnecessarily upgrading or replacing

hardware.

2.2.3 Control Software Support CostsBy identifying your organization s

current and future software needs and

specifying when software will cease

to be supported, you can control the

cost of supporting software and avoid

the cost of renewing licenses unnec-

essarily or in overly expansive terms.

Control can be effected by a manage-

ment process that regularly reviews

the organization s software needs,

updates the list of supported software

periodically, and clearly communi-

cates in advance when various appli-

cations and versions will no longer be

supported and, hence, removed from

the organization s computers.

2.2.4 Avoid Legal Challenges, Penalties, and FinesYour agency or organization can

avoid the costs of legal challenges,

fines, and penalties by implementing

the software asset management

process described here. The process

will generate a record of documenta-

tion necessary to avoid these costs.

The record will include:

■ A written statement of your orga-

nization s software policy;

■ Evidence of employee acknowl-

edgement and understanding of the

policy, the management process,

and his or her responsibilities;

■ A complete and current inventory

of your software assets; and

■ Documentation of all actions taken

in support of the management

process.

2.3 IMPROVE PERFORMANCEIn addition to more effective control

of costs, which improves the

performance of all organizations, a

software asset management plan will:

■ Ensure software quality and

reliability;

■ Maximize IT resource compatibility;

■ Anticipate and take advantage of

change; and

■ Increase employee productivity.

2.3.1 Ensure Software Quality and ReliabilityAn effective software management

process will ensure the quality and

reliability of the software. Illegally

copied software - which can be

defective or infected with a virus,

obsolete, or recently released but not

adequately tested - can be identified,

avoided, and, when found on the

organization s computers, removed.

Licensed software, on the other hand,

offers the assurance of product

authenticity and quality, the warranty

of the software publisher, documenta-

tion, instruction manuals, tutorials,

product support (including upgrade

information and trouble-shooting ser-

vices), and training.


9

2.3.2 Maximize IT Resource CompatibilityWith the numerous types and

versions of software available in

today s market, issues of compati-

bility often arise. If employees in

one part of your organization

require documents created by a

specific application, but employees

in other parts of the organization

use only an incompatible applica-

tion, you must weigh the decision of

whether to authorize the use of,

support, and training in both

computer programs. By managing

the lifecycle of your software assets,

you generate the information

necessary to address compatibility

issues and weigh tradeoffs on the

basis of all costs and benefits.

2.3.3 Anticipate and Take Advantage of ChangeAn effective software management

process will make it easier to

anticipate and take advantage of

change - both technological and

organizational - while minimizing

its potentially adverse consequences.

In the course of the management

process, you will be identifying and

communicating the current and

future software needs of your

organization. Reactions within the

organization will lead to a clearer

understanding of future needs and

additional insight into the advan-

tages and disadvantages of deploy-

ing anticipated technology sooner

rather than later. The process will

help you avoid the acquisition of

software on the verge of becoming

obsolete as well as new still unreli-

able software.

2.3.4 Increase Employee ProductivityComputer software has dramatically

transformed today s business and

organizational environments.

Because of software, today s workers

are more efficient and businesses

are more productive. Software has

reinvented old notions of bringing

products and services to customers

and established real-time communi-

cation as a cornerstone of organiza-

tion effectiveness.

Software asset management ensures

that workers have the tools they

need to accomplish their tasks

efficiently, and the education and

training they need to use the tools

effectively.


How to Manage

Software Assets


11

n effective software

management process consists of

three major tasks. First, you need to

create the right organizational envi-

ronment, one in which all employ-

ees are committed to the success of

the process. Next, you need to take

inventory of your assets. You need

to know what you have before you

can manage it. And finally, you must

be prepared to take action - correc-

tive and preventive - and you must

keep policy, procedures, and infor-

mation current.

The right organizational environ-

ment is one in which employees are

receptive to the goals, decisions, and

actions of the management process.

This environment can be created if

you:

■ Articulate and communicate a

clear statement of software policy;

■ Obtain employee understanding

and acknowledgement of the

policy;

■ Identify, distribute, and regularly

update a list of supported soft-

ware and authorized use;

■ Establish a repository for master

disks of purchased software, all

software licenses, software docu-

mentation, purchase invoices if

available, and information gener-

ated by the management process;

and

■ Develop, implement, and regularly

monitor adherence to software

procurement procedures.

Taking inventory of your software is

a critical component of the manage-

ment process. You must identify all

software residing on your organiza-

tion s computers, and collect and

store in a secure repository the

licenses and documentation for the

software your organization supports.

Finally, be prepared to take action.

Corrective action might be neces-

sary to align inventory with policies

and procedures, as well as licensing

agreements. Stay current by regular-

ly updating the list of software sup-

ported by your organization and

updating, as necessary, the terms of

your licensing agreements. And take

preventive action to minimize the

need for future corrective action.

3.1 CREATE AN ENVIRONMENT FOR SUCCESSYou must build out the organization-

al environment in five dimensions.

Remember, no management process

will succeed if its goals are not

clearly defined and achievable, if

responsibilities are unclear, or if

there are no consequences to actions

taken or not taken in the process.

3.1.1 Articulate and Communicate a Clear Software PolicyAn effective management plan

begins with a clear statement of pol-

icy. It should include separate

sections for articulating your organi-

zation s commitment to three goals:

■ Enforcing all applicable copy-

rights;

■ Managing software assets to

obtain maximum benefit; and

■ Acquiring properly licensed soft-

ware through an approved pro-

curement process that minimizes

the risk of acquiring illegal soft-

ware.

Appendix B contains a sample poli-

cy statement for your organization

to consider. The policy statement

you develop should be included in

your organization s employee hand-

book. It should also be posted on

your organization s employee bul-

letin board and made available on

your Intranet.

3.1.2 Obtain Employee AcceptanceTo succeed, employees must under-

stand and accept the management

process. You can enlist their support

by doing three things:

■ Clearly describe, communicate,

and require acknowledgment of the

organization s policy, management

process, procurement procedures,

and employee responsibilities.

■ Educate and train employees to

understand what is expected of

them, how they can contribute

to the success of the management

process by knowing how to

identify illegal software and by

©A


12

understanding and complying

with the terms of software licens-

es, and how to use the software

provided and supported by the

organization.

■ Pay special attention to transi-

tional events such as an employ-

ee s hiring or departure.

Specify, Communicate, and Require AcknowledgmentInitially, generate support by clearly

specifying and communicating a

software policy, a chain of com-

mand, and responsibilities of each

employee. Include the information

in the employee handbook.

Distribute the information at new-

employee orientation. Avoid confu-

sion by requiring each employee to

sign a copy of the statement. The

signed statement is evidence that

each employee has been made

aware of, understands, and agrees to

comply with the organization s soft-

ware policy and management

process.

Educate and TrainTraining is an important element of

obtaining employee acceptance. You

should develop a training program

providing instruction in three general

areas:

■ Understanding the organization s

statement of policy, including the

management process, procure-

ment procedures, and employee

responsibilities;

■ How to know if software or its

use is illegal; and

■ How to take advantage of the

software assets supported by the

organization.

In addition to explaining the policy

to new employees during their ori-

entation, helping employees under-

stand the policy and their responsi-

bilities can be accomplished by reg-

ularly reviewing with all employees

the results of the management

process and procurement proce-

dures. An ideal time for review is

after completion of a software audit

or inventory.

Training employees to recognize

when software or its use is illegal

begins with an understanding of the

many variations of software theft.

The five most common types of

theft, and how to help employees

avoid committing these illegal acts,

are summarized below.

