HELPDESKPolicy
University of Glasgow
University policy on software licence management
Background
This policy aims to ensure that all software used by the University is properly licensed, and that proper records of this are kept.
An external review of software licensing, carried out by Ernst and Young,. had one fundamental recommendation and several significant recommendations. The fundamental recommendation was that a member of UMG should be allocated responsibility for ensuring compliance. In response, responsibility for policy development has been allocated to the Director of Information Services.
Partly because of concerns in this general area, the University has taken out a Microsoft (MS) Campus licence, which covers all University computers for current and recent MS operating system, some MS client access rights to MS servers, and MS Office. While this reduces the risk in that these products were the most widely used, it does not abolish risk even for Microsoft products.
Why is it important?
Computers are widespread (the University has more than 10,000) essential tools for operating the University. If we were audited, we could in the past have had great difficulty proving that we were properly licensed in many cases where this was true. This could have led to adverse publicity, as well as the possibility of legal costs, including effectively buying software we had already paid for.
Key issues
The problem is exacerbated because -
· Computers are used in very different ways (eg as servers, staff workstations, built into equipment, in student clusters, in laboratories and other shared spaces, as public access machines, etc), and these different uses have licence and record implications
· Software is licensed in many different ways (eg through site licences, floating licences, per machines licences, shareware, public domain etc) and these different licences affect the records that are required
· Software licence terms vary widely
· Responsibility for equipment including computers is highly devolved.
Who has the responsibility?
Every computer must be under the control of an individual, the asset controller. By default, the asset controller is the Head of Department, but this role may be explicitly delegated. The asset controller is responsible for complying with this policy.
For the purposes of this policy, all computers bought through research grants are treated as being owned by the University.
Every person who attaches a computer not owned by the University to the University's network is responsible for complying with University regulations and policies, including this policy.
Software licence policy
Attached below is the University's agreed policy on the loading of software and the keeping of records.
a) The University intends to comply with copyright law and any contracts it enters into in the form of software licences. All software on all computers owned by the University or attached to the University's network must be properly licensed, and all students, staff and visitors using these computers must comply with the licence terms. Copying of software contrary to licence terms is potentially software piracy and may result in disciplinary or legal action.
b) Given the powers and remedies that software companies and their representatives have available, the University must be in a position to prove its claims with regard to software licences. This means that you may only install software on a University computer if
· the specific version is public domain (or otherwise available as free software under a licence such as GPL), or
· it is site-licensed by the University for your purpose (Computing Service is required to keep a record of such licences), or
· the University owns the intellectual property of the software, or
· the software intellectual property is owned by a staff member, or by the designated user of the computer, who has agreed to it being loaded, or
· the software intellectual property is owned by a matriculated student of the University and is being loaded as part of a course of study or research, or
· it is shareware that the University has paid for, or that you plan to (and do) remove or pay for after a trial, or
· the software is licensed for that specific computer by a specific licence, for which records exist, or
· the software is licensed for that computer under some sort of floating licence, administered from a server, for which records exist.
c) You may be personally liable if you load software onto computers in contravention of this policy. You may be personally liable if you load software you have acquired with non-University funds, or have acquired other than in the proper course of University business.
d) For the avoidance of doubt, this policy applies to all computers connected to the University network, whether acquired with University funds or from research or other grants (see the Financial Handbook section 29.4.1.at http://www.gla.ac.uk/services/finance/handbook/sectionb29.htm, and the Computing Regulations at http://www.gla.ac.uk/services/computing/regulations/regulations.shtml).
e) Records must be kept linking software licences to the computers on which the software is used. Records of transfer or deletion of licensed software must also be kept. The asset controller should retain transfer or deletion records for at least 2 years.
f) The records referred to above should take the form of entries in a software asset register. The software asset register should be kept up to date at departmental level. Heads of Departments are responsible for returning the software asset register with their hardware asset register on an annual basis the Computing Service. Records must be produced as required or authorised by the Director of Information Services or his or her representative, or by Internal Audit.
g) Recognising the scale of effort needed to bring this policy into effect; records for existing machines will initially be voluntary. Records are mandatory for
· all new machines
· any machine on which significant new software is loaded
· all machines re-configured as required after a change of use (see computer disposal policy)
· all servers.
This will see all computers covered within a period of 4-5 years. Once records are required for a computer, they must be kept up to date. This phasing in of records does not indicate any relaxation of the requirement for valid licences for all computers. This timescale may require to be shortened at a later date.
h) The Director of the Computing Service shall produce and keep up to date recommendations on how to achieve this, minimising effort for asset controllers. For example, the components of the current version of Standard Staff Desktop could be listed as one composite item, with a pre-primed asset register form provided on installation.
Guidelines should be provided for filling in software asset registers in relation to software that comes as part of the operating system, or other applications installed under licence, or as drivers for hardware devices, or down-loaded (eg Netscape, Acrobat etc).
Chris Rusbridge
7 January 2004