Discussion paper
Software auditing consists of the following processes:
- Reviewing a workstation's current software resources - local and remote
- Reconciling what is found with the record of known resources
- Resolving any discrepancies between these two processes
Once achieved, there remains the problem of retaining the audited state, taking into account the inevitable additions, upgrades and deletions over time.
Reviewing a workstation's software resources
Nowadays this will usually be done using an auditing tool for local software. Who does the work? Probably local IT Support Units.
Issues:
Software auditing tool - Campus recommendation? Campus licence?
Filter files to reduce output - Should a central filter file be created/maintained by CS?
Non-networked machines? Integration into SSD?
Reconciling what is found with the record of known resources
The Working Group on Software Licence Policy has suggested a double stranded approach:
- New machines
All new machines should be fully audited and documented as they arrive.
- Existing machines
(i) Software should be grouped into risk categories - the risk being that associated with a piece of software in a given category being identified as incorrectly licensed, fallout from detection, and consequential cost of rectifying the licensing shortfall.
(ii) Starting with the highest risk the faculty gradually works its way down the list, with the assessment of risk being officially reported to senior faculty management.
Issues - new machines
Local procedures will be required to ensure that auditing happens to all new machines. Probably carried out by the local support team. What happens when a machine goes out to a lab or office? The first thing the users do is load additional software. How is this to be dealt with? Who is responsible?
Issues - existing machines
For a faculty/department of any size this is likely to be a large/difficult task if an auditing process is not already in place. The work is largely administrative and in most cases would place a heavy, perhaps insupportable, extra burden on local IT Support Units. How is this difficulty to be addressed? Additional administrators?
Resolving any discrepancies between these two processes
Either money has to be found to re-license software for which licences cannot be identified, or unlicensed software has to be removed, possibly causing problems with teaching and/or research.
Issues: Who does the work? Who bears the responsibility of ensuring that the job is done properly? Budget controllers/Heads of Departments/Deans?
Retaining the audited state
Internal Audit will require a yearly assurance that the audited state has been retained, that agreed procedures are monitored, and reserves the right to carry out random audits.
Issues: How is this to be achieved? Incremental audits? Each year? This begins to sound like a job in its own right. Not something to be dumped on already hard-pressed IT Teams.
Iain Logan - Glasgow University 1st March 2004