Auditing Software Licensing
Dealing with software licensing risks can be one of the overlooked items when conducting internal IT audits.
It happens frequently: a co-worker feverishly completes his latest proposal with an image editor that isn't listed among the organization's authorized applications. When asked where he got it, he responds he borrowed it from his son, who obtained a bootlegged copy from his roommate. He asks, "Isn't it cool?" With this application he can include illustrations he scanned from magazines that will add 'punch' to his proposal. "Is there a problem?" he asks.
IT asset risk management isn't just an exercise, it is a matter of law with far-reaching consequences. Software and related documentation are copyrighted and protected by civil and criminal laws. Unauthorized duplication, distribution and sales are subject to legal actions resulting in fines and financial settlements, and may even result in incarceration. Organizations can be held responsible for the actions of their employees who install and use software in any willy-nilly fashion they please.
End User Agreements
Conditions governing the use of programs are defined in the end user license agreements, which are usually executed as part of the software installation process. It is wise to read the text before accepting the terms: these agreements are carefully crafted and detail the conditions under which the client may install and use the vendor's programs. Some licensing agreements require customers to audit their own software assets and report to the vendor whether they hold the correct number of licenses for their installations. The choice is simple: if you don't agree, don't install the application. If you do execute the licensing agreement, you are bound by it. Consider the public embarrassment and possible legal action that could result from a former employee alleging that software valued at thousands of dollars was not licensed, but pirated.
Formulate a simple, understandable software policy. Legal, regulatory and business objectives must be considered when creating and implementing this document. In consultation with the organization's human resources and legal units, it is important that each employee and contractor execute an acknowledgement of policy understanding and acceptance. Policies must address such processes as software procurement, individual and business unit accountability for IT assets, configuration and change controls, installation of shareware or personally owned software on the organization's computers, and official use of personally owned hardware. IT asset policies should include the understanding that auditing individual workstations, PDAs and notebooks will take place at unannounced times and include hardware/software used for the organization's purposes. Policy compliance auditing offers secondary benefits by eliminating unauthorized software incompatible with the organization's security goals.
Determine what software is installed and the location where it is in use. These are two critical steps in software license compliance: how many licenses, including their versions, were purchased and how many copies across the enterprise have been installed? Without complete answers to both questions, the number of legally owned programs cannot be accurately determined.
The number of licenses should match the number of installations. Where they differ, it is incumbent upon the auditor to report the findings promptly to the unit manager, along with solid recommendations. Managers must take steps to achieve compliance quickly, because the clock is ticking: a license-compliance audit is motivated by the possibility that irregularities will form the basis of future legal actions.
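A minimal reconciliation of the two counts described above, added here as an example and not taken from the article: the inventory records and license entitlements are constructed sample data (the product names, host names and seat counts are invented), standing in for what an endpoint inventory tool and the procurement records would actually supply. It counts distinct hosts so that a workstation scanned twice is not reported as two installations, normalizes vendor naming differences, and reports license deficits, software with no entitlement at all, and unused seats as separate findings.

```python
"""Reconcile an installed-software inventory against purchased license entitlements.

Added example, not the article's own procedure. All records below are
constructed sample data; real input would come from an inventory agent
(installed products per host) and from purchasing records (seats per product).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str      # workstation or server the product was found on
    product: str   # product name as reported by the inventory tool
    version: str   # version string; licenses are tracked per version here


@dataclass(frozen=True)
class Entitlement:
    product: str
    version: str
    seats: int     # number of installations this purchase permits


def _key(product: str, version: str) -> tuple:
    # Normalize case and stray whitespace so "Acme Office" and "acme office "
    # are recognized as the same product.
    return (product.strip().lower(), version.strip().lower())


def count_installs(inventory) -> dict:
    """Count distinct hosts per (product, version).

    A host that appears twice (for example, scanned by two collectors) must
    count as one installation, not two.
    """
    hosts = defaultdict(set)
    for inst in inventory:
        hosts[_key(inst.product, inst.version)].add(inst.host.strip().lower())
    return {k: len(v) for k, v in hosts.items()}


def reconcile(inventory, entitlements) -> dict:
    """Compare installations with seats and classify each product/version.

    status is one of:
      "ok"         installed <= licensed
      "deficit"    more installations than purchased seats
      "unlicensed" installed but no entitlement on record at all
      "unused"     seats purchased but nothing installed
    """
    installed = count_installs(inventory)
    licensed = defaultdict(int)
    for ent in entitlements:
        licensed[_key(ent.product, ent.version)] += ent.seats

    report = {}
    for k in set(installed) | set(licensed):
        i, l = installed.get(k, 0), licensed.get(k, 0)
        if l == 0:
            status = "unlicensed"
        elif i == 0:
            status = "unused"
        elif i > l:
            status = "deficit"
        else:
            status = "ok"
        report[k] = {"installed": i, "licensed": l, "delta": l - i, "status": status}
    return report


def findings(report: dict) -> list:
    """Items needing management action, most serious first."""
    order = {"unlicensed": 0, "deficit": 1, "unused": 2}
    return sorted(
        ((k, v) for k, v in report.items() if v["status"] != "ok"),
        key=lambda kv: (order[kv[1]["status"]], kv[0]),
    )


# Constructed sample inventory: five hosts with Acme Office 12 (one of them
# recorded twice), one with the older version 11, and one with an image
# editor that was never purchased.
INVENTORY = [
    Install("ws-01", "Acme Office", "12"),
    Install("ws-02", "Acme Office", "12"),
    Install("ws-03", "Acme Office", "12"),
    Install("WS-03", "acme office ", "12"),   # duplicate record for the same host
    Install("ws-04", "Acme Office", "11"),
    Install("ws-05", "PixelForge Image Editor", "4.2"),
    Install("ws-06", "Acme Office", "12"),
]

# Constructed sample purchases: three seats of version 12, five of version 11,
# and ten seats of a backup product that nobody has installed.
ENTITLEMENTS = [
    Entitlement("Acme Office", "12", 3),
    Entitlement("Acme Office", "11", 5),
    Entitlement("SecureVault Backup", "2", 10),
]

if __name__ == "__main__":
    for (product, version), row in findings(reconcile(INVENTORY, ENTITLEMENTS)):
        print(f"{row['status']:<10} {product} {version}: "
              f"installed={row['installed']} licensed={row['licensed']} delta={row['delta']}")
```

With the sample data the report shows Acme Office 12 with four distinct installations against three seats (a deficit of one), the image editor as unlicensed, and the backup product as ten unused seats; Acme Office 11 is within its entitlement and is not listed as a finding.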
There are federal statutes in the United States requiring organizations to safeguard assets, and punishing those who ignore internal controls over their assets. It is interesting to note these laws may be applied to the enterprise as a whole as well as its employees. Enforcement ranges from civil actions sought by software producers, investors and regulatory agencies, to criminal indictments.
Dealing with internal controls intended to protect assets, the 1934 Securities Exchange Act requires that publicly owned companies maintain internal controls over assets, thereby protecting the corporation's investors (15 United States Code Section 78m).
Copyright law protects original works of authorship, including literary works (which include software and related documentation), musical works, motion pictures, sound recordings, dramatic works, pictorial and sculptural works, and architectural works. Among the rights reserved to the copyright holder are the preparation of derivative works based upon the copyrighted work and the distribution of copies of the copyrighted work to the public by sale or other transfer of ownership (17 United States Code Section 106, and similar laws worldwide).
Under current U.S. law, the term of copyright protection is the life of the author plus 70 years. For "works made for hire" the term is 95 years from the date of first publication or 120 years from the date of creation, whichever expires first. These terms matter if a business assumes that the copyright on an installed application may have expired.
Internationally, authors receive copyright protection in countries that have signed the Berne Convention for the Protection of Literary and Artistic Works or the Universal Copyright Convention. Signatories to these two conventions agree to give nationals of other member countries the same level of copyright protection they afford their own citizens.
Preserving IT assets is part of an organization's best practices where legal and policy compliance is assured by timely and careful internal audit procedures. If managers are negligent in safeguarding IT assets, and executing their own due diligence, the business organization and its employees may be liable for civil and criminal prosecutions.
Alan B. Sterneckert, CISSP, CISA, CFE, CCCI, is a retired special agent, Federal Bureau of Investigation. He is an information security consultant, lecturer and author. He may be contacted at firstname.lastname@example.org.