Software licensing audit


A software licensing audit or software compliance audit is an important subset of software asset management and a component of corporate risk management. When a company is unaware of what software is installed and being used on its machines, it can result in multiple layers of exposure. [1]


The primary benefits a corporation receives from performing a software licensing audit are greater control and various forms of cost savings. The audit is used both as an efficiency mechanism to improve software distribution within an organization and as a preventative mechanism to avoid copyright infringement prosecution by software companies. Software licensing audits are an important part of software asset management, but also serve as a method of corporate reputation management by ensuring that the company is operating within legal and ethical guidelines.

Software audits should not be confused with code audits, which are carried out on the source code of a software project.

Challenges

If the auditing company scans the code base on its own, one serious challenge is that licenses change between versions. Some software libraries start with one license and later switch to another. Typical examples are switching from a single permissive license to a dual licensing model (a choice between strong reciprocal or paid commercial), as for iText; switching from a more reciprocal to a more permissive license, as for Qt Extended; and open-sourcing previously commercial code, as for OpenJDK. In such cases it is not enough to detect that some library or code fragment has been used; the exact version used must be correctly identified. Further difficulties may arise if the library owner removes obsolete versions (that were under a different license) from the public sources.
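The version-dependent lookup described above can be sketched as follows. This is an added example, not part of the original article: the library names, license histories, version boundaries and allow-list are all constructed for illustration.

```python
import re

# Constructed license history: (first version under this license, license id).
LICENSE_HISTORY = {
    "examplepdf": [((0,), "MPL-1.1"), ((5,), "AGPL-3.0 OR Commercial")],
    "exampleui": [((0,), "GPL-2.0"), ((4, 5), "LGPL-2.1")],
}
# Hypothetical company policy: licenses accepted without legal review.
ALLOWED = {"MPL-1.1", "LGPL-2.1", "Apache-2.0"}


def parse_version(text):
    """Return a tuple of ints for 'N.N.N'-style versions, else None."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def license_for(name, version_text):
    """Resolve the license that applied to this exact version."""
    history = LICENSE_HISTORY.get(name)
    version = parse_version(version_text)
    if history is None or version is None:
        return None  # cannot be decided without an identified version
    current = None
    for first_version, license_id in history:  # entries sorted ascending
        if version >= first_version:
            current = license_id
    return current


def audit(components):
    """Classify each (name, version) as ok, review, or unidentified."""
    findings = []
    for name, version_text in components:
        lic = license_for(name, version_text)
        if lic is None:
            status = "unidentified"
        elif lic in ALLOWED:
            status = "ok"
        else:
            status = "review"
        findings.append((name, version_text, lic, status))
    return findings


# Constructed scan result; the last entry has no recoverable version.
SAMPLE = [("examplepdf", "2.1.7"), ("examplepdf", "5.0.6"),
          ("exampleui", "4.4"), ("exampleui", "4.5.1"), ("examplepdf", None)]
```

The same library name yields different findings depending on the version, and a component whose version cannot be identified is reported separately rather than being assigned the latest license.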

Some licenses (like the LGPL) have very different conditions for simple linking and for creating derivative works. In such cases a proper audit must take into consideration whether the library has been linked or a derivative work (custom branch) has been created.

Finally, some software packages may internally contain fragments of source code (such as source code of Oracle Java) that may be provided only for reference or carry various other licenses, not necessarily compatible with the internal policies of the company. If the software team does not actually use such fragments (or is not even aware of them), this must be viewed differently from the case where they are directly linked.

All these issues are relatively easy to resolve if the auditing group cooperates with the software team, which normally should know which versions are used and so on. If the software team is not trusted, an incompetent audit may find many "inconsistencies" and "violations" where there are not any.

Software asset management

Software asset management is an organizational process, which is outlined in ISO/IEC 19770-1. It is also now embraced within ISO/IEC 27001:2005 Information Technology - Security Techniques - Information Security Management Systems - Requirements [2] and ISO/IEC 17799:2005 Information Technology - Security Techniques - Code of Practice for Information Security Management. [3]

Software asset management is a comprehensive strategy that has to be addressed from top to bottom in an organization to be effective and to minimize risk. A software compliance audit is an important subset of software asset management and is covered in the above referenced standards. At its simplest it involves the following:

  1. Identification of Software Assets.
  2. Verifying the Software Assets including licenses, usage, and rights.
  3. Identifying gaps that may exist between what exists on the installations, and the licenses possessed, and the rights of usage.
  4. Taking action to close any gaps.
  5. Recording the results in a centralized location with Proof Of Purchase records.

The audit process itself should be a continuing action, and modern SAM software identifies what is installed, where it is installed, its usage, and provides a reconciliation of this discovery against usage. This is a very useful means of controlling software installations and lowering the costs of licensing. Large organizations could not do this without discovery and inventory applications.
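A reconciliation of discovery data against entitlements, covering steps 1 to 4 above, might look like the following. This is an added example, not code from any SAM product: host names, product names, seat counts and purchase references are constructed.

```python
from collections import Counter

# Constructed discovery output: (host, product) pairs from an inventory scan.
INSTALLED = [
    ("ws-01", "ExampleCAD"), ("ws-02", "ExampleCAD"), ("ws-03", "ExampleCAD"),
    ("ws-01", "ExampleOffice"), ("ws-02", "ExampleZip"),
    ("ws-02", "ExampleZip"),  # duplicate scan record for the same host
]
# Constructed entitlement register: product -> (seats owned, proof of purchase).
ENTITLEMENTS = {
    "ExampleCAD": (2, "PO-0001"),
    "ExampleOffice": (1, None),
    "ExampleDB": (3, "PO-0003"),
}


def reconcile(installed, entitlements):
    """Compare discovered installs with owned seats; one row per product."""
    # Count each product once per host, even if the scan lists it twice.
    counts = Counter(product for _host, product in set(installed))
    rows = {}
    for product in sorted(set(counts) | set(entitlements)):
        seats, proof = entitlements.get(product, (0, None))
        used = counts.get(product, 0)
        if product not in entitlements:
            status = "unlicensed"   # installed, no license on record
        elif used > seats:
            status = "shortfall"    # more installs than seats owned
        elif proof is None:
            status = "no-proof"     # license claimed, no purchase record
        elif used < seats:
            status = "surplus"      # paid-for seats not in use
        else:
            status = "compliant"
        rows[product] = {"installed": used, "owned": seats,
                         "gap": used - seats, "status": status}
    return rows


def actions(rows):
    """Products needing action to close a gap (step 4)."""
    return [p for p, r in rows.items() if r["status"] != "compliant"]
```

A positive `gap` is a compliance exposure, while a negative one marks seats that could be redistributed or dropped at renewal.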

From time to time, internal or external (by major accounting firms) audits may take a forensic approach to establish what is installed on the computers in an organization, with the purpose of ensuring that it is all legal and authorized and that the organization's processing of transactions or events is correct. Although an organization may be confronted with a software vendor audit by fair contractual and legal means, it should also know and reserve its crucial rights in an audit situation. [4]

Software audits are a component of corporate risk management, and they certainly minimize the risk of prosecution for copyright infringement due to use of unlicensed software. Most vendors permit the company to settle without prosecution, though in serious cases prosecutions certainly occur. In addition, with a strict software usage policy, the risk of computer viruses is minimized by preventing uncontrolled software copying.

Organizations

Vendors subscribe to organizations such as the Federation Against Software Theft (FAST) and the Business Software Alliance (BSA) as a means of providing an industry approach to control piracy, counterfeiting, and illegal use of software. They publicize campaigns against illegal use of software and reward any employees who notify them of any breaches which result in successful prosecution and/or recovery of license fees.


References

  1. "Software License Management". Dell KACE. Retrieved 2012-07-06.
  2. "ISO/IEC 27001:2005". 2005. Retrieved 2008-03-23.
  3. "ISO/IEC 17799:2005". 2005. Retrieved 2008-03-23.
  4. "Vendor Audit – Top 10 Customer Rights From Announcement To Settlement". OMTCO Operations Management Technology Consulting GmbH. Retrieved 4 June 2013.