1. End user piracy occurs when an

individual or organization (the end

user ) reproduces copies of software

without authorization. End user

piracy can take the following forms:

■ Using one licensed copy to install

a program on multiple computers;

■ Copying disks for installation and

distribution;

■ Taking advantage of upgrade

offers without having a legal

copy of the version to be upgraded;

■ Acquiring academic or other

restricted or non-retail software,

the license for which does not

permit sale to, or use by, the

organization; or

■ Swapping disks in or outside the

workplace.

2. Client-server overuse is a com-

mon form of end user piracy. A

client-server configuration links

multiple computers and permits

users to access software stored on a

local area network. Client-server

overuse often occurs because the

organization or its employees fail to

understand license restrictions in a

network environment. Server soft-

ware licenses generally limit the

number of users on the server, or

may require individual access

licenses for users. Certain applica-

tion licenses will authorize use of

one installed copy by multiple

users, but only within the limits of

the license provisions. Exceeding

the permitted number or types of

users constitutes unauthorized use.

License overuse can be controlled

by carefully checking software

licensing agreements at the time

of purchase and installation and

educating employees on proper

software use.

3. Counterfeiting is the illegal

duplication and sale of copyrighted

material with the intent of directly

imitating the copyrighted product.


13

In the case of packaged software, it

is common to find counterfeit

copies of the CDs or diskettes

incorporating the software program,

as well as related packaging, manu-

als, license agreements, labels,

registration cards, and security

features. You can guard against the

unwitting purchase of counterfeit

product by:

■ Carefully checking the authentic-

ity of any product you acquire;

■ Purchasing from resellers with a

reputation for integrity and hon-

est business practices; and

■ Ensuring that all user materials

and a licensing agreement are

included with software at the

time of its acquisition.

Any department or groups autho-

rized to acquire software should be

aware of the following warning

signs that often signify counterfeit

software:

■ The price of the software is

deeply discounted or otherwise

appears too good to be true ;

■ The software is distributed in a

CD jewel case without the pack-

aging and materials that typically

accompany a legitimate product;

■ The software lacks the manufac-

turer s standard security features;

■ The software lacks an original

license or other materials that

typically accompany legitimate

products (e.g., original registra-

tion card or manual);

■ The packaging or materials that

accompany the software have

been copied or are of inferior

print quality;

■ The CD has a gold, blue or blue-

green appearance, as opposed to

the silver appearance that charac-

terizes legitimate product;

■ The CD contains software from

more than one manufacturer or

programs that are not typically

sold as a suite ; or

■ The software is distributed via

mail order or online by resellers

who fail to provide appropriate

guarantees of legitimate product.

4. Hard-disk loading occurs when a

computer hardware reseller loads

unauthorized copies of software

onto the machines they sell to make

purchase of the machine more

attractive. You can avoid purchasing

such software by ensuring that all

hardware and software purchases

are centrally coordinated through

your organization and all purchases

are made through reputable suppliers.

Most important, require receipt of

all original software licenses, disks,

and documentation with every hard-

ware purchase.

5. Online software theft has become

more prevalent with the rise in

Internet popularity. Employees who

download unauthorized copies of

software via an Internet site are in

violation of the copyright law, just

as if they had made an authorized

copy from a disk. Although some

manufacturers expressly permit

their software programs to be down-

loaded without payment of a licens-

ing fee, these programs are still sub-

ject to a licensing agreement. Pay

careful attention to educate all

employees to the fact that software

should not be downloaded from the

Internet without express authoriza-

tion by the official, department or

group in charge of software

procurement.

The final element of your training

program is conventional training.

One of your more challenging tasks

will be to obtain acceptance of the

list of software supported by your

organization. Everyone will have a

software preference and someone is

likely to want an application your

organization has chosen not to sup-

port. To minimize the likelihood of

such outcomes and their

potentially disruptive impact, it is

critical to offer regular training in

the software supported by your

organization.

Pay Special Attention to Employee TransitionsEmployee transitions are critical

times in the software management

process. Exiting employees need to

be debriefed. Their computers

should be checked for installed soft-

ware. They should be asked whether


14

they have illegally copied onto a

diskette or other portable storage

medium any software licensed or

controlled by the organization. If

they had installed copies of the

organization s software on their

home computers, they should be

reminded of their responsibility to

delete the programs. The computer

previously assigned to the exiting

employee must be reconfigured

with the software required of the

employee(s) to whom the computer

will be reassigned.

3.1.3 Identify, Distribute, and Regularly Updatea List of Supported SoftwareYou must identify with specificity

the software supported by your

organization. The list, a sample

form of which is contained in

Appendix C, must contain informa-

tion in three broad categories:

■ Software currently supported,

terms of the license, and autho-

rized number of users;

■ Location of the software; and

■ Future plans to add, upgrade, and

dispose of software.

By following the four steps

described below, the list you devel-

op will include the information nec-

essary to fully specify the current

state of your organization s autho-

rized and supported software assets.

1. Begin by determining all classes

and subclasses of software your

organization deems necessary to

accomplish its mission. Different

classes include operating systems,

communications, utilities, word

processors, graphic, database,

spreadsheet, network, and others.

Subclasses are, for example, a disk

operating system and network oper-

ating system, data compression util-

ities, presentation graphics, etc.

2. Within each class and subclass,

decide which product and version

will be supported and the employees

who will be using it.

3. Once the number of employees

requiring use of the software is iden-

tified, determine the number of

copies to be authorized and supported

by the organization. Of course this

will depend on the licensing terms

available for the software. Specify

the terms of the license chosen.

4. Finally, decide how to distribute

the software. Specify the serial num-

ber(s) of the computer(s) on which

the software is installed, and, when

applicable, the organizational unit or

department and the employee(s) to

whom the computer is assigned.

In addition to developing the list of

currently supported software and

authorized use, you must project

your software needs at least three

years into the future. It is important

to look ahead to anticipate software

upgrades, additions, and disposals.

The future schedule of such events,

though preliminary and subject to

change, should be included in the

list of supported software.

3.1.4 Establish a Secure RepositoryAll licenses and documentation for

the organization s authorized and

supported software, as well as the

original diskettes or CDs, should be

collected and stored in a secure cen-

tral location. By providing secure

storage for the original diskettes or

CDs, you will minimize the risk of

software theft and unauthorized

duplication of software programs.

Leaving original disks or CDs lying

around often leads employees to

mistakenly believe they are spare

copies that can be loaded onto their

computers.

3.1.5 Develop and Implement SoftwareProcurement ProceduresYour organization should develop

and implement an official software

procurement process. Any depart-

ment or group authorized to pur-

chase software should be trained in

general licensing requirements and

proper procurement procedures.

The process begins with a formal-

ized request for authorization to


15

purchase software, an evaluation and

justification of need, and identifica-

tion of the channels through which

the software must be purchased.

Additional procedures that should

be part of the process are listed

below.

■ Require that all purchases of

software be made through a

purchasing department or group

designated with such responsibil-

ity for the organization;

■ Require that all requests be sub-

mitted in writing and approved

by the department manager with

budgetary signing authority;

■ Disallow reimbursement of any

employee expense charged to an

employee expense account that

was expended for software acqui-

sition;

■ Require that all software purchases

be made through reputable,

authorized resellers;

■ Require that all software purchas-

es be accompanied by related

user materials (e.g., manuals, reg-

istration cards, etc.) and all prop-

er licenses and receipts evidenc-

ing legal acquisition and use; and

■ Disallow purchase of software

not included in the organization s

list of supported software.

