In the IT world, we tend to view end users as an occupational hazard—a perilous yet inescapable part of our jobs. After all, it seems employees will install just about any application they can get their hands on without regard for the potential licensing implications, compatibility issues, security holes, or bandwidth consumption.But who can blame them? They’re trying to do their jobs just like we all are, but without the benefit (or curse) of understanding the potential implications of their actions.
What we rarely acknowledge is that the onus is on IT leaders to ensure workers have the information they need—and are held accountable—to make good decisions. It all begins with a clearly articulated and effectively communicated software usage policy that educates end users about the importance of complying with a set of basic standards. Such a policy shouldn’t be long and infused with technical mumbo jumbo. In fact, the shorter and more straightforward the guidelines, the greater likelihood it will be read, understood, and, most importantly, adhered to. Not only can a properly developed software usage policy serve to curb risky behavior, but it will also generate goodwill among software publishers when and if they decide to audit you. If a vendor sees your organization making a conscientious effort to prevent the use of unlicensed software, they’re more likely to treat you as a partner rather than a criminal throughout the software audit process.
The nature of your software usage policy will (and should) depend on your organization’s size, geographic dispersion, and diversity of your software estate, as well as the sophistication of your end users and their technology needs. If you run the IT department of a small community college, for example, you may wish to prohibit anyone but the IT staff from purchasing or installing software on school-maintained systems. On the other hand, if you work for a technology company with software developers that rely on a variety of commercial and open source solutions to do their jobs, you may need to build more latitude into your usage policy.
As you develop your software usage policy, here are some points to consider covering:
1) Purpose of a software usage policy
Explain why a software usage policy is important from legal, security, and IT management perspectives.
2) Software purchasing guidelines
If all purchasing must be done through IT or finance, clearly articulate the process for requesting software. If employees are allowed to purchase software for business use, be sure to cover the following, if applicable:
- Are there situations in which purchases require approval, for example:
- Certain types of applications?
- Purchases exceeding a certain cost?
- Is there a list of authorized vendors?
- Is there a “black list” of applications, for example:
- Software that’s incompatible with other applications or systems
- Non-work related software
- How should purchases be documented?
3) Software installation guidelines
Communicate to employees that interpreting software contracts can be both difficult and risky, and urge them to seek clarification rather than make assumptions about what’s permitted under the terms of a license agreement. In order to protect your company, you may wish to require authorization or altogether prohibit certain activities. For example:
- Should employees be allowed to:
- Install commercial software?
- Install freeware or shareware? If so, are there any limitations?
- Uninstall software? If so, how should this be documented?
- Should employees be required to obtain authorization in order to:
- Transfer or copy software to another machine?
- Load company licenses onto a home machine?
(Note: The above two situations are prone to misinterpretation and require a clear understanding of the licensing agreement.)
4) Policy enforcement
Explain how you plan to enforce the software usage policy and, if appropriate, detail the consequences for non-adherence.
- Do you plan to monitor usage? (If so, it’s best to disclose this.)
- What happens if employees fail to comply?
- Will there be disciplinary action?
- What are the potential repercussions to the company?
In the end, your ability to effectively manage your software assets depends not just on the processes and technology you have in place to manage what’s installed and being used in your environment, but also on your ability to establish, communicate, and enforce a strong and comprehensible software usage policy. In fact, it should be a cornerstone of every organization’s IT asset management strategy. Not only will it make your network more secure, stable, and compliant, but it will make your job a heck of a lot easier.