Sandi recommends that you take these 15 steps in turn, or engage a qualified SAM consultant to help you.
1. Collect and review all software acquisition records.
2. Collect and review all software license agreements.
3. Select a process or tool for the internal software review.
4. Decide whether employees will be notified in advance. If employees are to be notified in advance, send an explanatory memorandum. If employees are not notified in advance, be respectful of employee property. It is always possible that you may find a program that does not belong to the company, but is an employee’s legitimate property. Do not erase any software without first consulting the employee on whose PC the program is found.
5. Determine who should be involved in the review. Suggestions: MIS Director, Senior Management/Staff Legal Counsel, Department Heads, Outside Legal Counsel/Auditor.
6. Conduct the review. If using a software discovery tool, skip to step 8.
7. If manually checking machines, follow these procedures: Locate all personal computers, including portable computers. If the facility is large, mark locations on a floor plan. When a PC is not accessible, make a note to search the hard disk at a later time. Print a list of directories for each hard disk, determining if and how software can be downloaded onto a hard disk from your local area networks. It may be necessary to search several drives (e.g., C, D, E and F) and the subdirectories of each drive. Searching the directory on a Macintosh system may involve opening folders within other folders to find all applications. Programs will generally be identified using abbreviations like WP for WordPerfect, 123 for Lotus 1-2-3, SK for Sidekick, WS for WordStar, etc. Take an inventory of floppy disks and available documentation if software is not stored on hard disks.
8. Compare software found on hard disks with acquisition records. Alternatively, locate authorized disks and/or documentation for each software program listed on a hard disk.
9. Review organizational policies on the use of software on home computers.
10. Consult employees who are using software programs for which there are no records or disks. (An employee may be using his or her own purchased software on the office computer. If so, the employee should be required to demonstrate that the software is legitimate and not pirated. Ideally this software should be removed or purchased by your organization.)
11. Destroy any unauthorized copies of software and keep a record of the work. List personnel who need to be supplied with legitimate software.
12. Publish a corporate policy on software use, and request employee sign-off.
13. Document the list of standardized software, based on an evaluation of the software installed, and tell helpdesk personnel which software they are required to support.
14. Document processes for storage of media, documentation and proof of license.
15. Document products and processes for data storage, disaster recovery planning and testing, and security against hackers, viruses, spam and spyware.
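To make steps 7, 8, 10 and 11 concrete, here is a small reconciliation script. It is an added example and not part of Sandi's post: the directory listings, the abbreviation table (WP, 123, SK, WS, as mentioned in step 7) and the acquisition records are all constructed sample data, and the product and machine names are assumptions. It turns per-PC directory listings into an inventory, compares that inventory with the seats you have records for, and reports three things a reviewer wants: products installed with no acquisition record at all (the employees to consult under step 10), products installed on more machines than seats were bought for, and purchased seats that no machine is using.

```python
"""Reconcile a manual software inventory against acquisition records.

Added example, not from the original post. All data below is constructed;
in a real review the listings come from the directory printouts of step 7
(or from a discovery tool) and the seat counts from the records of step 1.
"""
from collections import Counter, defaultdict

# Abbreviated directory names and the products they usually indicate (step 7).
DIRECTORY_ALIASES = {
    "WP": "WordPerfect",
    "123": "Lotus 1-2-3",
    "SK": "Sidekick",
    "WS": "WordStar",
}

# Constructed sample: top-level directories found on each PC, keyed by
# (machine, user). Assumed names, not real machines.
DIRECTORY_LISTINGS = {
    ("PC-01", "alice"): ["WP", "123"],
    ("PC-02", "bob"): ["WP", "SK"],
    ("PC-03", "carol"): ["WP", "WS", "PHOTOS"],
    ("PC-04", "dave"): ["123", "SK"],
}

# Constructed sample: acquisition records, product -> number of seats bought.
ACQUISITIONS = {
    "WordPerfect": 2,
    "Lotus 1-2-3": 2,
    "WordStar": 3,
}


def identify(dirnames, aliases=DIRECTORY_ALIASES):
    """Map directory names to product names.

    Returns (products, unknown): unknown directories are not assumed to be
    licensed software, they are listed so a person can check them.
    """
    products, unknown = [], []
    for name in dirnames:
        product = aliases.get(name.upper())
        if product is None:
            unknown.append(name)
        else:
            products.append(product)
    return products, unknown


def build_inventory(listings, aliases=DIRECTORY_ALIASES):
    """Turn per-PC directory listings into (machine, user, product) rows."""
    inventory, unknown_by_pc = [], {}
    for (machine, user), dirs in listings.items():
        products, unknown = identify(dirs, aliases)
        inventory.extend((machine, user, p) for p in products)
        if unknown:
            unknown_by_pc[(machine, user)] = unknown
    return inventory, unknown_by_pc


def reconcile(inventory, acquisitions):
    """Compare installed software with acquisition records (step 8)."""
    installs = Counter(product for _, _, product in inventory)
    where = defaultdict(list)
    for machine, user, product in inventory:
        where[product].append((machine, user))

    report = {
        "unlicensed": {},     # installed, but no acquisition record (steps 10/11)
        "over_deployed": {},  # installed on more PCs than seats bought
        "spare_seats": {},    # seats bought but not found installed
    }
    for product, count in installs.items():
        seats = acquisitions.get(product)
        if seats is None:
            report["unlicensed"][product] = where[product]
        elif count > seats:
            report["over_deployed"][product] = count - seats
    for product, seats in acquisitions.items():
        if installs[product] < seats:
            report["spare_seats"][product] = seats - installs[product]
    return report


if __name__ == "__main__":
    inventory, unknown = build_inventory(DIRECTORY_LISTINGS)
    for pc, dirs in unknown.items():
        print(f"{pc}: check manually: {dirs}")
    for section, rows in reconcile(inventory, ACQUISITIONS).items():
        print(f"{section}: {rows}")
```

The unknown-directory list is deliberately kept separate from the unlicensed list: a directory the table cannot name may be an employee's own property (step 4), so it goes to a person rather than being treated as a finding. Over-deployed counts only tell you how many copies exceed the records; which machine keeps its copy is a decision for step 11 once the authorized disks and documentation have been matched up.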
Has Sandi missed any points? What else would you recommend? Please use our comments facility below to add your feedback.