Part 3 of the sample software policy

statement in Appendix B contains a

suggested procurement process

statement. To ensure compliance

with the process, periodically review

records of software purchases.

3.2 TAKE INVENTORYThe second major task of an effec-

tive software asset management

process is inventorying all software

residing on all the organization s

computers, the original licenses for

all software supported and autho-

rized for use by your organization,

and all software documentation

(including purchase invoices if

available). You must know what

you have before you can manage it.

By comparing the results of this

initial baseline inventory to the

organization s software policy and

list of supported software, you will

be able to identify and delete illegal

software and software you no

longer officially support, and identi-

fy and stop use in violation of your

software licensing agreements.

Your organization s progress in this

effort should then be monitored

through subsequent periodic audits

or inventories.

3.2.1 Accomplish Three TasksThe software inventory must gener-

ate information that allows you to

accomplish three tasks:

■ Identification of all software

residing on your organization s

computers;

■ Identification of illegal and

unsupported software residing on

your organization s computers;

and

■ Identification of software use that

is not in compliance with the

organization s policies and proce-

dures, copyright law, or licensing

agreements.

Identify Software Residing on theOrganization’s ComputersThe inventory begins with identifi-

cation of all software found on the

organization s computers. The

process consists of the following

tasks:

■ Record the serial number of the

computer, workstation, or server

being analyzed.

■ Record the organizational depart-

ment to which the computer is

assigned.

■ Record the name of the employ-

ee(s) to whom the computer is

assigned.

■ Inspect the contents of the com-

puter or workstation s hard disk

and, if networked, the server and

other locations where software

might be found.

■ Identify any hidden files and

directories and record the details

of any such occurrences for sub-

sequent investigation.

■ For software with single user

licenses, record the serial

number of each. For networked


16

computers, record the licensing

information for the software

found on the workstation and

server.

■ Ask the manager and staff if any

software is maintained on floppy

diskettes, and, if so, inspect the

diskettes.

■ Inspect the computer and user

areas for evidence of any photo-

copied material such as user

guides.

■ Ask the manager and staff if any

unauthorized software is used in

the department.

■ Review the findings and compare

them with the list of supported

software, and the licenses and

documentation stored in the

repository.

Appendix D contains a sample form

for recording the information that

must be collected in the software

inventory. Specialized inventory

application software, which is dis-

cussed later, can be used to make

the inventory job relatively easy.

Identify Illegal and Unsupported SoftwareThe identification of illegal and

unsupported software is accom-

plished by comparing the results of

your inventory to the list of soft-

ware supported by your organiza-

tion. Although the task is straight-

forward, it can involve additional

analysis. Some executable files

found on the computers might

appear to be a software program not

supported while, in fact, they are

components of supported software or

otherwise legitimate instruction sets.

Identify Unauthorized UseThe identification of unauthorized

use is accomplished by comparing

the terms of the licensing agree-

ments you have for your supported

software with the number of com-

puters on which the software was

found and the number of users hav-

ing access to the computers.

Software metering applications,

which are discussed later along with

other inventory application soft-

ware, can help to ensure that soft-

ware use is in compliance with the

software license.

3.2.2 Conduct the Inventory in Accordance withFour General StandardsYou should conduct the software

inventory in accordance with stan-

dards regarding the qualifications of

people who will take the inventory,

the independence of these people

and their organization, their exercise

of professional care in conducting

the inventory and preparing inven-

tory reports, and the presence of

quality controls.

A person or team that collectively

possesses adequate professional

proficiency for the tasks required

should take the inventory. Look for

the following qualifications:

■ Knowledge of and experience

with the methods and techniques

applicable to inventorying

software;

■ Knowledge of the programs,

activities, and functions of your

organization; and

■ Good communication skills.

The person or team should be free

from personal and external impair-

ments to independence. In addition,

an independent attitude and appear-

ance must be maintained. It is

important that the opinions, conclu-

sions, judgments, and recommenda-

tions of the person or team be

impartial and viewed as impartial

by knowledgeable third parties.

Due professional care must be used

to conduct the inventory and prepare

inventory reports. The person or

team should use sound judgment in

establishing the scope and timing of

the inventory, selecting the method-

ology and specific procedures, and

evaluating and reporting the results.

3.2.3 Rely on the Element of Surprise, YetInclude All ComputersOnce the organization s entire soft-

ware base has been examined in

the initial baseline inventory,

the organization should conduct

periodic inventories to monitor

compliance. For these subsequent


17

inventories, it might not be practical

to include all computers in a single

procedure. In such circumstances, a

sample of computers should be

inspected, but over the course of a

year, every computer should be re-

inspected and its installed software

included in the inventory.

3.2.4 Specialized Inventory and MeteringApplications Can Make the Job EasierSpecialized application software can

inventory and meter the use of your

organization s software. When possi-

ble, these tools should be used. They

will make the inventory process

more efficient and help you more

accurately manage software use.

Evaluate specific products available

in your market by answering the

following questions:

■ Is the application effective for an

organization this size;

■ Does the application work in a

networked or stand-alone envi-

ronment;

■ How does the application recog-

nize software and, if by compar-

ing to known products included

in a database, how often is the

database updated;

■ How is the application deployed;

■ What is the application s user

interface;

■ What are its reporting capabilities,

■ What support is available;

and

■ What is the cost of the

application?

Appendix E contains a matrix sum-

marizing five randomly chosen

inventory applications and two ran-

domly chosen metering applica-

tions. Please do not interpret the

inclusion of these specific products

as indication of support for them

over the dozens of others that are on

the market today or about to be

brought to the market.

3.2.5 Other OptionsYou can conduct the software

inventory without the use of spe-

cialized application software. The

process will take additional time

and, with respect to monitoring

software use, the information gener-

ated is likely to be less precise.

Nevertheless, the process will gen-

erate the information you need to

guard against the possibility of ille-

gal software and illegal use of soft-

ware in your organization.

Appendixes F, G, and H contain

command sets for inventorying your

software without the benefit of a

specialized application within the

following three environments:

■ Stand-alone computers running

DOS;

■ Stand-alone or networked com-

puters running Windows; and

■ Stand-alone Macintosh computers.

The key to identifying software on

DOS and Windows systems is to

find all files suffixed with .EXE,

which is short for executable.

All software must have at least one

executable file. The challenge is to

weed through numerous executable

files that might be small subsets of

instructions embedded in legitimate

software to find the executable file

of an illegal program.

Using DOS on Stand-Alone ComputersIt is best to use specialized invento-

ry application software. An inven-

tory can be performed without such

software, but you must commit a

significant amount of time to the

inventory process. You must inspect

the contents of each computer s

hard drive using only DOS-based

command instructions. There are

three alternative ways to undertake

the effort, and the commands to fol-

low in each approach are contained

in Appendix F.

■ Exhaustive inspection;

■ User-level instructions with man-

ual inspection; and

■ User-level instructions with auto-

mated inspection.

In an exhaustive inspection approach,

disk partition information is inspect-

ed and hidden files and subdirectories

are located and examined. Only com-

petent technicians or systems engi-

neers should attempt this method of

inventorying software.


18

User-level instruction with manual

inspection can be used when the

hard disk is not partitioned. It can

also be used to examine the con-

tents of a computer s hard drive

without invoking disk partition soft-

ware that could cause catastrophic

data loss if used improperly.

An automated inspection method

assumes all software information

will be gathered by end users and

forwarded to a centralized location

for inspection. A single hard drive

partition is assumed. Drives with

multiple partitions should be

inspected manually.

