Software Licenses - Information for Auditors
Email: robharm@pcprofile.com   Web site: http://www.pcprofile.com
One of the hardest tasks to manage in the computing department for any organization is licenses for software. Understanding that the software that you have installed is ONLY covered by a "license to use" is a hard concept to grasp. This article covers licenses issues for Windows based desktop and server based platforms.
Open Source Foundation licenses vary significantly from commercial vendor licenses for Windows based software, so they are NOT considered in this article.
The license conditions for each software application need to be read, understood and filed in a secure place with proof of purchase, because each and every software license agreement is different, even for the same application package. REPEAT!
Each software license or End User License Agreement (EULA) varies from package to package and from vendor to vendor.
The basic rule is that for every PC with software installed there needs to be a current software license or end user license, the disks/media, and proof of purchase via a valid invoice from a bona fide supplier. Larger organizations MAY have special license arrangements, such as a Select or Open license agreement or an OEM license agreement. The number and style of licenses varies widely, as does their form and content. Again, the basic rule is that for every software package installed on a PC there needs to be one license per PC. For example, running a copyrighted software program on two or more computers simultaneously is illegal unless the license agreement specifically allows this (i.e. a multi-user or site license)!
There is an un-written "ethic" that exists (whether you like it or not) that because it's "software" and because the big vendors are wealthy and make mega -million$ then it's "OK to copy software". Often, advocates of this approach refer to Microsoft as Micro$oft on chat sites and warez sites.
- One Computer One License
- EULA - Get Used to the term!
- Licenses are amended from time to time
- Upgrading software
- What Types Of Software Licenses Are There?
- Does the 80/20 Rule Still apply for software?
- What Constitutes Copying Of Software?
- Software Licensing Issues - A General Rule
- How To Tell If You're At Risk
- What steps are necessary when looking at the "big picture" of software compliance?
- How can I PROVE that I am legally compliant?
- Not convinced you need to sharpen up your software compliance audit practices?
- How to become Software Compliant
- What should you be doing as "the AUDITOR"?
- How can you detect what has been installed?
- Sample EULA's (End User License Agreements)
- Frequently Asked Questions about Software Licenses
- Software Audit tools
One Computer, One License
Operating system licenses are required for each computer using the operating system, and each license is specific to that particular computer. Licenses cannot be sold, transferred or removed from the particular computer to which they are assigned. Concurrent use rights for operating systems are not available, nor are secondary use rights (sometimes referred to as the 80/20 rule) offered for portable or home use.
Hang on ...
What's the issue with licenses?
I OWN the software, don't I?
Unfortunately NOT! Software is "sold" under copyright laws right around the world under the provisions of a "license to use" (but not own) the software, due to intellectual property rights and restrictions. Copyright law and international copyright treaties, as well as other intellectual property laws and treaties, protect ALL computer software. Copyright law and other intellectual property laws in many countries protect the rights of software developers/owners by granting the developer/owner a number of exclusive rights, including the right to reproduce or "copy" the software. Copying software without the permission of the owner is "copyright infringement," and the law imposes penalties on infringers.
LICENSES ARE AMENDED FROM TIME TO TIME
When you install the software there is typically a EULA (End User License Agreement) included with the software, sometimes as a text file. Sometimes it is readily accessible. Other times (such as in AutoCAD) it is embedded inside the software. In the new electronic world of software distribution the software license can often only be viewed on-line and in some cases can't even be printed!
Sometimes when you use the Internet to download upgrades, you are asked to "agree to the terms and conditions" before download. Commercial computer software (including shareware and freeware) is licensed directly or indirectly from the original copyright owner (the vendor/manufacturer or software publisher) for use by the end-user customer through an acceptable (within the industry) style of contract. This style of legally binding contract is the "End User License Agreement".
When you upgrade software (e.g. via download from "update now" sites) the EULA included with the upgrade version often amends the original EULA installed and stipulates license rights for both the original product and the upgrade. Typically when you download or install any new upgraded version you will receive a new EULA.
Upgrade versions are treated as part of the entire product, because an upgrade often needs many of the basic components in the original software in order to run. Upgraded software often only upgrades part of the software installed and utilizes existing system and dll files shipped with the original version.
When you upgrade you MUST retain all original prior versions. They cannot be sold or transferred to another user. The original and the upgrade are treated as a single software unit, and all the versions must be retained to remain legally licensed. This particular issue will come as a surprise to many sites!
These licenses may be used to upgrade an existing qualified operating system but are not for installation on a computer with no operating system.
WHAT TYPES OF SOFTWARE LICENSES ARE THERE?
- Original Equipment Manufacturer (OEM). These licenses cover software for stand-alone PC's and notebooks and MUST stay bundled with the computer system and NOT be distributed as a separate (or stand-alone) product. This software will be identified or labeled "For Distribution Only With New Computer Hardware."
- Not for Resale (NFR) Software License. These very specific and restricted licenses are made available by software vendors directly to the distribution channel and are typically marked NFR, with explicit conditions that the software is NOT FOR RESALE. NFR software is distributed as a promotional or sample product and is not licensed for normal commercial distribution.
- Volume or Site Licensing. Volume or site licensing enables organizations to acquire a license with specific rights to copy and use some software, with agreements tailored to the number of products needed at the particular organization. In some instances these agreements are known as concurrent licenses and are based on an agreed number of connected users at one time. Often these agreements place a requirement on the organization to audit and verify that at all times it is operating within the terms of the license count paid for under the agreement.
- Educational or Academic Software. This form of license is issued when software is sold and licensed with specific marking showing the software is for distribution to educational institutions and students at reduced prices. This software is usually labeled as an academic product for use only by academic or educational institutions.
- Upgrade License. This form of license is issued when organizations upgrade their software. A condition of the software upgrade is that the ORIGINAL versions MUST be retained in order to receive the benefit of protection under the original and upgraded end-user license agreement.
- Peer To Peer File Sharing. The Application Service Provider (ASP) market model is based on "renting software and services" across the web. The Microsoft .NET model is based on the same approach, and the HailStorm technology they announced recently confirms this view. It is now possible to obtain licenses for file sharing software via web located services that allow Peer to Peer (p2p) file sharing of executable application files.
Does the 80/20 rule still apply for software? (80% use at work, 20% use at home)
In previous years some vendors, including Microsoft, worked on an 80/20 rule. This "rule" allowed you to make a copy for home use as long as the software was used by a SINGLE user no more than 80% at work and no more than 20% at home. NOW the general answer to this one is NO. BUT you may still need to check the license agreement, which will outline very clearly whether you can or can't! In all cases software is supplied in accordance with license conditions, and the above products are licensed for installation on single machines in most instances.
What constitutes "copying of software"?
In the eyes of the Copyright lawyers (and now widely accepted in practice), when you:
- load the software into your computer's Random Access Memory (RAM) by executing or running the program from:
  - a floppy disk,
  - a hard disk,
  - a CD-ROM, or
  - other storage media, e.g. zip drives / virtual drives / servers / web servers / application servers;
- copy the software onto other media such as a floppy disk or your computer's hard disk;
- execute or run the program on your computer from a network server on which the software is resident or stored;
- make a backup copy to any kind of storage media;
- e-mail the executable files to another site;
- download the executable files by exporting them to another location; or
- archive the files to other storage media, e.g. zipped drives, virtual drives, Internet storage services etc.
YOU ARE COPYING SOFTWARE!
In the instances above you are MAKING A COPY of a software program. Your license / EULA needs to be checked before you do any of the above!
If you work for a company that has delegated software purchasing and management to a systems administrator, the systems administration department should be able to supply you with proof that your software is legally licensed.
If you purchased your software from a store, through a mail-order catalog, or even from an individual, and a EULA did not accompany the product, you may have purchased illegal software. Illegal software, commonly called "pirated" software, may expose you and/or your business to legal liabilities. If you suspect you have an unauthorized copy of the software, or have concerns about the legal ramifications of using such software, see the questions in this Help document concerning software piracy.
SOFTWARE LICENSING ISSUES - A GENERAL RULE
- Copies of software or its documentation CANNOT be made without the express written consent of the software publisher.
- Software SHOULD ONLY be purchased from a legitimate identifiable source otherwise it can present security and legal threats to the organization.
- In some cases, license agreements for a particular software program may permit an additional copy to be placed on a portable computer or home computer for business purposes. BEFORE doing this ensure the license agreement actually permits this. NOT all vendors offer this facility. Some did offer it then altered the license conditions "after the event". Can they do this? YES. It's generally written into the license agreement that the vendor can change the agreement at any time!
- The unauthorized duplication of copyrighted software or documentation is a violation of the law and is contrary to established standards of conduct for most if not all organizations. Employees who make, acquire, or use unauthorized copies of computer software or documentation should be subject to immediate discipline, up to and including immediate termination of employment.
How to tell if you're at risk
There are several issues you need to be aware of:
- All Licenses are NOT the same
- Licenses from the same vendor vary wildly
- License conditions can change when you download software
- Licenses apply NOT ONLY to software but can also apply to music, sound files, pictures, fonts and even dll files!
To be "software compliant", each PC must have a full-license for each software application loaded.
The most common causes of license violation are:
- Sharing software licenses between PC's
- A legal upgrade of a product loaded on top of an unlicensed full-version of the product
- PC's accessing server based systems without the correct network access license
Ways to detect illegal software can be identified at: http://www.pcprofile.com/software_piracy.htm
What steps are necessary when looking at the "big picture" of software compliance?
- Understand software copyright and the implications of the Copyright Law in respect to software ownership for your regional area
- Be committed to stamping out software theft throughout your organization.
- Establish a software Code Of Ethics,
- Inform all staff, display the code and get the staff to understand the code.
- Run a training session on software compliance!
- Create an employee compliance statement and get all staff to sign it.
- Make software compliance an integral part of your enterprise/employee agreements.
- Induct and train new staff in the issues of software compliance.
- Conduct annual training sessions on software compliance and copyright issues.
- Establish a software register for each machine, listing all licensed software BUT get rid of any unlicensed software first! Make sure you don’t lose any corporate data and files in the process!
- Instruct the staff resident at each desktop PC to sign the software register, making them accountable for the software installed.
- Store original software discs in secure, central locations, identified and matched to software registers.
- Appoint a "license keeper" who is responsible for storage and tracking of ORIGINAL media and licenses as well as formalized proof of purchase
- Display warning and reminder notices on notice boards and on PC’s & workstations.
- Appoint a software controller, to co-ordinate buying software, installing software and maintaining software registers.
- Make all your management team software auditors. This will keep the staff on their toes!
- Conduct regular, unannounced audits of departments and selected PC’s and workstations.
- Vary the frequency of software compliance audits.
- Conduct full software audits, re-establish the software registers, with staff signing again.
- Look also at MP3, sound files, video files, picture files as they are also indications of spurious NON-work related activity
How can I PROVE that I am legally compliant?
You need to;
- INVENTORY what is installed
- DETECT what is installed
- NAME the application without using a database or registry method
- UPLOAD the results to a central repository
- FILTER the results to focus on major application packages
- AGGREGATE the results to work out "how many copies of"
- IDENTIFY LICENSES and check the installations don't violate license conditions
- LOCATE ORIGINAL media and secure it
- CHECK media for counterfeit or bad copies
- ESTABLISH PROOF of Purchase by marrying invoices to asset ownership
- CULL and REMOVE illegal copies
Then repeat the above process every 3 to 6 months depending on your rate of "software volatility" (the rate of change) in the organization.
Not convinced you need to sharpen up your software compliance audit practices?
See Busted, and the ways to detect illegal software identified at: http://www.pcprofile.com/software_piracy.htm
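The UPLOAD / FILTER / AGGREGATE / IDENTIFY LICENSES steps above, plus the "differential" audit (additions and deletions since the last audit) mentioned later in the AUDIT-Baseline description, worked through in code. This is an added example, not PCProfile's tools or any code from the article; the CSV inventory, the license register and the column names are constructed assumptions.

```python
"""Added example (not PCProfile's own code): reconcile a per-PC software
inventory exported as CSV against a license register, then diff two audits.
All sample data below is constructed for illustration."""
import csv
import io
from collections import Counter, defaultdict

# Constructed inventory export: one row per installed package per PC.
INVENTORY_CSV = """pc,product,edition
PC-001,Office,Full
PC-002,Office,Full
PC-003,Office,Full
PC-004,Office,Upgrade
PC-003,AutoCAD,Full
PC-005,AutoCAD,Full
"""

# Constructed license register: licenses held, matched to purchase invoices.
LICENSES_CSV = """product,license_type,count,invoice
Office,Full,2,INV-1001
Office,Upgrade,3,INV-1002
AutoCAD,Full,2,INV-1003
"""


def read_rows(text):
    """Parse a CSV export (or uploaded file contents) into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_rows, license_rows):
    """AGGREGATE installs per product and IDENTIFY LICENSES that cover them.

    Rules from the article: one install needs one full license per PC, and an
    upgrade license only covers a copy that still has its retained ORIGINAL
    full license, so upgrade licenses never raise the licensed count.
    """
    installed = Counter(r["product"] for r in inventory_rows)
    held = defaultdict(Counter)
    for r in license_rows:
        held[r["product"]][r["license_type"]] += int(r["count"])
    report = {}
    for product in sorted(set(installed) | set(held)):
        full, upgrade = held[product]["Full"], held[product]["Upgrade"]
        report[product] = {
            "installed": installed[product],
            "full_licenses": full,
            "shortfall": max(0, installed[product] - full),   # copies to CULL or buy
            "upgrades_without_base": max(0, upgrade - full),  # upgrade on unlicensed full
        }
    return report


def differential_audit(baseline_rows, current_rows):
    """Additions and deletions per (pc, product) since the last audit."""
    before = {(r["pc"], r["product"]) for r in baseline_rows}
    after = {(r["pc"], r["product"]) for r in current_rows}
    return {"added": sorted(after - before), "removed": sorted(before - after)}
```

With the sample data, Office shows four installs against two full licenses (a shortfall of two, and one upgrade license with no original behind it), while AutoCAD is fully covered.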
- Firstly you need to take a full stock take or inventory of all the PC's on site.
- Then you need to undertake a full software inventory, not just of Microsoft installed software but ALL software on the PC based systems.
- You might as well take a hardware inventory (of the PC system) whilst you are doing the task for asset purposes!
That's the easy part, time consuming, but easy nonetheless. Then you need to
- consolidate all the details
- then work out what you own
- and what you don't!
You also need to identify;
- what has been purchased,
- where it was purchased from,
- date of purchase,
- numbers of licenses purchased
and finally
- locate the original media
- and licenses
- and match all the above to the software inventory records created!
The above is the MINIMUM detail needed as evidence of purchase to defend yourself should you get caught in a raid by the anti-piracy vendors.
Conduct your own "software raid" and expose the problem, before someone else does!
How to become Software Compliant
If you find that PC's in your organization are under-licensed you need to either delete the software or obtain the correct number of software licenses to ensure that you’re legally compliant.
Organizations should set in place controls that permit frequent and periodic assessments of software use, announced and unannounced audits of company computers to assure compliance, and the removal of any software found on desktops, notebooks and servers for which a valid license or proof of license cannot be determined, and disciplinary actions, including termination, in the event of employee violation of these controls and policy.
What should you be doing as "the AUDITOR"?
How can you detect what has been installed?
The tools we offer are the "electronic engine room" of the auditing cycle in so far as they provide the electronic means to identify and detect without a database what is installed. Then they provide the means to upload that detail in CSV format to any database or spreadsheet or asset register you may wish to utilize without being held in encrypted or locked down format. They provide the means for you to tailor reports to suit your own needs using Crystal Reports etc or SQL Server.
After the electronic audit is completed you need to verify that what is installed is covered by licenses and proof of purchase and there is NO software on the market that can do that for you. If the other audit tools you are evaluating claim that using their tool "is all you need consider" then they are misinforming you.
Sample EULA's (End User License Agreements)
This web page link illustrates the complexity of software licenses by showing on-line the individual EULA's, which vary even within one vendor: http://www.pcprofile.com/Sample_EULA.htm
Frequently Asked Questions about Software Licenses
This web page link illustrates a range of different questions and our answers: http://www.pcprofile.com
Software Audit tools are located at: http://www.pcprofile.com
OUR SOFTWARE COMPLIANCE AUDIT TOOLS
PCProfile
PCProfile PC audit software tools provide software compliance solutions for management and auditors. Our flagship product - AUDIT-Baseline allows for a software audit and a "differential" audit to be taken at any time to identify additions, changes and deletions since the last audit! We specialize in PC Audit Software, Software Compliance, PC Auditing, Software Inventory and License Management, and PC Desktop Asset Management and have significant management experience in the issues and problems faced by organizations (large and small) when trying to conduct desktop hardware and software audits, software inventory and asset creation.
AUDIT-Baseline, AUDIT-Manager, AUDIT-Server, AUDIT-Images, AUDIT-Sounds, AUDIT-Compare, Software Compliance Auditors Toolkit, and Software Inventory System Copyright 1999-2001(C) Rob Harmer Consulting Services Pty Ltd All rights reserved Worldwide
- Article written exclusively for AUDITNET.ORG by:
email robharm@pcprofile.com http://www.pcprofile.com
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®
