Note: The identity of the company featured in this customer snapshot has been concealed to protect the non-compliant.
Part 1: Sorting Out a Software Compliance Tangle
Searching for software purchasing records, an IT manager at a well-established health insurance provider found herself face to face with a compliance nightmare of colossal proportions. What began as a filing exercise became a scavenger hunt where all the clues added up to potentially huge license violation penalties from multiple software vendors.
With multiple offices supporting over 1,800 desktops, 250 servers and close to 200 IT staff, the healthcare insurance provider contracts its IT services to government organizations and services as well as a private client base of individuals and companies. Its computing environment is necessarily diverse in order to support its broad operational mission and wide geographic presence, but the vastness of its infrastructure created fertile ground for software license challenges.
Software asset management had previously been overlooked in favor of other priorities. A standard desktop image existed but was not enforced. Requests for new software were approved without question. There was no system in place to validate what was currently installed on workstations or to vet those applications for compatibility with security policies or the network environment. Manual software compliance audits were conducted occasionally but were not performed frequently enough to keep pace with the ever-changing desktops.
Among the muddle of software documentation and unpleasant surprises, there was one golden nugget: an unused copy of Express Software Manager license compliance software. It was a simple matter for the IT manager to upgrade to the latest version of the product and begin collecting data on the inventory and usage of the company’s software assets.
Unfortunately, what it revealed would have made even the most stalwart asset manager panic: a host of unlicensed software, unused licenses with hefty ongoing maintenance fees, and programs that violated corporate security policies. Beyond standard license compliance obligations, healthcare organizations are bound by stringent privacy and security regulations regarding individual data.
The insurer’s open-desktop policy provided flexibility for the software development team, but it inevitably led to the presence and use of software that posed a risk to the sensitive data housed on the network. For example, an English-French translation program required that the application under development be uploaded to a web site where the translation took place. This “tunnel” created a potential security breach through which health information could be inadvertently transmitted, a risk that violated not only corporate policy but also regulatory security mandates.
Multiple boundaries had been crossed, and the situation required immediate attention if the organization was to avoid regulatory sanctions more severe than any software vendor penalties. Given the magnitude of the risks, the healthcare insurance company set about righting the ship by establishing a well-thought-out software asset management program, with Express Software Manager at its core.
Our next post discusses how the situation was turned around.