Using Windows on Stand-alone or Networked ComputersUsing Windows to inventory soft-

ware is easier but still time consum-

ing. Again, the person taking the

inventory must find all .EXE files

on the computer and invoke the

software to examine licensing infor-

mation. Opening all folders to

determine whether they contain

software can be time consuming,

and, although use of the PRINT

SCRN key to print the information

and images on the desktop is an

excellent way of generating a print-

ed record of the inventory, it too

requires time. However, the job

does not require sophisticated tech-

nical knowledge and experience.

Appendix G contains the instruc-

tions for inventorying your software

if you are using a Windows-based

system.

Using the Macintosh Operating System on Stand-Alone ComputersLike using Windows, the Macintosh

operating system can generate an

inventory of software, but it

requires more time than specialized

inventory application software. The

commands required are contained in

Appendix H.

3.3 TAKE ACTIONThe final major component of the

management process is action. You

must be prepared to take corrective

action when necessary and preven-

tive action to minimize the need for

future corrective action.

3.3.1 Take Corrective Action When NecessaryThere are two breaches requiring

corrective action. Whenever either

is found to have occurred, all

employees must be informed and

reminded of their responsibilities to

the organization s software policy

and management process.

Correct Breaches in Software PolicyWhen an employee is found not to

be in compliance with the organiza-

tion s software policy, he or she

must be informed of the breach,

reminded of his or her acknowledg-

ment of responsibility to the policy,

asked to cease such behavior, and

warned that if future breaches

occur, they could be grounds for

dismissal. A written record of all

such instances should be included in

the employee s personnel file.

Employee notification is important,

and these corrective measures

should be taken only once an

employee has been properly advised

of the software policy and has sub-

sequently been found in violation.

Correct Breaches in Licensing Agreements and Copyright LawWhen the infraction is a breach of

copyright law or the terms of a soft-

ware license, the incident has poten-

tially serious consequences for the

employee and the organization.

If the inventory were to reveal ille-

gal copies of software residing on

the organization s computers, the

copies must be deleted immediately.

If the infraction is severe and found

to be widespread throughout the

organization, senior managers

should be informed. You might also

want to inform the copyright holder

if the discovery revealed informa-

tion (such as the location of an ille-

gal software copying and distribu-

tion operation) that would be of

benefit to the copyright holder. All

efforts should be made to identify

the employee or employees respon-

sible for the violation. The incident

and its final outcome should be


19

recorded and maintained with

all other documentation in the

secure repository. All violations

attributed to a specific employee

should be recorded in the

employee s personnel file.

If the inventory were to reveal soft-

ware use not in compliance with

licensing terms, all users of the par-

ticular product must be informed of

the infraction, and, if necessary, a

new licensing agreement must be

struck to include use by those

whose use had previously not been

covered by the license.

3.3.2 Always Take Preventive ActionTo minimize the number and severi-

ty of breaches, you should take pre-

ventive action in three arenas: the

environment for success, taking

inventory, and procurement.

Maintain the Environment for SuccessTo maintain a workplace environ-

ment in which the management

process will succeed you should

strive to stay current by regularly

updating your list of supported soft-

ware and authorized use, modifying

the availability of products to reflect

changing patterns and intensity of

use, and communicating with

employees.

Regularly Review List of Supported Software and UseDemonstrate the organization s

interest in ensuring that its employ-

ees have the software they need by

regularly reviewing the list of sup-

ported software and authorized use.

Seek out the opinions of those who

are more reliant on software. And

strive to understand why some

employees appear to have little need

for software. When necessary, mod-

ify the list, announce the changes,

and distribute the new list through-

out the organization.

When Necessary, Modify the License or Number of CopiesWhen software use changes, modify

the number of copies you support or

the type of license to reflect the new

situation. In times of increasing

demand for a particular product, too

few copies or a license that is too

restrictive places the organization in

greater jeopardy of its employees

violating licensing agreements. And

when demand is declining, you do

not want the organization support-

ing copies or renewing licenses that

are not necessary.

Keep Communication OpenSeek opportunities to communicate

with employees about their software

needs, experiences with specific

products, policy and process

responsibilities, and management

results. Employees must see that

their actions have consequences.

Conduct Random Spot InventoriesRegrettably, human nature is such

that often the element of surprise is

necessary to obtain a clear picture

of behavior. It is important to peri-

odically take inventory. Select the

computers to be inspected. Targets

could include computers previously

found to be in breach of policy or

law. Announce the results of all

such random spot checks.

Periodically Review SoftwareProcurement RecordsPeriodically review the record of

software procurement to determine

whether those responsible for pro-

curement are adhering to the organi-

zation s procurement policy.

Whenever a legal breach is discov-

ered through the process of invento-

rying software, every attempt

should be made to determine

whether the breach was due at least

in part to a failure to follow the

official procurement procedures.


20

©GApplication Software General term for software programs

that perform specific tasks such as

accounting, word processing and

database management.

CD-ROMA type of optical disk capable of

storing large amounts of data - up to

1GB (gigabyte), although the most

common size is 650MB

(megabytes). CD-ROMs are read-

only storage media best suited for

holding reference information

which does not change on a daily

basis and is not subject to being

updated by those who use it.

CopyrightThe legal rights of an author

under federal law to control the

reproduction,distribution, adapta-

tion, and performance of his/her

work, including software. The

copying of a copyrighted work

without the permission of its

author may subject the copier to

both civil and criminal penalties.

DisketteA flat piece of flexible plastic cov-

ered with a magnetic coating which

is used to store data (also called a

floppy disk). The existing standard

for diskette size is 3 1/2 inches.

Unlike hard disks, floppy disks can

be removed from a disk drive and,

thus, are portable.

DownloadTo move a file from a computer at

another site to your computer over a

communications line. The term is

often used to describe the process of

copying a file from the Internet or a

Bulletin Board System (BBS) to a

computer. Downloading can also

refer to copying a file from a net-

work file server to a computer on

the network.

End UserThe final or ultimate user of a com-

puter system and/or product.

FixesCorrections to vendor supplied soft-

ware. The vendor does not necessar-

ily supply these fixes.

Hard DiskA magnetic disk on which you can

store computer data (also called a

hard drive). Unlike floppy disks,

hard disks cannot be easily removed

from the computer and, hence, are

not portable. Hard disks hold more

data and are faster than floppy

disks. A hard disk, for example, can

store anywhere from 10 megabytes

to several gigabytes, whereas most

floppy disks have a maximum stor-

age capacity of 1.4 megabytes.

HardwareThe physical components of a com-

puter system.

Intellectual Property Rights The legal rights persons have to

prevent others from using without

permission certain kinds of intangible

property. The objective of laws pro-

tecting intellectual property rights is

to promote innovation and creativity.

These laws take a number of different

forms, including laws protecting

patents, which govern rights in

inventions; copyright, which governs

rights in software, books, movies,

and music; trademarks , which pro-

tect the reputation of the entity which

owns a mark; and trade secrets,

which safeguard valuable business

information.

LAN Local Area Network. A computer

network that spans a relatively

small area. A LAN lets you share

files as well as devices such as

printers or CD-ROM drives. A

LAN can be connected to other

LANs over any distance via tele-

phone lines and radio waves; a sys-

tem of LANs connected in this way

is called a wide-area network (WAN).

LicenseA legally binding agreement in

which one party grants certain

rights and privileges to another. In

the computer field, a software pub-

lisher will typically grant a non-

exclusive right (license) to a user to

use one copy of its software and

prohibit further copying and

lossary


21

distribution of that software to

another user.

ModemA device or program that enables a

computer to transmit data over tele-

phone lines.

