by Laura DiDio

Software Compliance Pays, Sooner or Later

Jun 09, 2003 | 4 min read
CSO and CISO | Data and Information Security

Software non-compliance and software piracy have reached epidemic proportions. Anecdotally, 90 percent of organizations are out of compliance to at least some degree, and nearly 50 percent carry a potentially significant licensing non-compliance risk, according to the latest Yankee Group and Sunbelt Software Microsoft Licensing 6.0 Survey. Those respondents described their firms' software non-compliance issues as either “significant” or “severe.”

The overwhelming majority of companies are not deliberately trying to defraud or deprive Microsoft, IBM, Oracle, Sun or any other software vendor of their rightful licensing revenue. Much of the non-compliance in corporate environments is unintentional and occurs because of sloppy or non-existent tracking and enforcement measures.

The chief culprits in non-compliance are as follows:

  • Lack of centralized procurement or sloppy procurement practices.
  • Lack of asset management tracking software.
  • Failure to perform regular software audits. This results in a lack of detailed knowledge of what software packages (and which versions of software) are installed across the enterprise.
  • Failure of the various purchasing officers within a firm to communicate with their peers, leading to over- and under-buying.
  • Bad record keeping (for example, many companies have purchased the licenses but have lost the proofs of purchase).
  • Over-buying certain server licenses but not purchasing enough client access licenses.
  • Failure to comprehend the terms and conditions of the licensing contracts.
  • Many corporations run several versions of the same software package. This causes confusion about expiration dates and usage rights, and leaves some firms unwittingly out of compliance.

But ignorance of the law, or of the legally binding terms and conditions of your licensing contracts, is no excuse for non-compliance. Many enterprises preparing to negotiate new Microsoft licensing contracts over the last 12 months received a nasty surprise when they discovered significant non-compliance issues. Even minimal non-compliance leaves a company open to true-up costs and penalties, and undermines its chances of getting the best deal on new licensing agreements. Beyond the very real risk of vendor-imposed penalties, software non-compliance also raises the risk of security breaches, network downtime and increased operational costs, because a firm that does not know what software it owns usually does not know what software is running on its network either.

Conclusions and Recommendations

Achieving and maintaining compliance on a daily, monthly and yearly basis is a daunting task that requires vigilance. However, the Yankee Group and Sunbelt Software have identified a number of practices that go a long way toward reducing the risk that an audit turns up non-compliance:

  • Centralize procurement. Corporations should designate an employee to supervise and track license purchases. Wherever possible, centralize procurement.
  • Schedule regular self-audits. Quarterly audits are optimal but may not be feasible for over-burdened IT departments; semi-annual (twice-yearly) audits are the next best choice. At the very least, companies should self-audit annually. A self-audit gives you a detailed view of purchasing costs against actual usage, and the resulting inventory makes the network more secure as well.
  • Maintain detailed proofs of purchase and documentation. The single biggest mistake organizations make is sloppiness, which typically takes the form of bad records or no records. IT asset management is 20 percent tools and 80 percent business process. If you cannot prove that you bought or own a license, you may end up paying twice for the same software, plus penalties, because you cannot prove your innocence.
  • Have a disaster recovery or back-up plan in place. This will enable your firm to retrieve your licensing records and other important data in the event of a natural disaster. If your firm is not large enough to store its data offsite, it should at least provide corporate attorneys with copies of all licensing agreements and insist they are stored either at the attorney’s office or in another offsite location such as a bank safety deposit box.
  • Have a corporate policy in place and enforce it. Every company should have a detailed software usage plan that sets forth Dos and Don’ts, and expressly prohibits users from installing unlicensed software or downloading freeware and shareware. The policy should be distributed throughout the organization in both hard copy and e-mail. The policies and procedures should also contain an explicit list of penalties for violating the rules. Finally, your company will have to diligently enforce the policy or it will be meaningless.
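The self-audit recommended above comes down to one reconciliation: compare what is installed with what the purchase records can prove. The script below is an added example, not code from the article or from the Yankee Group/Sunbelt survey. It assumes two constructed inputs, an installed-software inventory (one row per host, product and version, as a login script or agent would collect it) and a license ledger with a proof-of-purchase reference per entry. Product, host and purchase-order names are hypothetical. It flags each of the patterns the article lists: over-deployment (under-buying), surplus seats (over-buying), software with no entitlement at all, and seats that exist on paper but have no proof of purchase.

```python
"""License reconciliation self-audit (added example, not the article's own code).

INVENTORY and LEDGER are constructed sample data; product, host and
purchase-order identifiers are hypothetical.
"""

from collections import Counter
from dataclasses import dataclass

# Constructed inventory: (host, product, version) as collected per machine.
INVENTORY = [
    ("ws-001", "OfficeSuite", "2003"),
    ("ws-002", "OfficeSuite", "2003"),
    ("ws-003", "OfficeSuite", "2003"),
    ("ws-005", "OfficeSuite", "2000"),
    ("ws-006", "PhotoTool", "7"),      # user-installed, never purchased
    ("srv-01", "DBServer", "8"),
    ("srv-02", "DBServer", "8"),       # second server, only one license bought
]

# Constructed ledger: (product, version, seats, proof-of-purchase reference).
# An empty proof field means the seat was bought but the paperwork is lost.
LEDGER = [
    ("OfficeSuite", "2003", 2, "PO-1001"),
    ("OfficeSuite", "2003", 1, ""),        # bought, proof missing
    ("OfficeSuite", "2000", 5, "PO-0042"), # old version, mostly retired
    ("DBServer", "8", 1, "PO-1002"),
    ("DBServer", "7", 1, "PO-0099"),       # nothing installed any more
]


@dataclass(frozen=True)
class Finding:
    product: str
    version: str
    installed: int   # copies found on the network
    licensed: int    # seats on the ledger, proven or not
    provable: int    # seats backed by a proof-of-purchase reference
    status: str      # unlicensed | over_deployed | unproven | surplus | ok


def reconcile(inventory, ledger):
    """Return one Finding per (product, version) seen in either source."""
    installed = Counter((p, v) for _host, p, v in inventory)
    licensed, provable = Counter(), Counter()
    for p, v, seats, proof in ledger:
        licensed[(p, v)] += seats
        if proof:
            provable[(p, v)] += seats

    findings = []
    for key in sorted(set(installed) | set(licensed)):
        n, lic, prov = installed[key], licensed[key], provable[key]
        if lic == 0:
            status = "unlicensed"      # installed, no entitlement at all
        elif n > lic:
            status = "over_deployed"   # under-bought: true-up exposure
        elif n > prov:
            status = "unproven"        # seats exist only on paper to an auditor
        elif lic > n:
            status = "surplus"         # over-bought or retired version
        else:
            status = "ok"
        findings.append(Finding(key[0], key[1], n, lic, prov, status))
    return findings


def exposure(findings):
    """Seats an auditor could bill for: installs beyond what you can prove."""
    return sum(max(f.installed - f.provable, 0) for f in findings)


if __name__ == "__main__":
    results = reconcile(INVENTORY, LEDGER)
    for f in results:
        print(f"{f.product:12} {f.version:5} installed={f.installed} "
              f"licensed={f.licensed} provable={f.provable} -> {f.status}")
    print("billable exposure (seats):", exposure(results))
```

Note that the check counts an unproven seat the way an auditor would, as if it did not exist, which is exactly why the lost-paperwork case in the ledger shows up as a finding rather than as a clean entry. Real inventories will also need a normalization step for product names and versions before the counters line up.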

In summary, corporations are well advised to be proactive, prepared and, in the event of an audit, patient. An audit by your software vendor or the BSA is not an appealing prospect. But the consequences will be far worse if your firm attempts to hide, deceive or deliberately destroy evidence. If your firm thinks or knows it has a software non-compliance issue, it should move swiftly and decisively to address it.