30 July 2013

SMotW #67: No. of unlicensed software installations

Security Metric of the Week #67: number of unapproved or unlicensed software installations identified on corporate IT equipment


This is a simple compliance metric, a count of inappropriate or pirated software installations discovered on the network.  Using software to audit the network, the base data are easy enough to gather once the data collection clients are in place, although reconciling the automated findings against license records is a different matter unless the organization has a strong license management system.  That in turn requires a strong culture of compliance with corporate policies and procedures concerning the correct procurement and licensing of software and updating the license database accordingly ... which is probably one of the key goals for this metric, supporting the more obvious and direct objective to crack down on unlicensed software.


When considering the merits of this metric, ACME Enterprises Inc. was not in a particularly strong position with respect to license management and management was unconvinced about the benefits of software auditing compared to the Costs (which, for them, would have included setting up the license management system).  Hence the metric's PRAGMATIC score was not very encouraging:

P    R    A    G    M    A    T    I    C    Score
58   55   82   73   86   47   64   66   17   61%

Some of ACME's managers were a bit puzzled at first about the metric's reference to "unapproved or unlicensed". The risks associated with unlicensed or pirated software are straightforward enough.  They wondered what are the dangers of unapproved software?  And what is approval in this context, anyway?  During the short discussion that ensued, they quickly came to appreciate the issue, and decided that the metric made sense, hence the high rating for Meaning.
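The reconciliation step that makes this metric hard is easy to show in code. The following example is added here and is not part of the original post or of any product the post describes; it assumes a software inventory already collected from endpoints (host, product pairs) and a license register mapping each approved product to its purchased seat count. It computes the metric and separates the two cases the ACME managers discussed: "unapproved" (the product is not in the register at all) and "unlicensed" (the product is approved, but there are more installations than seats). All data are constructed samples.

```python
"""Reconcile a software inventory against a license register to produce
SMotW #67: the number of unapproved or unlicensed installations.
Added example with constructed data, not the original post's material."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one (host, product) row per installation found by an
# inventory agent. Hostnames and product names are invented.
INVENTORY = [
    ("ws-001", "OfficeSuite"), ("ws-002", "OfficeSuite"), ("ws-003", "OfficeSuite"),
    ("ws-001", "CadTool"), ("ws-002", "CadTool"),
    ("ws-004", "TorrentClient"),
    ("ws-005", "OfficeSuite"),
]

# Constructed sample license register: product -> seats purchased.
# Presence in the register is what counts as "approved" here (assumption);
# a product missing from it is reported as unapproved even if it was bought
# and never recorded, which is exactly why the register must be maintained.
LICENSE_REGISTER = {
    "OfficeSuite": 3,
    "CadTool": 5,
}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    reason: str  # "unapproved" or "unlicensed"


def reconcile(inventory, register):
    """Return the list of findings.

    unapproved: product absent from the license register.
    unlicensed: product approved, but this installation exceeds the seat count.
    Rows are processed in sorted order so the result is deterministic; which
    hosts get flagged as over-limit is a reporting choice, not a fact.
    """
    findings = []
    installs_seen = Counter()
    for host, product in sorted(inventory):
        if product not in register:
            findings.append(Finding(host, product, "unapproved"))
            continue
        installs_seen[product] += 1
        if installs_seen[product] > register[product]:
            findings.append(Finding(host, product, "unlicensed"))
    return findings


def metric(inventory, register):
    """The headline count plus a breakdown by reason, for the metric report."""
    findings = reconcile(inventory, register)
    by_reason = Counter(f.reason for f in findings)
    return {"total": len(findings), **by_reason}


if __name__ == "__main__":
    for f in reconcile(INVENTORY, LICENSE_REGISTER):
        print(f"{f.host:8} {f.product:15} {f.reason}")
    print(metric(INVENTORY, LICENSE_REGISTER))
```

With the sample data this reports one unapproved installation (TorrentClient on ws-004) and one unlicensed one (the fourth OfficeSuite install against three seats), so the metric value is 2. The breakdown is worth keeping in the report: a rising "unapproved" count can mean either real rogue installs or a license register that is not being updated, and those call for different responses.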