Network OperatingAn operating system that includes

special functions for connecting

System computers and devices into

a local-area network (LAN). A net-

work operating system coordinates

a network s primary functions such

as file transfer and print queuing.

Operating SystemThe master control program that

translates the user s commands and

allows application programs to

interact with the computer s hard-

ware. Every general-purpose com-

puter must have an operating sys-

tem to run other programs.

Operating systems perform basic

tasks, such as recognizing input

from the keyboard, sending output

to the display screen, keeping track

of files and directories on the disk,

and controlling peripheral devices

such as disk drives and printers.

Common operating systems include

DOS, Windows, and Mac OS.

PiracyThe illegal use and/or distribution of

property protected under intellectual

property laws. Software piracy can

take many forms. End user piracy

occurs when an individual or organi-

zation reproduces and/or uses unli-

censed copies of software for its oper-

ations. Client-server overuse occurs

when the number of users connected

to or accessing one server exceeds the

total number defined in the license

agreement. Server piracy occurs when

illegal copies of software are loaded

onto one or more servers.

Counterfeiting is the illegal duplica-

tion of software with the intent of

directly imitating the copyrighted

product. Hard-disk loading occurs

when a computer hardware reseller

loads unauthorized copies of software

onto the machines it sells. Online

software theft occurs when individu-

als download or upload unauthorized

copies of software from the Internet

or a Bulletin Board System (BBS).

License misuse occurs when software

is distributed in channels outside

those allowed by the license, or used

in ways restricted by the license.

ServerA computer or device on a network

that manages network resources.

For example, a file server is a com-

puter and storage device dedicated

to storing files. Any user on the

network can store files on the serv-

er. A print server is a computer that

manages one or more printers, and a

network server is a computer that

manages network traffic. A data-

base server is a computer system

that processes database queries.

SoftwareComputer instructions or data.

Anything that can be stored elec-

tronically is software. A piece of

software is also known as a program.

System software products Software program packages, other

than application program packages,

that manage systems resources (e.g.,

operating systems, database man-

agement systems, etc.).

UpgradeA new version of a software or

hardware product designed to

replace an older version of the same

product. Typically, software com-

panies sell upgrades at a discount.

In most cases, you must prove you

own an older version of the product

to qualify for the upgrade price.

UploadTo move a file from your computer

to another computer; the opposite of

download.

WAN Wide-Area Network. A computer

network that spans a relatively large

geographical area. Typically, a

WAN consists of two or more local-

area networks (LANs). Computers

connected to a wide-area network

are often connected through public

networks, such as the telephone sys-

tem. They can also be connected

through leased lines or satellites.


Appendix


23

EXHIBIT AMODEL GOVERNMENT DECREE ON LEGAL SOFTWARE USE

WHEREAS the use of proprietary computer software has become essential to the mission and operation ofthe executive agencies of the Government, and the Government is a major user of information technology;

WHEREAS proper software management is critical to ensuring that the Government receive the full benefitsof its software use and operate in compliance with its own and all relevant copyright laws;

WHEREAS the unlicensed copying and sale of computer software are illegal and seriously undermineemployment opportunities and tax revenues generated by the computer software industry;

WHEREAS the Government must set an example for other public and private entities regarding proper soft-ware management by ensuring that it is not a party to computer software piracy.

It shall be the policy of the Government that:

1. Each executive agency shall work diligently to prevent and combat computer software piracy in order togive effect to intellectual property rights associated with computer software by observing the relevant provi-sions of international agreements, including the Word Trade Organization Agreement on Trade-Related Aspectsof Intellectual Property and the Berne Convention for the Protection of Literary and Artistic Works, as well asthe relevant provisions of national law.

2. Each executive agency shall ensure that budget proposals relating to computer software and data process-ing needs include adequate resources for the purchase of sufficient computer software to meet those needs.These resources should be delineated as a separate line-item in the agency’s budget.

3. Each executive agency shall establish systems and controls to ensure that the agency has present on itscomputers and uses only computer software in compliance with applicable copyrights. These systems andcontrols shall include:

a) appointment of a responsible Chief Information Officer (CIO) for each executive agency, who shallcertify that agency’s compliance with software management policies annually to the appropriate centraloffice;

b) completion of an initial inventory of the software present of the agency’s computers and the numberof copies of each program for which the agency has valid licenses;

c) following completion of the initial inventory, deletion of any software programs in numbers exceedingthe valid licenses held;


24

d) development and maintenance of adequate record-keeping systems to record the results of the initialinventory and thereafter track the acquisition of additional software licenses and the installation or useof additional copies of software permitted under such additional licenses, ensuring that such records atall times indicate licenses sufficient to cover all software in use and maintain all license documentationin a single place;

e) channeling all software purchase requests through a single point monitored by the CIO;

f) institution of periodic inventories of each executive agency’s computers to determine the continuedaccuracy of the agency’s software record-keeping systems; and

g) implementation of an agency-wide information and training program for employees regarding thenecessity of legal computer software use, including signature of a written compliance notice andestablishment of disciplinary offenses and penalties for non-compliance.

4. In connection with the acquisition and use of computer software, the head of each executive agency shall:

a) establish and maintain a comprehensive software management policy and an effective program to ensureproper acquisition, distribution, management, use, and disposition of all computer software products;

b) ensure that the policies, procedures, and practices of the agency related to intellectual property rightsprotecting computer software are adequate and fully implement the policies set forth in this order;

c) ensure agency compliance with the intellectual property rights protecting computer software and theprovisions of this order by establishing agency-wide management structures and processes to ensurethat only legal computer software is acquired for and used on the agency’s computers;

d) establish performance measures to assess the agency’s compliance with intellectual property rightsassociated with computer software acquired, distributed, or used by the agency and with the provisionsof this order;

e) direct and support appropriate training of agency personnel regarding intellectual property rights asso-ciated with computer software and the policies and procedures adopted by the agency to honor them.

5. In connection with all third-party contractors and applicants for funds administered by the agency, eachexecutive agency shall:


25

a) require the applicants to certify, as a condition of approval of any funding application, that they haveappropriate systems and controls in place to ensure that agency funds are not used to acquire, operateor maintain computer software without proper authorization, including: (1) the institution of reason-able inventory procedures to ascertain that the computer software present on the computers acquiredor operated with agency funds is legal and (2) the provision of the inventory results to the agency;

b) withhold agency funds, as it deems appropriate, from any applicant found to be using illegal comput-er software with respect to any program supported by the funds, until such time as it has been estab-lished to the satisfaction of the agency’s auditors that reasonable steps have been taken to ensure thatillegal software is no longer present on that applicant’s computers used with respect to any such pro-gram;

6. Each agency shall cooperate fully in implementing this order and shall share information as appropriatethat may be useful in combating the use of computer software without proper authorization.


26

EXHIBIT BSAMPLE STATEMENT OF ORGANIZATION’S SOFTWARE MANAGEMENT POLICY

Part 1. General ResponsibilitiesThe Policy of [organization] is to manage its software assets to derive maximum benefit to [organization]and its employees and, especially, to ensure that [organization] and its employees:■ Acquire, reproduce, distribute, transmit, and use computer software in compliance with international

treaty obligations and [insert country name] laws, including the [insert specific key laws]; and■ Maintain only legal software on [organization’s] computers and computer networks.

All software is protected under [country specific] copyright laws from the time of its creation.[Organization] has licensed copies of computer software from a variety of publishers to help fulfill its mis-sion. Unless otherwise provided in the software license, duplication of copyrighted software, except forbackup and archival purposes, is a violation of the [applicable law] and this Policy.

