Welcome back! Following on from my previous post, here are my next top tips for Software Asset Management.
Tip 3: Read the EULA!
The EULA, or End User License Agreement is that little box that pops up as you are installing a shiny new program or app. It looks something like this.
Hands up here who reads it? *Looks guilty* Hands up who just hits accept and hopes for the best?
The second option simply isn’t acceptable any more. Read and understand the EULA before signing your life away. If it’s a nightmare to understand complicated, ask someone from your Legal team to look at it and translate it in to plain English, then add it to your SAM database or CMS for all to see.
Tip 4: Watch the edges!
Otherwise known as know and understand the scope of your SAM process and how it links to its supporting players. Remember, you can’t operate in your own little bubble, you need support from other processes.
Licenses bought for one environment don’t necessarily cover others in your organisation, for example test or DR. Check the T&Cs and know what to do if the license isn’t transferable. An example could be, have a step in your process to engage with Change and Release Management to put quality gates in place to ensure test software doesn’t get deployed into a production environment by mistake.
Know your process contact points to ensure you’re not working in your own little bubble or silo. Work with your Service Desk to ensure all software requests are processed centrally via a defined Request Fulfilment process. Work with the Purchasing / Procurement teams to ensure an audit trail exists for requests to retirement / disposal.
Work with IT Security to ensure your policies are in sync. Again, let’s not re-invent the wheel – does SAM need its own policy, or can it be made part of the overall IT Security Management policy? Your Security Manager will be a good source of knowledge and support for your SAM process. IT Security Management will provide practical guidance on how to enforce your SAM policy and will support you in your audit activities. Establish a good relationship with your IT Security Manager as they will be there to help you if you find something you shouldn’t!
The Configuration Management manager will support the SAM process and provide you with relevant information from the CMS. If your SAM Database and CMS are separate databases then you need to establish a process for sharing information so that you can ensure the relationship between licensed software and the hardware it is installed on remains correct and up to date.
Tip 5: Work with Change Management
Make friends with your Change Manager because Change Management is the process that protects the company. They are the gatekeepers to the live environment if you like. If you don’t attend CAB, get invited and turn up!
Review the FSC in advance so that you are prepared to ask questions about the licensing implications of software Changes. It is important to note that some hardware Changes can also have licensing implications as some software is licensed by CPU usage.
Questions to ask at CAB could include:
- What version of the software is being installed?
- Have we checked the CMS / SAM database / with the Procurement team that we have the appropriate number of licences?
- Who is the software being deployed to?
- Are there any dependencies?
- Are there any hardware requirements?
Tip 6: Know how you will respond to an audit
First, what not to do! Don’t panic or run screaming from the building! Define the process for audits in your SAM procedures. Build up a bank of templates for things like response e-mails, meeting requests and communications.
Ensure only authorised personnel with the appropriate training talk to software vendors / external auditors to prevent any confusion.
Run a “practice” audit first with support from other departments / teams. If you have an internal audit department use them! That way, if you have missed something, you can put it right immediately.
Ensure that all your process & procedure documentation is up to date, been reviewed recently and is in a central location. Ensure that everyone knows where to go for the documentation and for any questions.
Make everyone aware that an audit is going on. Prior to the start of the audit, it is useful to communicate the nature of the audit, what to do if asked a question and who to refer the auditor to if you don’t know or are unsure.
Tip 7: Software installation is a key control point
Ensure software is installed from a central, authorised source. Use a DML if possible to ensure that the correct software is deployed to the right person and that the correct licensing is in place. Another reason for using a DML is if support teams are using their own media (disks / CDs / USB keys) to install software, mistakes could be made or the correct software or update may not be installed. Also from an audit perspective, installation disks and CDs scattered away and not linked to a DML or secure safe is a major red flag. When accepting delivery of new software, make sure it is delivered to a control point and not to the end users.
Your techies will be your key allies in the fight against unauthorised software. They will support SAM at the point of installation ensuring that only authorised, appropriately licensed software is installed on the PC estate and that end user PCs are locked down appropriately. Techies are your friends so treat them well and ensure that as part of your SAM process, you hand them any new licence keys / installation instructions.
Tip 8: It’s good to talk
SAM gets better the more people are involved. One of my favourite measures of success is if everyone in an organisation accepts it as part of their day job; from end users understanding the basic dos and don’ts at induction to the SAM team running the process.
End users will need to understand that they cannot install software at will. There must be a solid Service Request process to ensure a quick turnaround, prevent unnecessary delays and to prevent your Service Desk from becoming overloaded. Ensure that your SAM process has strong touch points and communication with the Request Fulfilment process. Consider creating models for frequently requested software.
