
Guidelines on Software Asset Management

Version 0.3

Contents
1 Introduction
1.1 Issues and Challenges
1.2 Need
2 Software Asset Management (SAM)
2.1 Key Procedures for Implementation
2.2 Governance Structure
2.3 Implementation Details
2.4 Strategic Control
2.5 Security
3 Audit and Compliance
4 Maturity of SAM Policy
5 SAM Tools
6 Benefits of SAM
7 Acknowledgements
8 Annexure A: International Standard on SAM
9 Annexure B: SAM Indian e-Governance Examples

1 Introduction

The growth of ICT and in particular web based technologies has transformed the interaction between the Government and its service seekers. Today, Governments worldwide want to use the potency of ICT to deliver end-to-end services right at the citizen doorstep, anytime and at minimum cost. ICT is increasingly being seen as the only way to improve governance. With the increase in accessibility to Internet and mobile technology, citizens themselves are expecting more and more online information and services from governments.

The National e-Governance Plan (NeGP) was approved by the Government of India in May, 2006 in order to promote e-Governance on a massive scale. Until the formulation of this plan, e-Governance was a subject purely driven by individual effort rather than a national vision. The National e-Governance Plan is basically a shift in the approach and methodology followed by the Departments to implement ICT initiatives prior to its formulation. Lessons and experiences from past successful and failed ICT initiatives both national and international have been blended in the new NeGP approach and methodology.

The National e-Governance Plan seeks to lay the foundation and provide the impetus for long term growth of e-Governance within the country. The plan seeks to create the right governance and institutional mechanisms, to set up the core infrastructure and policies and to implement a number of Central, State and Integrated Mission Mode Projects, with well defined service levels, to create a citizen-centric and business-centric environment for governance. Implementation of e-Governance projects is a highly complex process requiring provisioning of hardware & software, networking, change management and capacity building. This is a perfect scenario for the deployment of a robust software asset management policy.

Software is an intangible asset protected by copyright and contract law. Due to its intangible nature, software presents unique challenges in terms of asset management. This challenge is further compounded when it comes to the management of software assets for an entity as large and complex as the Government of India.

1.1 Issues and Challenges

Information Technology has fundamentally changed the way we communicate, deliver services, access/store/transmit information, conduct businesses and undertake daily online transactions. As the Government undertakes critical and widespread e-Governance projects and transacts with citizens and entities, through computers and network, powered by software applications, managing IT assets has become a challenging and important task.

Some key trends/challenges being faced by organizations today are:
• Management of all strategic IT assets
  o Licenses
  o Upgrades
  o Documentation
  o Software versions
• More client machines (PC/Laptops) and Mobile Devices connected to unsecured networks.
• Increasing frequency of virus and security attacks.
• Increasing frequency of client security patch releases.
• Wider usage of open source and licensed software with differing licensing agreements.
• Many License agreements require mandatory periodic independent audits

An effective Software Asset Management (SAM) framework will ensure that the Department is ready to deal with the challenges posed above and at the same time complies with the regulatory, legal, IPR and security requirements of the Software being used.

1.2 Need

In order to establish a Software Asset Management Framework, a need has been felt to establish a Guideline for the Departments executing e-Governance projects which can be used to institutionalize policies and procedures specific to the Departments while following the basic principles of SAM. The purpose of this document is to provide practical assistance to Government of India departments in maintaining a framework for the management of software licenses and associated media. Implementation of the guidelines will provide assurance to departments and the Government that:
• a clear management policy for projects for open source, licensed and customized software is established.
• project based software assets are integrated with existing software assets in the department.
• a clear software asset ownership policy covering the entire asset lifecycle of the assets and project is established.
• use of illegal software is prevented.
• compliance with software license conditions is adequately monitored.
• there are the appropriate number of licenses for each item of software in use.
• there are effective controls in place for the physical security of software media.

Recognizing that various Departments differ in their goals, operations and their composition, the guiding principles are designed to serve as the common denominator allowing Departments sufficient latitude in creating Department-specific plans while providing a unifying platform for all Government asset management efforts.

2 Software Asset Management (SAM)

According to the Information Technology Infrastructure Library (ITIL), SAM is defined as all of the infrastructure and processes necessary for the effective management, control and protection of the software assets throughout all stages of their lifecycle.

SAM is a business practice designed to reduce information technology costs, limit risks related to the ownership and use of software, and increase IT and end-user efficiencies. ISO 19770 Standard is the international standard on Software Asset Management (SAM); see Annexure 1.

2.1 Key Procedures for Implementation

2.1.1 There are a number of key issues that guide the initial planning and implementation of a SAM framework that should be addressed before developing an implementation plan. These include, but are not limited to:

• Gaining senior management support
• An assessment of the risks involved in not implementing a framework: over-licensing, under-licensing, increased expenditure, security breaches, software compatibility issues, lost time and lack of technical support and product upgrades.
• An assessment of benefits of implementing a framework: savings through purchasing only what is needed when it is needed, employees being able to work more efficiently, assists with the compilation of an accurate budget, ability to manage and monitor usage to link with ICT planning.
• The development of a business case to demonstrate the effectiveness of the framework
• Consideration of what functions may be centralized: for example, license management, procurement and software asset registers.
• Long term management: including continuous improvement, upgrades, compliance and audits

2.1.2 Software needs to be controlled throughout its entire lifecycle, from the initial request to de-installation from a machine. The Lifecycle diagram below (fig. 1) outlines all of the key procedures that should be established to support and maintain a successful framework.

Figure 1

2.2 Governance Structure

2.2.1 NeGP comprises of core and support infrastructure components and at present 27 Mission Mode Projects (MMPs). In order to manage the complexities involved in the implementation of the Mission Mode Projects, expert resources in the areas of Technology, Project Management, Change Management, Cyber Security and Legal need to be available on full time basis at the individual Departments/Line Ministries of the Government of India.

2.2.2 Mission Mode Projects are owned and spearheaded by various Line Ministries/Departments. The Line Ministries/departments are solely responsible for all the decisions connected with their MMP from conceptualization, design, development, implementation to operations and maintenance phase.

2.2.3 Governance Structure depicted in Figure 2 is suggested in the Operational Guidelines¹ issued by Dept. of IT, GoI. This section describes various elements of Governance Structure which have to be leveraged for retaining the Strategic Control within the Line Ministry/Department. Further details on Governance Structure including Roles and Responsibilities are provided in Operational Guidelines. The suggested Governance Structure is mentioned below.

¹ The Guidelines are available at http://www.mit.gov.in/sites/upload_files/dit/files/Guidlines_Operational_Model_V42_231210.pdf

Figure 2: The Governance Structure as per the Government of India Operational Guidelines

Empowered Committee (EC), with Secretary of the Line Ministry as its Chairman, shall be responsible for overall guidance, for deciding policy level matters and to act as final body for approving all deliverables relating to the Programme and also take up responsibility of monitoring of implementation of Software Asset Management Guidelines.

Central Project e-Mission Team (CPeMT) is headed by a senior domain representative from the Line Ministry as the Project Mission Leader. The Central Project e-Mission Team (CPeMT) has the overall responsibility of project design, development, supervision, guidance, evaluation and monitoring of the implementation, business process re-engineering, implementation of an e-Governance project and shall be responsible for exercising Strategic Control. To effectively manage various activities of the project development and implementation, various sub-groups could be formed under CPeMT to support its activities. The two key sub-groups are Central Technical Team (CTT) and Process Advisory Committee (PAC).
• Central Technical Team (CTT): The responsibility of CTT inter alia includes providing technical leadership and ensuring Strategic Control over the project and management of all Strategic Assets. CTT shall be responsible for implementation of SAM Guidelines.
• Process Advisory Committee (PAC): PAC is responsible for providing process level inputs and functional requirements.

Head of Dedicated Project Team/Chairman of CTT to be overall responsible for SAM

The Dedicated Project Team will assist the Mission Leaders of the MMPs and other IT initiatives by providing strategic direction and leadership to ensure the projects are implemented successfully, the outcomes envisaged from the project are realized and ensure implementation of SAM Guidelines as per the details given below in Para 2.3.3.

2.3 Implementation Details

2.3.1 The implementation of SAM involves four stages:
• Initiation
• Assessment
• Prioritization
• Implementation

Initiation:
• Commitment and support of senior management
• Formulation & formalizing the SAM strategy
• Defining policies & initial procedures

Assessment:
• Manual inventory of software
• Automatic inventory using software inventory tools
• Mapping of licenses

Prioritization:
• IT strategy
• IT budget
• Usage pattern
• Legal/Regulatory considerations

Implementation:
• Implement technology
• Implement people processes
• Implement processes and procedures

2.3.2 A flowchart to practically implement the four stages:

Step 1: Implementation Plan; Assign Roles & responsibilities
Step 2: Develop / Review policies & procedures; Training & awareness programs
Step 3: Conduct an audit of software
Step 4: Develop, populate and maintain, Software Register/Software License System
Step 5: Determine and record license types & numbers
Step 6: Determine and record media types
Step 7: Conduct gap analysis on licenses
Step 8: Audit of software requirements
Step 9: Purchase, pool or uninstall software
Step 10: Review License Agreements
Ongoing review and compliance audit of software, licenses, media and processes

Figure 3

Figure 4

2.3.3 Roles and Responsibilities of Dedicated Project Team for SAM:

Establishing Organization Policies
• Establish a SAM cell within the Dedicated Project Team
• Establish software use, copyright and personal software usage policy
• Rigorously enforce the policies

Designing and Implementing Procedures
• Formalize procedures: installation, disposal and retirement of Software
• Formalize procedure for acquisition and transfer of licenses
• Formalize procedure for standardization of Software within MMP and Department
• Formalize procedure for Storage and Disaster protection
• Ensure adherence to Guidelines for Strategic Control for customized applications/software

Managing and Maintaining Records
• Software inventory management system
• Hardware Inventory management system
• License Inventory management system
• Asset documentation management system
• Management Systems for the assets of Customized software as detailed in the Strategic Control guidelines

Ongoing Management and Review
• Manage the versions and related documentation of Application Software
• Continuous monitoring for adherence with SAM policy
• Periodic review and update of procedures
• Periodic review of Inventory systems
• Continual improvement of the SAM framework

2.4 Strategic Control

Information Technology (IT) has emerged as a key driver in improving the efficiency in the Government Processes thereby facilitating higher levels of service delivery to the citizens and other stakeholders. Additionally, it is also improving the effectiveness, accountability and transparency of the Government processes. To expedite the implementation of IT projects especially in the area of e-Governance, participation of Industry both as partner and vendor has become essential. This has resulted into a significant increase in the role and responsibilities of the Industry and Private Sector in such projects. Although outsourcing to Industry has increased the bandwidth for implementation of the projects, it has also necessitated the need of retaining Strategic Control² within the Line Ministries/Departments over the project life cycle, its deliverables and outcome.

Implementation of SAM facilitates the Line Ministry/department to retain the Strategic Control within government by enabling taking over the management of all the customized software assets created under the project and also by taking over all the licensed software procured by the outsourced agency for the implementation of the project. It also further defines the four key factors i.e. People, Policies, Processes, and Infrastructure which are essential in maintaining proper controls in an outsourced project.

² Guidelines for Strategic Control in Outsourced Projects are available at http://www.mit.gov.in/sites/upload_files/dit/files/Guidelines_setting_Dedicated_Project_Teams_251110.pdf

Figure 5

The key elements of each of these components are further elaborated below:

2.4.1 People
a. Organization structure
b. Employee Contracts and non-disclosure agreements with vendor(s)
c. Background check and screening of employees (presently being done in case of Defense contracts)
d. Induction and regular training programmes to orient staff regarding Security measures.
e. Supervisory control by Departmental/Government staff.
f. Attracting and retention of the right skills: To effectively manage the outsourced activities it is important to maintain the core skills internally.
   i. One way of retaining/building skills internally, retaining interest of staff and helping to build a common culture is through rotation of staff.
   ii. Strong motivators to attract talent:
       a. Challenging work in public sector
       b. Ability to develop new skills both on the job and through trainings.
   iii. Reward and recognition programs are important.
   iv. Two different pay scales for internal and external staff are considered to be a problem. The salary differential should not be more than 30%.

2.4.2 Policies
a. Documented organization policies
b. Role-based authorities and access
c. Data classification (critical, manageable & commodity)
d. Role classification
e. Decision making controls in line with the governance model.
f. Design for proper security and controls
g. Integration of security with delivery lifecycle. Security policy should be comprehensive and should cover access privileges, encryption policies, vetting procedures (as indicated earlier), audit trails, network security etc.
h. Emphasis on approved security frameworks and policies
i. Strict penalties for non-compliance.
j. If possible divide the job region wise to multiple vendors. This will maintain competitive environment and also backup in case of any failure.

2.4.3 Processes
a. Application specific access and security controls.
b. Define core/non-core processes for management controls.
c. Comprehensive logs of all operations/transactions and regular review
d. Controls on database, network, OS etc
e. Intellectual property protection
f. Business continuity planning
g. Regulatory compliance
h. Periodic Audits

2.4.4 Infrastructure
a. Define enterprise security standards.
b. Physical security and access controls
c. Network security, firewalls, perimeter, and endpoint defenses.
d. Monitoring and compliance of security standards.
e. Detailed risk assessment.
f. Regular security audits.

2.5 Security

Security features can help prevent the theft or the unauthorized use of a system.
Security features generally available with SAM include:
• Passwords, power-on passwords, setup passwords
• Smart cards or biometrics technology for access protection
• Security locks, which can be activated remotely
• Central and remote activation and deactivation of the system, its components (diskette drive, hard disk, ports and so on) or both
• Disabling of interfaces (serial, parallel, Universal Serial Bus [USB]) locally and remotely.

3 Audit and Compliance

An audit of the agency's deployed software should be undertaken to ascertain what software is installed on its computer networks and devices. The initial audit should provide an accurate report of the quantities of software products deployed within the agency.
Once collected the key information should then be collated into a Software Asset Register (SAR) to assist in matching software in use with agency license details.

3.1 Audit
At its simplest it involves the following:
• Identification of Software Assets
• Verifying the Software Assets including licenses, usage, and rights
• Identifying gaps that may exist between what exists on the installations, and the licenses possessed, and the rights of usage
• Taking action to close any gaps
• Recording the results in a centralized location with Proof of Purchase records
• Compliance to notified standards
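
The reconciliation described in sections 3 and 3.1, shown as an added example that is not part of the original guideline: it collates discovery records into a Software Asset Register and compares installations with license entitlements. The record fields, product names, purchase-order numbers and the one-seat-per-device licensing rule are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List

# Constructed sample: discovery-tool output, one record per detected installation.
INSTALLS = [
    {"host": "pc-001", "product": "OfficeSuite"},
    {"host": "pc-002", "product": "officesuite "},   # same product, reported differently
    {"host": "pc-003", "product": "OfficeSuite"},
    {"host": "PC-001", "product": "OfficeSuite"},    # repeat scan of the same device
    {"host": "pc-001", "product": "CADTool"},
    {"host": "pc-002", "product": "FreeZipper"},     # no license record exists
    {"host": "srv-01", "product": "DBServer"},
]

# Constructed sample: entitlement records as held by procurement.
ENTITLEMENTS = [
    {"product": "OfficeSuite", "seats": 2, "proof_of_purchase": "PO-0001"},
    {"product": "CADTool", "seats": 3, "proof_of_purchase": "PO-0002"},
    {"product": "DBServer", "seats": 1, "proof_of_purchase": None},
]


@dataclass
class RegisterEntry:
    """One row of the Software Asset Register (SAR)."""
    product: str
    hosts: List[str]
    installed: int
    licensed: int
    proofs: List[str]
    status: str


def normalise(name):
    """Fold case and whitespace so one product is not counted as several."""
    return " ".join(name.lower().split())


def build_register(installs, entitlements):
    """Collate installs and entitlements into SAR rows with a compliance status.

    Assumption: every license is per device, so one host consumes one seat.
    """
    hosts = defaultdict(set)
    for rec in installs:
        # A set per product removes duplicate scans of the same device.
        hosts[normalise(rec["product"])].add(rec["host"].strip().lower())

    seats = defaultdict(int)
    proofs = defaultdict(list)
    for ent in entitlements:
        key = normalise(ent["product"])
        seats[key] += ent["seats"]
        if ent.get("proof_of_purchase"):
            proofs[key].append(ent["proof_of_purchase"])

    register = []
    for key in sorted(set(hosts) | set(seats)):
        installed = len(hosts[key]) if key in hosts else 0
        licensed = seats[key] if key in seats else 0
        if key not in seats:
            status = "UNLICENSED"        # installed with no entitlement on record
        elif installed > licensed:
            status = "UNDER_LICENSED"
        elif installed < licensed:
            status = "OVER_LICENSED"
        else:
            status = "COMPLIANT"
        register.append(RegisterEntry(key, sorted(hosts.get(key, ())), installed,
                                      licensed, list(proofs.get(key, ())), status))
    return register


def action_items(register):
    """Return (product, action) pairs for every gap the audit has to close."""
    actions = []
    for e in register:
        if e.status == "UNLICENSED":
            actions.append((e.product, f"review or uninstall on {', '.join(e.hosts)}"))
        elif e.status == "UNDER_LICENSED":
            actions.append((e.product, f"purchase {e.installed - e.licensed} or uninstall"))
        elif e.status == "OVER_LICENSED":
            actions.append((e.product, f"pool {e.licensed - e.installed} unused"))
        if e.licensed and not e.proofs:
            actions.append((e.product, "locate proof of purchase"))
    return actions


if __name__ == "__main__":
    sar = build_register(INSTALLS, ENTITLEMENTS)
    for row in sar:
        print(f"{row.product:12} installed={row.installed} licensed={row.licensed} {row.status}")
    for product, action in action_items(sar):
        print(f"ACTION {product}: {action}")
```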

3.2 Compliance
An effective SAM framework would ensure:
• Business practices are in line with applicable laws
• Adequate safeguards have been taken to cover the legal risks at appropriate software lifecycle stages (Contracting, Procurement)
• Policies and procedures are in tune with legal requirements
• Personnel are aware of the legal risks posed by unauthorized/pirated software
• Regular monitoring is done to assess compliance

Benefits of Compliance:
• Reduced risk and liability for intentional or unintentional copyright infringements
• Better software license management with reduced incidence of over or under licensing

4 Maturity of SAM Policy

The SAM Optimization Model provides a framework to evaluate the maturity of SAM processes, policies, and tools. The model maps to the ISO/IEC SAM standard 19770-1 and is based on the Infrastructure Optimization (IO) model: in order to achieve each level of IO, there needs to be in place a corresponding level of SAM optimization to support it. Ultimately, it is critical for all organizations/governments to know what IT assets (software and hardware) they own and where they exist. Without this knowledge an organization cannot effectively address challenges such as optimization, server consolidation, virtualization, information security, business continuity, and configuration management.

4.1 The corresponding levels of SAM maturity that enable overall IO maturity are shown below:

Figure 6

4.2 Key component questions which are part of the SAM Optimization Model, and designed to measure an organization's/government's overall level of SAM maturity:
1. SAM Throughout the Organization: Generally, organizations/governments that have made an effort related to SAM appear to have started with this first competency by assigning SAM roles and responsibilities throughout the organization.
   Well documented SAM policies and procedures: Organizations generally understand the need to have formally documented SAM processes to be successful in running a SAM program. Only those SAM programs that are embraced by upper management are successful.
2. SAM Self-Improvement Plan: Organizations that have enough cumulative maturity to be at the Standardized or Rationalized level overall may benefit from developing a formalized strategy and SAM improvement plan.
3. Hardware and Software Inventory: This is a key indicator of overall maturity.
4. Accuracy of Inventory: Accuracy of inventory is a good predictor of overall maturity.
5. License Entitlement Records: Some organizations/governments may have more complete entitlement records than anticipated because the license entitlement inventory is managed as a separate process (e.g. by procurement), even if IT operations processes are not implemented in a mature way.
6. Periodic Self-Evaluation: Those organizations/governments that collect and maintain inventory records for deployment and entitlement are likely to perform periodic reconciliations of such records.
7. Operations Management Records and Interfaces
   Lockdown of user PCs: If PCs in their environment are not locked down to prevent downloading unauthorized software, it can expose an organization to issues related to license non-compliance.
   Centralized Software Distribution: Lack of this could lead to installations that cannot be tracked and supported and is an indication of poor SAM practices and maturity.
8. Acquisition Process: Disconnects between the acquisition process and the deployment process are a root cause of issues when new assets are added to the operational environment.
9. Deployment Process: The key risk that most organizations face is in the interfaces between the acquisition and deployment processes. The root cause of most license compliance issues is the disconnect between IT administrators who deploy software, procurement offices, and legal contract administrators who acquire software. IT, legal, and procurement organizations may be implementing each process effectively on their own, but issues result if these key stakeholders for SAM do not have both structured and open communication processes.
10. Retirement Process: Compared with other key processes in the IT asset life cycle, retirement management is often literally left until the end and then often forgotten or ignored. Organizations/governments that have mature processes and procedures related to other aspects of the software life cycle may benefit further by implementing effective retirement processes.

5 SAM Tools

Finding the right software licensing systems and tools can be a big challenge, primarily owing to the immaturity of the software asset management tool and license management software solution market, the types of system available (either of the database (simple) or workflow database (advanced) variety), and compatibility with existing network and software/hardware infrastructure of the organization. In such a scenario, it is important to have a detailed categorization of the SAM tools available.

SAM tools concentrate on five key functions:
• inventory and asset management
• security
• system settings configuration, deployment and software updating
• fault and performance management
• integration with enterprise management tools

Various categories of tools which could be used are given in the table below (Figure 7):

Tool Category / Features Offered

Asset Inventory Tools
• Allows management of inventory of software assets and licenses
• Offers simple tools (Excel) to complex systems (GASP)

Asset Discovery Tools
• Identifies hardware and software installed in the company
• Checks software on all platforms
• Cannot work on standalone PCs
• Does not work for new applications/internally developed applications
• One server application may be used by many users, since the tool looks at application instances

Metering Tools
• Checks use of software on workstations
• Can be Passive (check usage) or Active (check licenses)
• Sends exception reports (exceeding license limits)
• Cannot be used for standalone PCs

License Management Tools
• Allows for management of license information
• Periodically determines a need for each type of software license used
• Traces the license requests with license's effective use
• Identifies unused licenses

Contract Management Tools
• Manages all the issues related to software purchase contracts and their installation
• Checks for terms of contract, their possible automatic renewal or expiry dates

Deployment Management Tools
• Monitors software during the deployment stage
• Allows installation with related authorizations

Security Tools
• Prevents the installation of unauthorized software
• Prevents changes in the released and authorized configurations

Procurement Tools
• Allows for purchase of new licenses

Vendor License Management Technology
• Uses Licensing keys
• Makes use of hardware dongles
• Allows for online license management
• Performs Software Metering

Figure 7

6 Benefits of SAM

6.1 A holistic consideration of SAM involves managing and improving all aspects of software assets across most operational and organization components of the company. This big picture view not only helps companies build a more strategic and integrated approach to software licenses; it also helps increase the number of benefits associated with effective management and their potential impact. Among those benefits:

Cost control:
• Less legal and compliance related expenses, including software audits.
• Better management of operational costs related to maintaining license compliance. For example, securing better software licensing contracts in which deployment and technical architecture are clearly outlined and understood helps companies to negotiate more favorable deals with software vendors, thereby lowering overall costs of their software procurement. Cost avoidance is achieved by rationalizing the software portfolio to reduce redundant, overlapping or no longer necessary software licenses.

Reduction of risks:
• Contractual risk: Effective SAM helps to optimize clients' negotiating position with their vendors, outsourcers and potential merger & acquisition partners. Companies armed with complete and insightful information will be better able to prevent third-party providers from inserting increased risk premiums into their offers.
• Reputational risk: Clients may face public disclosure of under-licensing, which could lead to significant adverse media coverage and penalties.
• Financial and budgetary risk: While settlements of vendor audits are normally confidential, vendor audit activity has been increasing. There have been settlements in many cases in multiples of millions of Euros per vendor for unlicensed application. A recent Gartner report indicates that more than 50% of their clients polled have been audited by at least one software vendor in the last 12 months.
• Information security risk: Inadequately licensed software introduces the possibility that clients may have deployed counterfeit and potentially unauthorized software. There is a risk that such software may include malicious code and be operating at substandard levels.

Optimization of current assets and process:
• Enables license overpayment recovery.
• Facilitates preparations for mergers and acquisitions.
• Helps make vendor audits more time and resource-efficient and delivers stronger negotiating position through better management of license related contracts.
• Helps IT leaders make better decisions through the use of better information.
• Increased confidence by both internal and external stakeholders.
• Promotes more efficient IT systems; less time and money spent toward compliance, and more into making IT a more effective and strategic contributor to overall company goals and objectives.


6.2 An often neglected but important area of SAM is Software Retirement Management. Software Retirement Management benefits include:
• Cost optimization (e.g., reuse of retired software from retired PCs)
• Accurate records (keep hardware and software inventories accurate; enable reconciliation between the financial fixed asset ledger and the actual IT environment)
• Social responsibility (many organizations/governments donate old hardware and software and help to ensure green recycling)
• Security and risk management (e.g., hard-disk wipe and other initiatives to protect customer and corporate private and confidential information)
• License compliance risk mitigation (e.g., if legacy PCs and servers are not appropriately retired, the company is required, per the license product use rights, to maintain licenses for these items)

7 Acknowledgements

1. Queensland Government, Software Asset Management (SAM) Guideline
2. Queensland Government, Best Practice Guide for Third Party Software License Management
3. KPMG, SAM: A Key to Infrastructure Optimization
4. Business Software Alliance, Guide to Software Asset Management
5. Business Software Alliance, Government Guide to Software Asset Management
6. Business Software Alliance, The Business Benefits of Software Asset Management
7. Business Software Alliance, Standards Based Software Asset Management Principles
8. Data Security Council of India, Asset Management Book
9. Government of India, Guidelines for Strategic Control in Outsourced Projects
10. Government of India, Guidelines for Setting up Dedicated Project Team
11. Government of India, NeGP Guidelines for Operational Model for Implementation of Mission Mode Projects by the Line Ministries/State Departments
12. Ernst & Young, Effective Software Asset Management: How to Reap its Benefits
13. http://www.indiatechonline.com/bsakarnatakagovernmentpartnership251.php
14. http://www.bsa.org/country/News%20and%20Events/News%20Archives/hi/2010/hi10132010ficci.aspx
15. http://www.newkerala.com/news/world/fullnews128649.html
16. http://www.iso19770.com/
17. http://www.foursquareinnovations.co.uk/software_asset_management.html

8AnnexureA:InternationalStandardonSAM

The development of the International Standard on SAM is a global project led by Swedish
StandardsInstitute(SIS).

TheInternationalStandardonSAMisuniqueasitcombinesprocessdescriptionsandsoftware
adaptations without the two parts being dependent on each other. When performing
inventories of installed software, everything is scanned and the result is often difficult to
understandduetothevolumeandcomplexityofinformationreported.Thedefinitionsinpart
two of the standard will enable identification to be simpler therefore making the inventory
processmoreefficientandeffective.

8.1 ISO 19770 Standard is the international standard on SAM. It is a two part standard,
covering:
Businessissues(ISO197701):wasdevelopedtoenableanorganizationtoprovethatit
is performing SAM to a standard sufficient to satisfy corporate governance
requirementsandensureeffectivesupportforITservicemanagementoverall.Itcovers
the processes and procedures for SAM planning, inventory control and software
lifecyclemanagement
Technical issues (ISO 197702): technical specifications and metrics (under
development)
ISGovernanceframeworkentailsSAMandisbasedonthefollowingstandards:
ISO27001InformationSecurityManagementSystem
BS15000ITservicemanagement
These standards mandate compliance with regulatory requirements for restricting copying of
softwareinorganizations.

8.2 ISO 19770 has six main sections:
• Control environment, which deals with processes, procedures, roles and responsibilities.
• Planning and implementation, which deals with resource required, reporting structure,
  measurement and verification.
• Inventory, which deals with selection and confirmation of assets, monitoring of
  existence, usage and storage.
• Verification and compliance, which deals with processes to identify and match inventory
  to licenses.
• Operations management, which deals with documentary evidence of implementation,
  and management of relationships with vendors.
• Lifecycle, which deals with software lifecycle management.


9 Annexure B: SAM Indian e-Governance Examples

9.1 Karnataka taps BSA to beef up software management in government

The Center of E-Governance of the Karnataka Government has joined hands with the India
operation of the Business Software Alliance (BSA) to bring the benefits of Software Asset
Management (SAM) to state-based Public Sector Undertakings and government departments.
SAM, an ISO ( 2006) standard, enables companies and organizations to efficiently and
effectively manage and track their software licenses as valuable company assets throughout its
life cycle of procurement, deployment, usage, maintenance and retirement, enabling cost
savings, risk management and operational efficiencies. Karnataka has already engaged with BSA
to introduce SAM to small and medium enterprises in the state and the new partnership will
help spread the culture within public undertakings engaged in key sectors including transport
and energy, explains D.S. Ravindran, CEO of Karnataka government's Centre for e-Governance.
The state has been judged number one in e-readiness among all Indian states and its total
annual spending on IT is around Rs 3 billion, Dr. Ravindran added.

9.2 BSA-FICCI WRC Recognizes SMEs on Software Asset Management Leadership in Maharashtra, supported by Government of Maharashtra

Business Software Alliance (BSA) in partnership with FICCI (Western Regional Council) awarded
the BSA Certificate of Recognition to 26 companies under the Leadership in Software Asset
Management Program as part of the Progressive Maharashtra initiative aimed towards
building sustainable competitive advantage in the state supported by the Government of
Maharashtra. The Leadership in Software Asset Management Program aimed at promoting
the value of software licenses as organizational assets, importance of IT Governance and
Intellectual Property Rights in Software, to enable small and medium enterprises in the state to
become IT competitive and mature by adopting worldwide best practices in implementing IT
policies and procedures through the ISO recognized standard of Software Asset Management
(SAM).

As part of the SAM Leadership Program, more than 500 SME companies were sent education
and awareness material on SAM and related areas. Additionally, a total of 45 SMEs across
industry sectors in Maharashtra participated in the Software Asset Management Certification
Program organized and executed by BSA, supported by FICCI (WRC), which comprised of
educational and awareness workshops and voluntary SAM review assessments for the SMEs
which came forward to evaluate their organizational maturity of their IT environments, policies
and procedures and assessment of their software licenses. Twenty-six companies were finally
awarded Certificates of Recognition for successfully fulfilling all the elements of the program.


9.3 BSA launches software asset management programme in Andhra

Hyderabad, Jan 20, 2011: After success in Karnataka and Maharashtra, Business Software
Alliance (BSA) announced the launch of its education and certification programme leadership
in Software Asset Management (SAM) in Andhra Pradesh.

To be supported by the state government, the programme is aimed at improving corporate
governance through cost cutting and improved efficiency among small and medium enterprises
(SMEs).

Keshav S. Dhakad, chair, BSA India Committee, told reporters that awareness would be created
among SMEs on the benefits of SAM, an ISO 19770:1 standard, which promotes the value of
managing software licenses as assets within companies and organizations.

"Through this programme, BSA aims to enable Andhra Pradesh to become a leading state in
promoting SAM-led strong corporate governance standards in the field of IT within the local
companies, driving cost efficiencies, better risk management and achieving high levels of IT
maturity and improve security," he said.

The participation and recognition under the programme would help SMEs control costs,
enhance productivity, network security and fulfill compliance obligations. "It would help
participating companies to enhance their brand reputation and attract international clients and
investors by showcasing their improved organization management, through the certification
under the programme," Dhakad said.

Ravi Prasada Rao, joint director, e-governance in Andhra's information and communication
technology department, said 1,000 to 1,200 SMEs in and around Hyderabad could immensely
benefit from this four-month-long certification programme.

The state government proposes to empanel SAM-certified SMEs for awarding the government
works in e-governance.