You may not knowingly use software for which [organization] lacks the appropriate license. If you becomeaware of the use or distribution of unauthorized software in this organization, notify your supervisor or theOffice of the Chief information Officer (CIO).

You may not loan or give to anyone any software licensed to this organization.

The licenses for some of this organization’s software permit employees of the organization to make a copyof the software for home use.The CIO may approve such use by employees that can demonstrate a need toconduct the organization’s business from their homes. Under no circumstances, however, may an employeeuse the organization’s software for purposes other than the business of this organization.

No employee may use or distribute personally-owned software on the organization’s computers or networks.Such software threatens the integrity and security of the organization’s computers and networks.

A variety of software is available on the Internet. Some of this software, called “freeware” or “shareware,” isavailable free of charge for limited use and may be downloaded to your computer with the prior writtenapproval of your supervisor. Other software available on the Internet and from other electronic sources,however, requires the user to obtain a license for its use, sometimes for a fee. No employee shall downloadsuch software to his or her computer without the prior written approval of the CIO.

Part 2. The Software Asset Management Process[Organization] is committed to managing its software assets for maximum benefit to the organization and itsemployees.The process consists of three areas of focus: (1) Creating an environment in which the processwill succeed, (2) Reviewing the software assets residing on the organization’s computers, and (3) Acting to


27

correct breaches in policy and the law, keep the Policy and its procedures current, and prevent futurebreaches.

[Organization] will strive to create an environment for success by communicating this policy; educatingemployees about their responsibilities; training employees in the software supported by this organization;identifying and modifying as necessary the software employees need to fulfill their job responsibilities; estab-lishing a secure repository for original storage media, software licenses, and software documentation; andrequiring that all software be procured through official and clearly defined procedures.

As part of this organization’s software management process, the CIO shall conduct periodic, random reviewsof all organization computers and networks to determine the software resident on such systems andwhether the organization has the appropriate licenses for all such software.The CIO also shall conduct peri-odic, planned reviews, in which the CIO may ask you to complete a Software User Survey.This Survey willbe used to determine your existing and future use and need of particular software programs.Your coopera-tion with all reviews and Software User Surveys is greatly appreciated.The CIO will endeavor to conduct itswork with the least possible disruption of your workday.

You may be held responsible for the existence of any software on your computer for which the organizationlacks the appropriate licenses. Consequences for such unauthorized use of software range from a reprimandfor minor offenses to termination of employment for repeated, willful offenses.

Part 3. Software Procurement and Installation ProceduresAll requests for software and software upgrades shall be submitted to the Office of the Chief InformationOfficer (CIO), where possible.

Any software and software upgrades not acquired by the CIO shall be documented and identifiedto the CIO, who will verify that the Agency has an appropriate license for the use of such software.

All acquisitions of hardware that include bundled software shall be documented and identified to the CIO,who will verify that the Agency has an appropriate license for the use of such bundled software.

The CIO shall store in a secure, central location all original software licenses, disks, CD-Roms, and documen-tation upon receipt of all new software, including copies of completed registration cards.

The CIO shall designate those employees authorized to install software on the organization’s computers.

No employee shall install or distribute software for which this organization lacks the appropriate license.

No employee shall install any software upgrade on a computer that does not already have resident on it the


28

original version of the software.The CIO or designated employee shall destroy the original version’s backupcopy of the upgraded software in its place.

The CIO or designated employees shall destroy all copies of software that is obsolete or for which the orga-nization lacks the appropriate license.Alternatively, the CIO may obtain the license(s) necessary to maintainunauthorized software on organization computers.

The organization’s department with procurement responsibility must establish and maintain a recordkeep-ing system for software licenses, hardware, original CD-ROMs and diskettes, user information, and reviewinformation. Maintain this information in a secure, central location. Consider the use of software manage-ment computer programs to automate such recordkeeping.

*************

The organization is commited to communicating this Policy with its employees. The organization will:■ Include the Policy Statement in the employee handbook. Distribute the updated handbook to all employees.■ Train new employees during their initial orientation on how to comply with the Policy.■ Hold seminars on the Software Policy for existing employees to inform them of the types of software

licenses, how to detect and prevent piracy, how to implement the Software Policy, and consequences ofviolating the Policy and relevant law.

■ Require new and existing employees whose responsibilities include the installation, maintenance, or over-sight of information technology systems to acknowledge and sign the Software Policy Statement.

■ Circulate reminders of the Policy on a regular basis (at least annually) or remind employees of the Policyin other ways (at least annually), for example, through notices in agency newsletters.

■ Inform employees where they can get additional information on the Policy and software theft prevention.

If you have any questions concerning this Policy or your obligations under it, you may direst them to eitheryou supervisor or the CIO (provide phone numbers, office locations, and e-mail addresses).

EMPLOYEE ACKNOWLEDGMENT OF UNDERSTANDING AND RESPONSIBILITY:

__________________________________________Printed Employee Name

__________________________________________ __________________________________________Employee Signature Date


29

30

31

32

EXHIBIT F-1COMPREHENSIVE INSPECTION IN A DOS® ENVIRONMENT

1. Boot machine to be examined.

2..At the DOS prompt, type “VER” and hit ENTER.

3. This command displays the current DOS version information. Record and compare with knowndepartmental standards.

4.. Set the system path to the DOS subdirectory by entering the command “PATH=C:\DOS” and hitting ENTER.

5. Enter the command “FDISK” and hit ENTER.This will start a program that examines a system’s hard drive forpartition information.

6. Select the choice from FDISK’s menu that displays current partition information. If a single partition isshown of type DOS, then this represents drive “C” of your system. If multiple partitions are displayed, theneach partition represents an area of storage that will have to be examined.

7. Inspect the drive partition information for non-standard partition information. If partition information is dis-played of a non-standard nature, then make a note that the system may have another operating systeminstalled other than DOS.

8. After viewing disk partition information, exit FDISK by hitting ESC and following instructions echoed to thescreen.

9. Change your file system default to the first partition by entering the drive letter followed by a colon and hit-ting ENTER. On most computers, this would be accomplished by entering the command “C:” and hittingENTER.

10. Go to the root directory of the drive partition by entering the command “CD\” and hitting ENTER.

11..At the ROOT directory of the drive partition you are inspecting, look for installed software applications byfinding their main system executable files. Entering “DIR *.EXE /S | MORE” displays the files on-screen. Thefiles can be printed by entering the command “DIR *.EXE /S >PRN” to send a list of these files and the subdi-rectories where they are located to a local printer attached to LPT1, the first parallel printer port. If a printer isnot connected to the computer, then save the directory information as a file on a floppy disk for later inspec-tion.This is accomplished by entering the command “DIR *.EXE /S >A:filespec” where filespec is an 8-charac-ter filename assigned by the user.


33

12. Compare the subdirectory names and contained executable files (*.EXE files) to those of known names,creation time, creation date, and file size [This information should be found in the organization’s list of autho-rized and supported software.]. If executable files other than departmental standards are encountered, thenthese applications will have to be further scrutinized for legality.

13.. Invoke each application and inspect for licensing information.This is accomplished by navigating to thesubdirectory listed and typing in the name of the executable and then hitting ENTER. For example, to inspecta program named 123.EXE in a subdirectory named LOTUS enter the following:“CD\LOTUS” and then hitENTER. Next type “123” and hit ENTER. Upon loading, the program should display software-licensing informa-tion such as Serial Number, Registered Username, and Registered Company Name. Note this information,record it, and compare it later with the list of authorized and supported software and licenses. If the informa-tion is blank or lists another company’s name, then assume the software is either illegal or improperly regis-tered.

