Software management and legal issues

Introduction

In this electronic age software can have a direct effect on business success or failure. Increasingly, software plays a central role in most organisations, as a valuable category of corporate asset that contributes greatly to the operation of the organisation and the achievement of its corporate objectives. As government organisations are highly dependent on software, it is critically important to ensure that the business has the correct software installed. This software must be:

  • Fully supportive of business operations
  • Both genuine (not counterfeit or otherwise illegal) and properly licensed
  • Managed effectively
  • Suitably protected against misuse and damage
  • Purchased on a value for money basis and in accordance with public procurement law.

Purpose of this Guidance

Although valuable, software can be costly in terms of both financial outlay and resource requirements for acquisition, installation, support and usage. The portfolio of software, and its constituent individual items, therefore needs to be managed throughout its lifecycle, to ensure that all are used effectively, efficiently, economically and at low risk.

This guidance provides an overview of good practice in software management, examining some of the business and legal issues surrounding software ownership, licensing and use. It identifies areas requiring care and suggests possible ways of providing that care.

This guidance is not intended as a substitute for project specific legal advice, which should always be sought where required.

Audience

This guidance is targeted at senior procurement personnel and those performing the 'IT intelligent customer' function. It provides guidance on what is required to ensure that their organisations' software is properly managed and that the issues below are fully addressed.

Issues of ownership and use

Senior procurement professionals and other relevant members of staff should:

  • Ensure that senior management are aware of the organisation's software requirements and that only software meeting these requirements is purchased.
  • Implement processes, procedures and standards for the acquisition and use of software to ensure that all software in use complies with applicable laws and licences, including a means of verification and enforcement of compliance.

Accountability

Responsibility must be allocated, at a senior level within the organisation, to implement the corporate policies, processes, procedures and standards that will ensure value for money and low risk throughout the lifecycle of all software. This responsibility may fit within a variety of management areas (e.g. general, procurement, IT asset, security or employment management). However, adherence to these corporate policies, processes, etc., is the responsibility of all members of staff, and ensuring compliance is the responsibility of all line managers.

Acquisition

In order to carry out its mission, each organisation requires the appropriate range of software that meets its requirements in terms of functionality, ease of use, security, stability and integrity. This is equally applicable to the two main types of software, systems software and business applications. It is particularly important that any software to support business functions matches the researched, agreed and documented requirements.

Software may be provided by means of existing service contracts or procured through separate contracts. In either instance the software may be either a commercial off-the-shelf (COTS) package or bespoke software, which may be built in-house or production contracted to another organisation. In all instances the software must be correctly licensed.

It is also essential to ensure that the effort and costs of acquisition, licensing, maintenance and support of individual products are commensurate with their level of usage and the business benefit they deliver.

In addition, as a government department or agency, it must be ensured that the acquisition process complies with all relevant laws, directives and obligations.

Standardisation

Many organisations limit the variety of software available for use by staff, especially within the most common types:

  • Operating System
  • Word Processor
  • e-mail
  • Spreadsheet
  • Database
  • Web Browser
  • Document Distribution/Portable Document Viewer

This enables the rationalisation of training, maintenance and support, as well as simplifying the integration, sharing and transfer of data. This can increase availability of data and may guard against its loss, especially where members of staff move around or leave the organisation.

There are similar corporate benefits to be gained by limiting the authorised range of less common software to specific items on approved lists. This must be balanced however, against meeting future business and user requirements, where there may be a need for additional specialised software, which should be justified on a case-by-case basis. This balance can only be struck by there being an awareness of what is being used, who is using it and for what purpose.

A policy for software purchase should set out:

  • Personnel authorised to purchase.
  • The purchasing process.
  • Measures to ensure all software acquired is properly licensed.
  • Evaluation process for exceptions to the standard purchasing process.

A similar policy regarding software installation should also be set and supported by processes and procedures to ensure that the policy is followed. It is also necessary to ensure that levels of authorisation are clear.

Support and Maintenance

Most software, after acquisition, requires a degree of support and maintenance and users may need a source of information on the functionality and complexities of some items. To ensure that software continues to meet the requirements, first-line support is required. This is most often provided by an external IT Service Desk, but can be supported in-house. More detailed technical support may also be required and this may be provided externally via a support and maintenance contract or internally from appropriately trained personnel.

Support and Maintenance contracts often include details on software upgrades and are specific about the versions of software that are supported. Informed decisions should be made on the scale of distribution and timing of upgrades, as well as the implementation of new versions and releases of software. External support and maintenance agreements may contractually limit the choice available.

Risk Management

There are several risks inherent in the use of software, including:

  • Failure to meet business requirements
  • Disruption to work
  • Unavailability of, unauthorised access to or damage to corporate data
  • Legal action or loss of reputation due to unauthorised use of items of software.

The risks are greater should the following circumstances apply:

  • Software requirements are not fully defined
  • Ad hoc buying is allowed
  • The producer or supplier of the software does not have a proven history of successful delivery
  • The software is not tried and tested
  • The software is not managed as an asset
  • Ongoing support is not available.

The probability of these risks occurring can be reduced by the use of defined processes and procedures including:

  • identification of requirements
  • acquisition process
  • installation procedure for software, including testing
  • support and usage monitoring of software once installed.

The use of processes and procedures can mitigate the severity of impact should the risks materialise. However the processes and procedures must be comprehensive and cover, where appropriate, the following:

  • All software is genuine and fully licensed, i.e. not counterfeit or an unauthorised copy.
  • All software is acquired from a reputable source that will guarantee that the software is genuine and properly licensed.
  • The software has been produced in an environment where it and its media have been protected from corruption.
  • Each item of software has a level of robustness and integrity appropriate to its use and the type of data to be produced or accessed.
  • Upgrades and maintenance ensure the continued stability and integrity of software.
  • No items of software pose unacceptable risks to the operating environment or corporate data.
  • Security controls explicitly protect the operating environment and corporate data from interference.
  • All software usage is authorised.
  • Software is only used within the terms of the agreements that authorise its use.
  • The number of users does not exceed the terms of the licence.
  • Software is stored appropriately.

The design of some software may circumvent security controls or be open to virus introduction. This risk increases with uncontrolled proliferation in the variety of software but can be minimised by proper management procedures. All software must be capable of being managed by existing corporate policies and controlled by the processes and procedures implemented within the organisation.

Asset Register

Information on software should be recorded in one or more asset registers depending on the organisational structure, requirements, authority and accounting levels. Software assets can be held on a separate register or as part of an IT asset register or general asset register. Where several registers are used it is useful if they utilise similar formats to facilitate co-ordination of information or its transfer during any reorganisation.

Registered information on software should include or point to details held elsewhere on:

  • name / description of the software
  • supplier invoice / contract details
  • date of purchase
  • any identifiers, including licence or serial numbers
  • details of licencing agreements and terms, including licence duration
  • version(s) in use
  • whereabouts of distribution media
  • whereabouts of documentation including manuals
  • staff with authorised use
  • equipment on which copies are loaded - including location if fixed
  • configuration details

Where appropriate, items of information should be cross-referenced to any licence serial numbers.

The register should provide a continuous, comprehensive, up-to-date picture of the distribution and use of the software, within the organisation. This will assist in ensuring and demonstrating compliance with all licences and agreements.

Control points

The management of processes and standards should be exercised at certain points in the software lifecycle. Below are some of the issues to be addressed during procurement, installation, documentation, upgrade, monitoring, change management, disposal and audit.

Installation

Limits should be set on the ability of staff to install software to:

  • help in the protection of networks and systems against viruses
  • ensure that all products are properly installed
  • enable licence allocation to be properly documented and controlled.

There are mechanisms for blocking software installation by anyone without appropriate privileges, but these should be used with care as they can prevent necessary legitimate actions such as the installation of trial versions or printer drivers on mobile computers off-site.

Where equipment with pre-installed software is purchased, proof of authority, documentation and monitoring are required to the same degree as that required for direct software purchases.

If installation of software is required on both home and work PCs, then the authority and licence terms and conditions under which this can be done need to be established. Steps must be taken to ensure that all installations:

  • conform to the terms of the licence
  • are documented
  • have their use monitored

Members of staff producing work at home, on their own hardware and software, must also comply with relevant licence requirements.

Software called "freeware" or "shareware" is available, free of charge for limited use, via downloads from the Internet. However, there are other software downloads available on the Internet which require users to be licensed. It is crucial that software is only downloaded from reputable sources and that it is only used within the terms specified by the owner.

In all circumstances a member of staff must not download or otherwise install software onto PCs belonging to the organisation (whether used at work, off-site or at home, and whether in the course of employment or otherwise) without the approval of the appropriate authorising person within that organisation.

Documentation

Information must be documented in the appropriate Asset Register regarding all software acquired or used throughout the organisation. This should include details of licences, software, manuals and media, including proof of purchase, holders, users, locations and scope.

Upgrades

Where several versions of software exist, most suppliers will have policies on the versions they will support and which can continue to be used. It is important to be clear on these policies so that appropriate decisions can be made on whether to and when to upgrade in order to ensure optimum use of the software while maintaining necessary stability and support.

When new versions of products or upgrades are implemented they should be accompanied by new documentation and media. Older versions may continue to be used for a limited period but it may be necessary to ensure that they are deleted and that media and manuals are destroyed or put out of use once the new version has been satisfactorily installed. In most cases, software publishers only allow upgrades to be made if a computer or system has an original licensed version of the older software. Careful attention must be paid to such requirements.

Monitoring

Monitoring the use of software, especially on the network, will provide an outline of what is in use and where in the organisation. This will enable decisions on any further standardisation required and indicate whether installation standards are working.

Software being installed and used should be monitored against purchases and licences to ensure that each licence paid for is being used and each use is appropriately licensed. This information can be utilised to ensure efficient and legitimate use of the software.

The level and type of measures required in monitoring may depend on the nature and terms of the licences. It is important to identify areas, functions or individuals within the organisation where licences are being over- or under-used.

Measuring usage against various licence models poses a variety of challenges according to the terms of the licences. A particular problem may arise in the case of software licences that allow a given number of concurrent users. Such software may contain mechanisms to prevent overuse or warn that this is imminent. If this is not the case and the department does not have appropriate monitoring mechanisms to check concurrent usage, then there is a danger of overuse or of precautionary over-licensing.

Change Management

Organisational changes to a department, the vendor or licensing authority may affect the ability to continue to legitimately use software, and actions may be required to ensure continued legal use.

Changes within a department may also affect the requirements for software, licences and the quantities required.

Software may need to be changed to meet a changing business requirement. Recognised change management disciplines such as those documented in the OGC IT Infrastructure Library should be used.

Disposal

When equipment is being replaced or disposed of, clear decisions need to be made on the disposal of any installed software. Unless authorisation to transfer software and licences can be demonstrated and documented, it may prove safer to purge software from equipment on disposal. Records should be maintained showing what has been removed or included with the equipment.

It is necessary to be clear regarding rights and obligations in the event of a software agreement termination and the authority to transfer software.

Audit

Audits should be performed at least annually, preferably without notice, in order to verify the software in use (whether on the network or on free-standing computer equipment) against the asset registers. There are tools that allow equipment to be scanned and also record the software present (in some cases remotely from the network). Not only will the audit detect any unlicensed software, it will assist in identifying under- or over-usage of licensed software. Unless mechanisms are available to monitor usage, any information on whether software is being used will be dependent on interviews or questionnaires. The results of the audits should be used to correct any licensing discrepancies or rationalise allocation of existing licences.
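The reconciliation that the Monitoring and Audit sections describe (installed software checked against the asset register, with separate handling for per-installation and concurrent-user licence models) can be expressed directly in code. The following is an added example, not part of the original guidance and not the output of any particular audit tool: the register entries, the scan results and the session log are all constructed for illustration, and the product names, host names and user names are placeholders. It reports unlicensed installations (present in the scan, absent from the register), over-deployment of per-installation licences, unused per-installation licences, and, for a concurrent-user licence, the peak number of simultaneous sessions compared with the licensed limit.

```python
"""Licence compliance reconciliation: asset register vs. audit scan.

Added example; all data below is constructed and not from any real audit.
"""
from collections import defaultdict
from datetime import datetime

# Constructed asset register. "model" is either
#   "per_install": one licence is consumed per installed copy, or
#   "concurrent":  any number of copies, but a cap on simultaneous users.
REGISTER = {
    "WordPro 9":   {"model": "per_install", "licences": 3},
    "SheetCalc 4": {"model": "per_install", "licences": 5},
    "CADSuite 2":  {"model": "concurrent",  "licences": 2},
}

# Constructed scan output: (hostname, product) pairs found installed.
SCAN = [
    ("ws-01", "WordPro 9"), ("ws-02", "WordPro 9"), ("ws-03", "WordPro 9"),
    ("ws-04", "WordPro 9"),                               # 4th copy, 3 licensed
    ("ws-01", "SheetCalc 4"), ("ws-02", "SheetCalc 4"),   # 2 installed, 5 licensed
    ("ws-05", "PhotoFix 1"),                              # not in the register
    ("ws-01", "CADSuite 2"), ("ws-02", "CADSuite 2"), ("ws-03", "CADSuite 2"),
]

# Constructed session log for the concurrent-user product:
# (user, session start, session end) as ISO 8601 timestamps.
SESSIONS = [
    ("alice", "2024-03-01T09:00", "2024-03-01T12:00"),
    ("bob",   "2024-03-01T10:00", "2024-03-01T11:00"),
    ("carol", "2024-03-01T10:30", "2024-03-01T13:00"),  # three users 10:30-11:00
    ("dave",  "2024-03-01T14:00", "2024-03-01T15:00"),
]


def reconcile_installs(register, scan):
    """Compare scanned installations with the register.

    Returns a dict of findings. Concurrent-user products are not judged on
    installation count, since their limit applies to simultaneous use.
    """
    installed = defaultdict(set)
    for host, product in scan:
        installed[product].add(host)

    findings = {"unlicensed": [], "over_deployed": [], "under_used": []}
    for product, hosts in installed.items():
        entry = register.get(product)
        if entry is None:
            findings["unlicensed"].append((product, sorted(hosts)))
        elif entry["model"] == "per_install" and len(hosts) > entry["licences"]:
            findings["over_deployed"].append((product, len(hosts), entry["licences"]))
    for product, entry in register.items():
        count = len(installed.get(product, ()))
        if entry["model"] == "per_install" and count < entry["licences"]:
            findings["under_used"].append((product, count, entry["licences"]))
    return findings


def peak_concurrency(sessions):
    """Sweep-line count of simultaneous sessions.

    Each start is a +1 event and each end a -1 event; at the same instant the
    -1 is processed first, so a session ending exactly when another starts
    does not count as an overlap. Returns (peak, time_of_peak).
    """
    events = []
    for _, start, end in sessions:
        events.append((datetime.fromisoformat(start), +1))
        events.append((datetime.fromisoformat(end), -1))
    events.sort(key=lambda e: (e[0], e[1]))

    current = peak = 0
    peak_at = None
    for when, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, when
    return peak, peak_at


def check_concurrent(register, product, sessions):
    """Compare peak simultaneous use with the concurrent-user licence limit."""
    limit = register[product]["licences"]
    peak, when = peak_concurrency(sessions)
    return {"limit": limit, "peak": peak, "peak_at": when, "breached": peak > limit}


if __name__ == "__main__":
    for kind, items in reconcile_installs(REGISTER, SCAN).items():
        print(f"{kind}: {items}")
    print("CADSuite 2 concurrency:", check_concurrent(REGISTER, "CADSuite 2", SESSIONS))
```

A real audit would take the scan list from an inventory tool and the session log from the application or its licence server; the reconciliation logic stays the same. Note that a concurrent-user product can legitimately be installed on more machines than it has licences, which is why the install reconciliation skips that model and the session sweep is needed instead.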

Procurement

The purchase of software, whether by licence or otherwise, when the cost is greater than a specified minimum threshold value and the purchase is made by a public sector contracting authority, as so defined, will need to comply with the procurement Regulations and with general principles of EU law. The Regulations set out detailed rules to be followed when conducting a procurement, while general EU law requires that, throughout, your procurement must be transparent and ensure equality of treatment for suppliers competing for your contract. In addition to compliance with the public procurement regime, your organisation must also ensure that the procurement is guided by the need to ensure value for money.

You should be aware that the terms of your initial procurement of software may determine how you may purchase software in the future. Thus, it may be that an upgrade to software procured will be regarded as a fresh procurement (and therefore subject to the procurement Regulations) and it may also be the case that the purchase of additional licences subsequent to your organisation's initial procurement may also be regarded as a fresh procurement. Much will therefore depend on the structure of the initial procurement, including the terms of the contract notice and, particularly, those of the licence or agreement for sale.

The application of the EC-based public procurement rules to the purchase and licensing of software is not straightforward. Software may be bought from manufacturers or distributors. In either case, a licence from the manufacturer to use the software will be needed. When the software is bought from a distributor, this may be by means of an individual contract or by calling off a contract under a framework agreement with one or more distributors. The price charged by the distributor will usually include the cost of the licence and an element in respect of support and maintenance services to be provided by the distributor and any peripherals.

The view is taken that the licensing of software does not in itself involve the award of a contract for the provision of supplies or services covered by the EC-based public procurement Regulations. The Regulations set out detailed rules to be followed when conducting a procurement within their scope. They are not considered to be apt for the acquisition of licensing rights which can only be exercised in relation to particular software. However, the public procurement Regulations and the general principles of the EC law requiring transparency and equality of treatment for suppliers will apply to the purchase of software itself as involving a contract for supplies. This is the case whether or not the supplier also licenses the software.

Subsequent changes negotiated to software licensing agreements with manufacturers, for example in terms of pricing structure, the number of licences covered and types of upgrades, should not therefore involve the award of contracts subject to the public procurement Regulations as such, although any linked purchase agreements with distributors through whom the software is acquired may well do so. Much will depend on the structure of the original procurement, including the terms of any contract notice and of the purchase agreement. But this is a difficult area and, given the complexity of the law and the variety of factual situations, you may need to take project specific advice on these aspects.

Given the complexity of the law in this area, these may be matters on which you will need to take project specific legal advice.

Licensing

It is likely that your acquisition of software will be by means of a licence. You should be aware that the terms of a licence, including your obligations, are fully enforceable at law and it is important that you understand those terms before agreeing your licence. Common licensing issues which give rise to difficulties include:

  • a) ownership of intellectual property rights (for example, when you purchase software specifically designed for you, who should own the copyright in that work? Do you have an undertaking from the licensor that any intellectual property rights licensed to you are his to licence?)
  • b) variation of use by the licensee (for example, does the licence restrict use to certain sites?)
  • c) use by third parties (for example, if you spin-out part of your business or participate in a joint venture, will the spin-out or JVC be able to use your software?) and
  • d) termination (for example, can the licensor terminate your licence if there is a change in control of your business?).

The examples given above are merely illustrative of the sort of issues which can arise in licensing and are not meant to represent an exhaustive list of such issues. When negotiating the terms of your licence with suppliers you should consider whether, in order to minimise your risk profile, you require specific legal advice. Particular attention should, in any event, be paid to contracts for bespoke software or contracts which are otherwise unusual.

Support and Maintenance

The question of support and maintenance is likely to be addressed in your licence or in the agreement with the distributor from whom you purchase the software. However, given the importance of this subject, we consider that it merits a separate section in this guidance.

First, newly purchased software will, of course, require support and maintenance; it is likely to be convenient to deal with this in the terms of the licence or, as the case may be, in the agreement under which you purchase software from a distributor. Where the licence or the agreement with the distributor does not provide for support and maintenance services (whether provided by the licensor, the distributor or a third party), then you should be aware that a separate acquisition of such services, provided it exceeds the minimum threshold value, will be caught by the procurement rules and will therefore need to be the subject of a fresh procurement.

Secondly, the use of newly purchased software by an organisation, public sector or otherwise, poses risks for the business of that organisation and for that organisation's (or indeed a third party's) existing computer systems, should the newly acquired software fail to function properly and/or damage the organisation's, or a third party's, property. This is an issue which must be addressed in your initial licence. In particular, you should consider:

  • a) whether the newly purchased software should be trialed/piloted in a sterile environment within the organisation before roll-out (hopefully, any "bugs" that are present can be remedied without damage to your or third parties' existing infrastructure)
  • b) what sort of warranties and indemnities the licensor (and, if appropriate, the designer and manufacturer) should give as to the fitness of the software
  • c) what sort of indemnities the licensor should give as to losses and damages arising from infringement of third party intellectual property rights
  • d) what arrangements are in place should your existing computer systems or other existing software be damaged by 'bugged' software and, in particular, what arrangements are in place to deal with any liability to which you are exposed as a result of damage to third parties' property caused as a result of your organisation's use of 'bugged' software provided by the licensor (in this context, you should pay particular attention to insurance coverage, limitation of liability clauses in your licence, and additionally, you should have in place a "disaster" management strategy).

Managing Use

Once the newly purchased software is installed and operating satisfactorily, you need to ensure that your organisation's employees are using that software in an appropriate manner. The usual means of doing so is a written software use policy.

It is important not just that such a policy be established but that appropriate procedures are set up to verify and enforce compliance with that policy. It should be clear to an organisation's employees that failure by an individual employee to comply with an organisation's software use policy is, in all circumstances, a disciplinary matter and may, in appropriate cases, lead to dismissal. Such a policy should be widely worded and should include, for example, not just copying but also downloading or otherwise installing software, should explicitly refer to use off-site and at home and, in addition, should stipulate that it covers use of software whether or not that use is in the course of an employee's job.

To be effective however your software use policy must be brought to the attention of all employees (including temporary staff). It is suggested that your policy should be included in employment contracts and staff handbooks, while reminders ought to be circulated to all staff at regular intervals.

Related Issues

While it is not the direct subject of this paper, information, documentation and data published on websites will generally attract copyright and other intellectual property rights. Care is required to not infringe such rights when downloading or using such documents and information.

Developing mechanisms for sharing or distributing software within and across government departments may raise interesting issues in the future.