Good afternoon, Habr!
By way of introduction, I want to thank the Habr administration: thanks to their support, we now have our own thematic blog, habrahabr.ru/blogs/sam. Thank you!
We all know that the main risk groups when it comes to liability for unlicensed software in an organization are the managers (who are, in principle, responsible for everything that happens in the organization) and the IT department (onto which managers can most easily push the problem under the slogan “I did not know about any unlicensed software, I thought everything was legal; here is the specialist, and he said everything was fine”).
Going by the very first topic of the series, habrahabr.ru/blogs/sam/97343, this is the fourth step, called “development of procedures”, which stated the need to develop internal documents regulating the entire software life cycle in the organization.
What are they needed for?
IT does not stand still: even if we once carried out an inventory and completely got rid of risky software, that does not mean this order will be maintained permanently. The next day a new solitaire game downloaded from the network will appear somewhere, then a plug-in for Photoshop, then a new version of an office suite brought from home, and so on.
This also ties in directly with reducing the liability of officials (management, IT department) for possible violations of software-related laws committed by users.
To maintain order in the software, you need to keep track of two broad things:
1) The safekeeping of all the documentation accompanying the licenses, so that existing software does not suddenly become pirated because one piece of paper was lost.
2) Preventing new unlicensed software from appearing on computers.
The following actions are recommended for this.
1) Development and adoption in the organization of documents approving the procedure by which new software is introduced.
I don’t see any point in giving templates for these documents: they depend heavily on the structure of the company. The main thing is to spell everything out in as much detail as possible, indicating all possible steps and those responsible for each stage.
As a starting point for developing these documents, you can use this very simple scheme:
- The user needs new software (more precisely, needs some functionality) and submits a request on the standard form.
- The request is reviewed.
- If the request is approved, specific software is selected for the required tasks.
- Once the program is selected, if it is paid software, we check the license register to see whether there is an unused license for it.
- If there is a license, we install the software for the user and update the lists.
- If there is no license, we move on to the procedure for obtaining one.
- For paid software, we determine whether a budget is available; for free software, we get it for the minimum price.
- If there is no budget, we submit a budget request and wait.
- If a budget exists, or once it has been allocated, we choose the supplier.
- We conclude an agreement with the supplier and wait for delivery.
- We receive the software and update the list of licenses.
- We install the software for the user and update the list of licenses.
2) Development of a document regulating the use of software.
We include in it everything an employee may and may not do in this regard; among other things, I highly recommend inserting a clause on preserving the stickers on PC cases.
3) Amendments to the employment contract.
These cover liability for violating the documents governing the use of software and related assets in the enterprise.
4) Listing the software installed on computers.
In steps 2-3.5 of the general plan of action, we take an inventory of the software installed on computers and get rid of anything unnecessary.
After that, we need to draw up lists of the software installed on each computer (for this it is recommended to standardize these software sets; more on that in a separate topic).
An example of such a document (a separate document is drawn up for each PC).
***************************************************************
List of software.
Computer - write_its_unique_name_here
Computer location - pc_location
Employee - who_this_pc_is_assigned_to
The following software is installed on this computer.

| No. | Descriptive name | Title | Version | Edition | Additional info |
|---|---|---|---|---|---|
| 1 | Operating system | Microsoft Windows | 7 | Professional | sticker on PC case |
| 2 | Office suite | Open office | 3.2 | | |
| 3 | Antivirus | Kaspersky | 6 | | |
| 4 | Graphics package | Adobe Creative Suite | CS5 | Design Premium | |
| 5 | ICQ client | QIP | 8095 | | |
| 6 | Keyboard layout switcher | Punto switcher | 3.1.1 | | |

With his signature, the user confirms that the programs listed here are present at his workplace and that no other programs are present at the time the list is drawn up. Any program is added, removed or modified only in accordance with the software usage policies adopted by the organization. Independent action is prohibited.
User signature ___________________ Signature of the person responsible for software accounting _______________________
***************************************************************
The list includes ABSOLUTELY ALL standalone software present on the user's computer in installed or portable form, regardless of the type of license and the method of distribution.
Each sheet is made in duplicate and signed; one copy is stored in a shared folder.
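A check that follows from the per-PC list above, as an added example that is not part of the original post: it parses the signed list and compares it with a current scan, reporting software that was added, removed or modified. The scan data, the "Solitaire Deluxe" entry and all function names are constructed for illustration.

```python
# Rows modelled on the sample list in the post: No. | name | title | version | edition | info
SIGNED_LIST = """\
1 | Operating system | Microsoft Windows | 7 | Professional | sticker on PC case |
2 | Office suite | Open office | 3.2 | | |
3 | Antivirus | Kaspersky | 6 | | |
4 | Graphics package | Adobe Creative Suite | CS5 | Design Premium | |
5 | ICQ client | QIP | 8095 | | |
6 | Keyboard layout switcher | Punto switcher | 3.1.1 | | |
"""

# Constructed scan result (title, version, edition); the real source is an assumption.
CURRENT_SCAN = [
    ("Microsoft Windows", "7", "Professional"),
    ("Open Office", "3.2", ""),
    ("Kaspersky", "6", ""),
    ("Adobe Creative Suite", "CS5", "Master Collection"),  # edition differs
    ("QIP", "8095", ""),
    ("Solitaire Deluxe", "1.0", ""),                       # not on the signed list
]

def normalize(title):
    """Case- and whitespace-insensitive key, so 'Open office' == 'Open Office'."""
    return " ".join(title.lower().split())

def parse_signed_list(text):
    """Return {normalized title: (version, edition)} from pipe-separated rows."""
    baseline = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 5 or not cells[0].isdigit():
            continue  # skip headers, separators and blank lines
        baseline[normalize(cells[2])] = (cells[3], cells[4].lower())
    return baseline

def diff_inventory(baseline, scan):
    """Report software added, removed or modified relative to the signed list."""
    current = {normalize(t): (v, e.lower()) for t, v, e in scan}
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in current.keys() & baseline.keys()
                           if current[k] != baseline[k]),
    }

if __name__ == "__main__":
    report = diff_inventory(parse_signed_list(SIGNED_LIST), CURRENT_SCAN)
    for kind, titles in report.items():
        print(f"{kind}: {titles}")
```

Any non-empty category means the PC no longer matches the signed sheet, so either the sheet is reissued through the approved procedure or the change is rolled back.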
How does such a document help? It makes it possible to transfer responsibility for the user's actions to the user.
Classic example:
An inspection arrives, finds unlicensed software, and goes to management with the results. Management makes round eyes and says that in general it understands nothing about this: there is a responsible person (the sysadmin), and all questions go to him. The inspectors go to the IT manager and say that they have found unlicensed software. The admin pulls out a large stack of papers and asks: on which computer, and what did they find? According to the list, this software was not on that computer; it is the employee's own initiative, and the employee signed this list as well as a pile of rules on software use in the organization. The inspectors take the sheet and go to question the employee.
I cannot say that this example will completely remove the responsibility from everyone except the user (I know too little of such practice for that), but the fact that these documents will help reduce it is obvious.
Summary
In summary, implementing this set of documentation will allow us to maintain the order once established in our software and not fear an inspection arriving at any particular time. And all those who violate the order face internal corrective measures.