14.. Once all subdirectories containing executable files have been scrutinized, return to the root directory byentering the command “CD\” and then hitting ENTER.At the root’s DOS prompt, enter the command “ATTRIB*.* /P” and hit enter.This will display all file and directory information. Look for subdirectories showing theattribute “H” as this denotes hidden subdirectories. If found, note these subdirectory names. Once noted, visitthese hidden subdirectories by first making them visible.This is accomplished using the command “ATTRIBfilespec -H” where filespec is the subdirectory name.

15.. Change your path to these subdirectories by entering the command “CD\filespec” where filespec is thesubdirectory name. Next enter the command “DIR *.EXE” to display executable files. If displayed, invoke thelargest *.EXE file by typing the filename and hitting ENTER.

16.. If an application starts, note all information concerning the name of the application and all registrationinformation displayed to the screen. Compare later with the list of known organization standards and registra-tion information.

EXHIBIT F-2. USER LEVEL INSTRUCTIONS AND MANUAL INSPECTION IN A DOS ENVIRONMENT

1. Boot machine to be examined.

2. At the DOS prompt, type “VER” and hit ENTER.

3. This command displays the current DOS version information. Record and compare with known organiza-tion standards.


34

4. Go to the root directory of the drive partition by entering the command “CD\” and hitting ENTER.

5. At the ROOT directory of the drive partition you are inspecting, look for installed software applications byfinding their main system executable files.This is accomplished by entering the command “DIR *.EXE /S>PRN” to send a list of these files and the subdirectories where they are located to a local printer attached toLPT1, the first parallel printer port. If a printer is not connected to the computer, then save the directoryinformation as a file on a floppy disk for later inspection.This is accomplished by entering the command “DIR*.EXE /S >A:filespec” where filespec is an 8-character filename assigned by the user. Entering “DIR *.EXE /S |MORE” displays the files on-screen.

6. Compare the subdirectory names and contained executable files (*.EXE files) to those of known name, cre-ation time, creation date, and file size. [See the list of authorized and supported software.] If executable filesother than those authorized are encountered, then these applications will have to be further scrutinized forlegality.

7. Invoke each application and inspect for licensing information.This is accomplished by navigating to thesubdirectory listed and typing in the name of the executable and then hitting ENTER. For example, to inspecta program named 123.EXE in a subdirectory named LOTUS enter the following:“CD\LOTUS” and then hitENTER. Next type “123” and hit ENTER. Upon loading, the program should display software-licensing informa-tion such as Serial Number, Registered Username, and Registered Company Name. Note this information andrecord manually. If the information is blank or lists another company’s name, then assume the software iseither illegal or improperly registered.

EXHIBIT F-3. USER-LEVEL INSTRUCTIONS AND AUTOMATED INSPECTION IN DOS ENVIRONMENT

PHASE 11. Prepare an inspection diskette by creating a bootable floppy.This is accomplished by inserting a blank diskin drive A, setting the system path to the DOS subdirectory by typing “PATH=C:\DOS” and hitting ENTER.Then type the command “FORMAT A:/S” and hit ENTER.

2. Once completed, create the file “AUTOEXEC.BAT” by typing the following commands at the DOS:COPY CON A:AUTOEXEC.BATC:CD\DIR *.EXE /S >SOFTLIST.TXTCLSECHO PROCESS COMPLETED!

3. Place and end-of-file marker at this point by hitting the F6 key, which displays a Control-Z to the screen.


35

Upon hitting ENTER, the file is created on the floppy.

4. Boot machine to be examined with the examination floppy in Drive A.

5. Once the PROCESS COMPLETED message is displayed,At the DOS prompt, type “VER” and hit ENTER.Thiscommand displays the current DOS version information. Record and compare with known departmentalstandards.

6. Route the floppy clearly labeled with information identifying the computer it came from to a centralizedtechnical resource familiar with software identification.

PHASE 2To be completed by a technician familiar with software identification.

1. Copy the file SOFTLIST.TXT from each user’s floppy to a centralized directory by using the command“COPY A:SOFTLIST.TXT C:filespec” and hitting ENTER, where filespec is a unique filename in a meaningfulformat identifying the computer inspected.

2. Using visual inspection or automated means, compare the names and subdirectory locations of executablefiles found on each computer with a known list of files reflecting departmental standards. Investigate fur-ther or report those files of unknown or suspicious nature.

3. If no departmental standards exist, then every machine will later have to be visited by a technician andeach application represented by executables in subdirectories will have to be manually invoked and inspect-ed for licensing information.This is accomplished by navigating to the subdirectory listed and typing in thename of the executable and then hitting ENTER. For example, to inspect a program named 123.EXE in asubdirectory named LOTUS enter the following: “CD\LOTUS” and then hit ENTER. Next type “123” and hitENTER. Upon loading, the program should display software-licensing information such as Serial Number,Registered Username, Registered and Company Name. Note this information and record manually. If theinformation is blank or lists another company’s name, then assume the software is either illegal or improper-ly registered.


36

EXHIBIT G. WINDOWS® COMMANDS TO INVENTORY SOFTWARE

The best way to produce a complete listing of installed software is to use an auditing tool, such as the BSA’sversion of the software GASP (available at http://www.bsa.org/usa/freetools/gasp/). Using such an auditingprogram not only saves time, but also ensures that every nook and cranny of a computer is checked.

Even without a program such as GASP, it is relatively easy to check what is installed on a given computer.

Steps to inventory software are provided in the following order: 1) identifying the operating system; 2) identi-fying applications using the Programs option; 3) identifying applications more thoroughly using the Findoption; 4) other methods for identifying applications; and 5) identifying fonts.

1. Identifying Operating System Information

1.1 Information on the Windows operating system can be obtained by clicking on the Start button, going toSettings, and then clicking on Control Panel. Once in the Control Panel, double click on the System icon toview the licensing information and product numbers. Record this information.

2. Identifying Applications Using the Programs Option

2.1 You can obtain a listing of programs that can be run on the computer by clicking on the Start button in thelower left corner of the screen and then going to the Programs option. If networked, some of the programs onthe menu might be running on your server(s).

2.2 Double click on one of the programs.

2.3 Once in program, click on the Help pull down menu.There you will find an option referencing “About________ (program name).” Select that option.

2.4 This screen will tell you the application that is running with any supplied Service Packs that have beeninstalled. It also provides licensing information: to whom the application is licensed, the company to which theapplication is licensed, and the Product ID/Serial Number. Record this information.

2.5 This procedure will work for almost all Windows-based software.A more thorough search, however, can beperformed that would identify any applications that are not listed by using the Programs option. To performthe more comprehensive search, follow the steps below.


37

3. Identifying Applications Using the Find Option

3.1 Click on the Start button in the lower left corner of the screen, go to Find, and then click on Find Filesor Folders.

3.2 Click on the Advanced tab and select Application from the pull down menu for the type of file to befound on the “Of type” line. The search can be limited by seeking applications of a minimum size by select-ing “at least” from the pull down menu on the “Size is” line and specifying applications greater than a certainsize (perhaps 1,000 K).

3.3 For the list of files shown, double click on each file to open it, and then go to the Help pull down menuand select the option “About ________ (program name) to determine licensing information. Record thisinformation.

4. Other Methods for Identifying Applications

4.1 Information on applications installed on a hard drive can also be found through the Control Panel’s Addand Remove Programs function and Windows Explorer. The Control Panel can be accessed by clicking onthe Start button, going to Settings, and then clicking on Control Panel. Once in the Control Panel, doubleclick on the Add and Remove Programs icon to view a listing of installed programs.

