Software Tracking Policy

Version: 1.00
Issue Date: 12/16/2014

This Software Tracking Policy is supplemental to the Asset Control Policy and part of it may be incorporated into that policy. This Software Tracking Policy is meant to ensure that software in use is tracked for purposes of licensing and making it available when needed for installations. In addition, this policy should be used for tracking changes to software being developed by the organization in conjunction with the Change Management Policy.

1.0 Overview

This Software Tracking Policy defines responsibilities, requirements, and methods to ensure software is stored properly, made available to authorized personnel for authorized use, and that licensing is sufficient and legal.

2.0 Purpose

The purpose of this Software Tracking Policy is to ensure software is properly licensed and to make it available when needed for authorized use.

3.0 Scope

This Software Tracking Policy covers all software operated by the organization and developed by the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Commercial Software - Also known as proprietary software, it is normally accompanied by a licensing agreement which is the terms of use for the software required by the manufacturer.
  • Shareware - Freely distributed software which can be used for a trial period after which the user is expected to make payment or meet terms of the license if they continue its use.
  • Freeware - Software which does not require payment but some terms of use may exist such as Open Source licensing.
  • Copyright - A legal protection against reproduction of created work without permission from the creator.
  • Software License Agreement - A legal contract between a software application creator or manufacturer and the software user.

5.0 Library System

A library system for tracking software shall be created and set up to be easily managed. It may be part of the asset tracking system. The system will track the following:

  • Software name, version, manufacturer name and contact information, vendor name and contact information, date of purchase, purchase price, and number of licenses.
  • Location of the CD, media, and/or manuals that the software is on, whether it is checked out and to whom, when it was checked out and when it was returned.
  • The number of licenses required.
  • If the software is created by the organization or by a contractor for the organization this system shall be used to track contacts who are the creators of the software and each version number.
  • Software that is no longer used may be noted to be archived in the system and after some set period of time disposed of and noted in the tracking database.

The IT department head must delegate the responsibility to a "software librarian" to ensure the library tracking system is maintained and the materials are properly checked out and checked back in. It is the responsibility of the person checking out software to return the materials within the time specified when it was checked out.

6.0 Software Auditing

The software librarian and/or designated staff must periodically audit systems (at least once per year) to be sure that unauthorized software is not running on them and that licensing is up to date. Auditing may be done through the network but some auditing should be done in person at randomly chosen systems.

7.0 Software Change Management

Software change management should be part of the System Development Life Cycle (SDLC) and the Change Management Policy. Software changes to software being developed in house must be tracked. The software tracking library system may be used to track software changes or another system may be used. Someone must be delegated by the IT department head to ensure software changes are tracked in the change management system.

Software from outside or developed inside the organization must be installed by authorized and qualified personnel. The software inventory database must be updated when software is purchased or installed.

7.1 Software Environments

The software change management system must track the environment that the specified software is certified for. Various versions are certified for one or more of a test environment, a QA environment, and a production environment of services.

The software library system shall store the creation and modification dates of software including the version number. It shall provide the ability to review who made changes to the software and to the entries in the library system.

The test environment shall be used by developers only. The QA environment shall be used by the customer requesting software development combined with the developers. The production environment shall be used by the end users and shall not be used for testing or QA testing.

Logical access controls shall be put in place to prevent unauthorized changes to the production environment by developers or other unauthorized parties. Duties shall be separated so that the developers do not put the code on production servers; that duty shall be assigned to server team members. The developers shall be able to update code on the test environments, and the business owner or other unauthorized parties shall not.

8.0 Enforcement

Since proper tracking of software and software change management is important for the ability of the organization to function, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

9.0 Other Policies

  • Asset Control Policy
  • Development Life Cycle Policy
  • Change Management Policy

10.0 Other Requirements

  • A software tracking database must be created. It is up to the head of the IT department to delegate that responsibility.
  • A software checkout procedure must be developed by the software librarian.
  • A procedure for promoting code from a test environment to QA environment, then to a production environment must be created.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________