Software is an asset and, like all assets, must be managed. Unfortunately, software is purchased out of a sense of necessity and then forgotten, due to its intangible form. When forgotten, it can just grow
ISO19770 specifically addresses the issues related to software asset management (SAM), and organizations can get their SAM programs certified once the required controls and processes are implemented. Implementing a SAM program requires a special approach that includes technology and process assessments using automated tools. It demands relevant policies and procedures, supported by tools, and ongoing management of the program. Given below are five critical steps for a smooth SAM implementation.
To start with, get visibility into the current state by carrying out a discovery exercise. This includes activities such as:
- Obtaining a complete inventory of software assets from the organization's purchase history.
- Identifying the license terms for these assets.
- Identifying current status of software -- number of installations, number of active users, installed versions, updates and patches, availability of vendor support and maintenance.
- Carrying out a physical inventory of all computers, across the organization, listing installed software with details about license number, version, updates and patches.
Following this, analyze the software inventory information to reconcile purchases with the installed software -- licenses, number of users and locations. This will show the gaps in software asset utilization (whether the inventory is over- or underutilized) and bring visibility into rogue users and installations, expired trialware, etc.
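The reconciliation step above is, in practice, a comparison of two data sets: what the purchase history says the organization is entitled to, and what the discovery exercise found installed. The script below is an added example, not code from the original article; it works on constructed entitlement and inventory data embedded inline, and it assumes that licenses are simple per-seat counts matched on product name (real license terms, such as per-core or per-user metrics and downgrade rights, would need their own matching rules). It flags over-deployment, underutilization (including shelfware with no installs at all), installations with no entitlement, expired trial licenses, and installations that have not been used within an idle window, and it totals the unused seats that feed the metrics tracked later in the program.

```python
"""Reconcile software entitlements against discovered installations.

Added example with constructed data. Matching is by product name only
(an assumption); per-seat counts are treated as the license metric.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Entitlement:
    product: str
    seats: int
    expires: Optional[date] = None  # None means a perpetual license


@dataclass(frozen=True)
class Installation:
    host: str
    product: str
    version: str
    last_used: Optional[date]       # None means never observed running


# Constructed purchase history: what the organization is entitled to.
ENTITLEMENTS = [
    Entitlement("AcmeOffice", seats=50),
    Entitlement("DrawPro", seats=5),
    Entitlement("TrialEditor", seats=10, expires=date(2012, 6, 30)),
    Entitlement("ArchiveTool", seats=20),   # bought, never installed (shelfware)
]

# Constructed discovery output: what a scan found on each host.
INVENTORY = [
    Installation("ws-001", "AcmeOffice", "2010", date(2012, 7, 30)),
    Installation("ws-002", "AcmeOffice", "2010", date(2012, 7, 28)),
    Installation("ws-003", "AcmeOffice", "2007", None),            # never launched
    *[Installation(f"ws-{n:03d}", "DrawPro", "4.1", date(2012, 7, 1))
      for n in range(10, 16)],                                    # six installs
    Installation("ws-016", "DrawPro", "3.0", date(2011, 12, 1)),  # seventh, idle
    Installation("ws-020", "TrialEditor", "1.0", date(2012, 7, 15)),
    Installation("ws-021", "TrialEditor", "1.0", date(2012, 7, 20)),
    Installation("ws-030", "ScreenGrabber", "2.2", date(2012, 7, 31)),  # no entitlement
]

TODAY = date(2012, 8, 1)  # fixed "as of" date so the example is reproducible


def reconcile(entitlements, inventory, today, idle_days=90):
    """Compare entitlements with installations and return a findings report."""
    by_product = {e.product: e for e in entitlements}
    install_counts = Counter(i.product for i in inventory)
    report = {
        "over_deployed": {},    # product -> seats in excess of entitlement
        "under_utilized": {},   # product -> entitled seats not deployed
        "unauthorized": [],     # installed products with no entitlement at all
        "expired": [],          # installed products whose license has lapsed
        "idle_installs": [],    # (host, product) not used within idle_days
    }
    for product, count in sorted(install_counts.items()):
        ent = by_product.get(product)
        if ent is None:
            report["unauthorized"].append(product)
            continue
        if ent.expires is not None and ent.expires < today:
            # A lapsed license has no valid seats; renewal or removal is needed.
            report["expired"].append(product)
            continue
        if count > ent.seats:
            report["over_deployed"][product] = count - ent.seats
        elif count < ent.seats:
            report["under_utilized"][product] = ent.seats - count
    # Entitlements with no installations at all are pure shelfware.
    for ent in entitlements:
        if ent.product not in install_counts:
            report["under_utilized"][ent.product] = ent.seats
    # Installed but not used recently: candidates for license recovery.
    for inst in inventory:
        if inst.last_used is None or (today - inst.last_used).days > idle_days:
            report["idle_installs"].append((inst.host, inst.product))
    return report


def unused_license_count(report):
    """Total entitled seats not in use: a headline metric for the SAM program."""
    return sum(report["under_utilized"].values())


if __name__ == "__main__":
    findings = reconcile(ENTITLEMENTS, INVENTORY, TODAY)
    for category, value in findings.items():
        print(f"{category}: {value}")
    print("unused licenses:", unused_license_count(findings))
```

The idle window and the expiry rule are deliberately separate findings: an idle install on an over-deployed product is a license to recover, while an install of an expired trial is a compliance exposure regardless of how often it is used.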
The next step is to remediate the issues that have been discovered:
- Create and deploy SAM-related policies and procedures for continuous management
- Recover unused licenses, or deploy additional licenses in case of overuse
- Ensure compliance with license terms (number of users, processors, etc.) and establish a monitoring program
Implementing a SAM program helps manage software assets while keeping non-compliance and mismanagement issues, such as litigation and penalties, at bay.
A SAM program rollout provides visibility in terms of:
- Software installed across the organization
- Validity of the licenses and effectiveness of their deployment
- Level and appropriateness of use of licensed and free software
- Suboptimal utilization of software licenses
- Unauthorized software installations
SAM offers benefits such as management of the investment in software assets, compliance with complex software licensing terms and protection from anti-piracy litigation, protection from unintentional overuse of licenses, control over enterprise-wide systems to prevent installation of rogue software or malware, and enhanced security through proactive management of versions, patches, and updates.
- Review and enforce vendor / OEM license obligations, maintenance / support SLAs.
- Update installed versions with latest updates, patches, service packs and security settings.
- Retire old software versions.
- Confirm backups of old versions, patches, etc.
- Uninstall unauthorized software.
- Enforce system-level policies (user / admin) through deployment of network monitoring systems.
Install automated systems to monitor the network and continuously pull the information necessary to manage software assets across the organization. If this is not done diligently, the earlier efforts are bound to fail, since data and system sprawl is not easy to contain.
Tracking the metrics
Finally, track the metrics and identify tangible ROI. This involves focusing on aspects such as number of unused licenses, better pricing for future purchases based on compliance assurance to vendors, savings in purchases due to precise knowledge of user requirements, etc.
With these steps you can implement your SAM program smoothly, which, in turn, will eliminate non-compliance concerns and assure savings on software assets. A well-designed and implemented SAM program will provide early ROI to an organization and protect against strict anti-piracy laws.
About the author: Dinesh Bareja, CISA, CISM, ITIL, is an information security consultant specializing in strategic and customized IS solutions, MSS, SOCs, PCI, ISMS, ITSM, and more. He is involved in training and conducts regular online mentoring sessions. Bareja also maintains thefaqproject.com for InfoSec certifications.
This was first published in August 2012