Explorer can be accessed by clicking on the Start button, going to Programs, and clickingon Windows Explorer.

5. Identifying Font Information

5.1 Fonts can be found in one of two ways: 1) by running Adobe® Type Manager® and viewing installedfonts, or 2) by using the Find feature to search for Type1 fonts which have the extension “*.pfb.”

5.2 To use Adobe Type Manager to identify installed fonts, click on the Start button in the lower left cornerof the screen, go to Programs, then click on Adobe, and then select Adobe Type Manager.

5.3 Once in Adobe Type Manager, click on Font List to view the installed fonts.

5.4 To use the Find feature, click on the Start button in the lower left corner of the screen, go to Find, andthen click on File.

5.5 Then search for “*.pf?” to find PostScript Type 1 outline (and related metrics) files.


38

EXHIBIT H. MACINTOSH® COMMANDS TO INVENTORY SOFTWARE

The best way to produce a complete listing of software installed on an Apple® Macintosh® computer is touse an auditing tool,such as the BSA’s version of GASP for Mac (available at http://www.bsa.org/usa/freetools/gasp/).Using such an auditing program not only saves time, but also ensures that every nook and cranny of a com-puter is checked.

Even without a program such as MacScan, it is relatively easy to check what is installed on a given Macintosh®

computer.

Steps to inventory software on Macintosh computers are provided in the following order: 1) identifying theMacintosh operating system (Mac® OS); 2) identifying applications on Macintosh computers, including thosewith older Mac OS versions; 3) identifying applications using the Apple System Profiler on newer Mac OSversions (For newer Macintosh computers, this is likely to be an easier method and should be tried first);and 4) identifying fonts.

1. Identifying the Macintosh Operating System (Mac OS)

1.1 Information on the Macintosh operating system (Mac OS) can be obtained by clicking on the pull downApple menu (the small apple symbol in the upper left-hand corner) and clicking on About This Computer.Record this information.

2. Identifying Applications (including computers with older Mac OS versions)

2.1 To obtain information on applications used on a Macintosh computer, follow the steps described belowto search in the Preferences and Extensions folders. Each method should identify files related to major soft-ware programs, and used together, files related to all or nearly all application programs should be identified.

2.2 To view the list of programs in the Preferences folder, double click on the hard drive icon, then doubleclick on the System folder, and finally double click on the Preferences folder.This should provide a list ofmany files related to major software programs on the hard drive. Opening each program, clicking on the pulldown Apple menu (the small apple symbol in the upper left-hand corner), and selecting the About optionmay provide additional information about each program.

2.3 To view the list of programs in the Extensions folder, double click on the hard drive icon, then doubleclick on the System folder, and finally double click on the Extensions folder.This should provide a list ofmany files related to major software programs on the hard drive. Opening each program, clicking on the pulldown Apple menu (the small Apple symbol in the upper left-hand corner), and selecting the About optionmay provide additional information about each program.


39

2.4 Additionally, application programs can be identified using the Find function.To do this, click on the pulldown File menu and select Find. Once in Find, many, but perhaps not all, applications can be identified bysearching for files whose “kind is”“application” or “control panel.” Application files can also be identifiedusing the Find function by searching by the name of the software publisher (e.g.Autodesk®, or Novell®) orby the name of the application (e.g. Norton Utilities®). Finally, you might check to see if the user has a fold-er labeled Applications on his or her hard disk. While programs may reside most anywhere on a hard drive,many programs install themselves in this folder by default.

3. Identifying Applications Using Apple System Profiler

3.1 For new Macintosh computers, a utility called Apple System Profiler can be easily used to identifyinstalled software applications. To launch it, select it from the Apple menu in the upper-left corner of thescreen. Once the Apple System Profiler Application has launched, click on the Applications tab. After a fewmoments (while the necessary information is gathered), an alphabetical list of every application installed onthe Macintosh will be displayed. Clicking on the names of programs will usually reveal more information.

3.2 To print this list, choose Print... from the File menu. Two factors to keep in mind in evaluating the con-tents of the applications listing: many software packages install multiple separate applications, while otherapplications are part of the Mac OS itself. Thus, in all likelihood, you will not be able to match each applica-tion listed to an individual software license or serial number.

3.3 Next, click on the Control Panels tab in the Apple System Profiler, and you will see a similar list of all theControl Panels installed on the computer and whether Apple provided them. Most (but not all) Apple con-trol panels are part of the Mac OS and do not require a separate license.

4. Identifying Fonts

4.1 One final place to check is the Fonts folder inside the System folder. Fonts are small computer pro-grams in and of themselves, are usually copyrighted, and their use is subject to specific license agreement.Fonts installed on a given computer are usually placed in the Fonts folder, and it is prudent to check that allthe fonts there are properly licensed for use on that particular machine. Note that fonts are often legiti-mately installed along with the Mac OS and various application packages, and so may not come with theirown separate licenses. One easy way to get copyright information on a given font: select it with the mousein the Macintosh Finder™ and then choose Get Info from the File menu.


©

©

©

40

United States1150 18th Street, NWSuite 700Washington, DC 20036phone: 202.872.5500fax: 202.872.5501anti-piracy hotline: 1.888.NO PIRACYe-mail: [email protected]

Asia300 Beach Road#32-07 The ConcourseSingapore 199555phone: 65.292.2072fax: 65.292.6369

Europe79 KnightsbridgeLondon SW1X 7RBEngland, United Kingdomphone: 44.207.245.0304fax: 44.207.245.0310

oftware asset

management is simply a set of tech-

niques designed and implemented to

obtain the potential benefit of

investments in software, and reduce

the risk of exposure to and use of

illegal software. You can accom-

plish these goals if you focus on

creating a workplace environment

receptive to the management

process, commit to regularly taking

inventory of your software and its

use, and demonstrate that actions

have consequences.

For further assistance, contact the

Business Software Alliance (BSA)

at 1-888-NO-PIRACY or visit its

Web site: www.bsa.org

Since 1988, BSA has been the voice

of the world s leading software

companies before governments and

with consumers in the international

marketplace. BSA initiatives

include educating computer users

on software copyrights and assisting

governments and businesses estab-

lish effective software management

programs.

BSA grants permission to reproduce

this guide and encourages you to

distribute it widely within your

organization. Copies may also be

obtained via its Web site:

www.bsa.org.

©S


BSA Members

Adobe Systems Incorporatedwww.adobe.com

Apple Computer, Inc.www.apple.com

Autodesk, Inc.www.autodesk.com

Bentley Systems, Inc.www.bentley.com

Borland Software Corporationwww.borland.com

CNC Software / Mastercamwww.mastercam.com

Compaq Computer Corporationwww.compaq.com

Dellwww.dell.com

Entrustwww.entrust.com

IBM Corporationwww.ibm.com

Intel Corporationwww.intel.com

Intuit Inc.www.intuit.com

Macromedia, Inc.www.macromedia.com

Microsoft Corporationwww.microsoft.com

Network Associates, Inc.www.nai.com

Novell, Inc.www.novell.com

Sybase, Inc.www.sybase.com

Symantec Corporationwww.symantec.com

Unigraphics Solutions (an EDS Company)www.eds.com

COVER [u.s.]-3 '02 7/18/02 3:27 PM Page 3

COVER [u.s.]-3 '02 7/18/02 3:27 PM Page 4

C72 b329d6f7e4b46a7467de0151210a1.ashx

Technology

parallel printer

small apple

lower left

pay special

apple system

local printer

macintosh

intellectual