Don’t forget about Outsourcers or Managed Service partners. By using supporting organisations with a proven track record in SAM processes, you can reduce your risk of being under licensed. It is important to note that while you can outsource your SAP process, you cannot transfer your accountability, a major disadvantage of outsourcing.
Ensure you incentivise your partners accordingly. Some outsourcing organisations charge by number of assets in your estate so there is no incentive to retire unused software!
Tip 9: Asking for help
The key message here is that you are not alone. There are a set of standards and frameworks you can use to guide you and organisation that will provide advice and guidance.
Useful standards and frameworks for SAM include:
- ISO/IEC 19770
- ISO/IEC 20000
ITIL is a global framework for IT Service Management. It provides guidance for SAM including:
- Potential issues
- The SAM business case
- Organisation, roles & responsibilities
- Process & procedures
- Implementation guidelines
- Tools & technology
- Working with internal & external stakeholders
ISO/IEC 19770 is the international standard for SAM and consists of three main parts:
- ISO/IEC 19770-1 is a process framework to enable an organization to prove that it is performing SAM to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall.
- ISO/IEC 19770-2 provides a SAM data standard for software identification tags.
- ISO/IEC 19770-3 will provide a SAM data standard for software licensing entitlement tags.
For more information on ISO/IEC 19770 check out this article written by ITAM Review’s very own Martin Thompson.
COBIT is a comprehensive framework to achieve governance and management objectives for enterprise IT. COBIT can be used to link strategic enterprise goals back to the day job via processes and procedures. The following COBIT processes could be used to map the maturity of your SAM processes:
- ME3 Monitor compliance with external regulations
- DS2 Manage third party services
- DS9 Manage the configuration
- PO5 Manage the IT investments
- AI6 Manage changes
- AI7 Install & accredit solutions & changes
One of the most useful things about COBIT is that it includes a maturity framework that you can use to understand where you are in your SAN journey, The matrix goes from 0 (non existent) to 5 (optimised). ISO/IEC 20000 is the international standard for IT Service Management and provide set standards for the supporting players of SAM.
The above standards and frameworks compliment each other and I like to think of them as follows: The ISO standards tell you what you must do and what proof is needed, ITIL tells you how to do it and COBIT tells you how good you are.
Useful organisations for advise, resources and templates include:
- The itSMF
The itSMF is a global organisation that promotes IT Service Management best practice. The UK chapter has a Special Interest Group (SIG) dedicated to Service Transition & SAM called the Transition Mgt SIG. The Irish chapter has recently hosted a conference on governance and SAM – you can check out the SAM presentation here.
ISACA provides practical guidance, benchmarks and other effective tools for all enterprises that use information systems and is the owner of the COBIT framework. Like the itSMF, they have local chapters that provide help, support and training.
FAST is the Federation Against Software Theft. They champion the professional management of software and provide support and guidance of software licensing. One of the aims of FAST is to improve the licensing and cost management process for software users. To this end, the Software Industry Research Board (SIRB) was set up in 2008 to promote best practices around software & license management.
Tip 10: Trust yourself
Your SAM process will improve and mature over time. Build in CSI checks into your SAM process so that you can build in improvements at the operational, tactical and strategic levels. In the words of Walt Disney ““Around here, however, we don’t look backwards for very long. We keep moving forward, opening up new doors and doing new things, because we’re curious…and curiosity keeps leading us down new paths.”
Ensure that your metrics map all the way back to your process goals via KPIs and CSFs so that when you measure SAM performance you get clear tangible results rather than a confused set of metrics that no one ever reads let alone takes into account when reviewing operational performance.
As your process matures, look to other frameworks such as Agile and Lean to make efficiency savings. The quicker and easier your process is to use, the more people will use it and the safer your organisation will be!
I’d like to conclude by saying that SAM is a key process for any organisation to meet its legal, financial and reputational duties. The more it is neglected, the higher the risk for the organisation. Once the data has been collected, maintaining it is not difficult as long as you keep on top of it.
The key message is to just keep moving forwards. Communicate how high that risk is to the Board so that you get support & buy in. Develop a strong process, which interlocks with existing processes for Request Fulfilment, Procurement, and Change & Release Management. Get people onside, from your end users requesting the software to the techies that install it to IT Security who will help keep you honest, Centralise your process as much as possible and ensure that you are collecting all the data necessary to provide software license validation.
Finally, do not try to do it all at once. Start small and work your way through all the software licenses relevant to the organisation. Ask for help when needed, trust but verify your data and use the industry standards, frameworks and organisations to keep getting better.