Agencies are exposed to a number of risks if their software environment is not managed to best practice. The assessment matrix below has been developed to help agencies quantify these risks from a set of agency-specific assumptions. By quantifying the risk associated with software licence management and incorporating it into a business case, managers can communicate to senior management the implications of not having appropriate control of software assets.

1. Over-licensing involving financial implications

The agency has invested heavily in software that is either unused or under-utilised because there are no current processes for software auditing and metering that would identify licences available for reallocation. To illustrate this, a metering sample was taken of four major software programs currently in use within an agency that had not been used since 1/12/06. The results are as follows:

Table A

  Software Package   No of unused licences (A)   Cost of Licence (B)   Cost to Agency = (A x B)
  MS Project
  MS FrontPage
  MS Visio
  MS SourceSafe
  Total cost

2. Breaches of software licence terms and conditions

Aside from the potential penalties and fines arising from a possible external audit (see 4), the agency undertakes at least one Microsoft self-audit each year. Any identified instances of unlicensed Microsoft software must be rectified by purchasing at OPEN Government Select Level A prices rather than the current Select Level D. Using four common agency Microsoft applications as an example, the following calculations indicate the potential financial impact of using unlicensed Microsoft software.

Table B

  Software Package   A. No of unlicensed deployments   B. Additional Cost of Licence at Select Level A (Level A - Level D)   Increased Licence Cost to Rectify = (A x B)
  MS Project
  MS FrontPage
  MS Visio
  MS SourceSafe
  Total cost

3. Cost associated with current manual audits performed by the agency

Without an appropriate tool to support software auditing and metering, the agency incurs the following costs each year. Note: AO salary rates should include payroll overheads.

Table C - Manual Software Audit

  No of audits x (time to achieve usable audit report x AOx hourly rate + time to do gap analysis x AOx hourly rate) = Annual Cost

Table D - Cost of software audit using Audit and Metering Tool

  (No of audits x (time to audit x AOx hourly rate + time to do gap analysis x AOx hourly rate)) + (capital cost of tool or configuration costs / depreciation timeframe) = Annual Cost

Table E = Table C - Table D

  The difference in the annual cost of performing software audits such as the annual Microsoft self-audit using a manual process or an unconfigured tool versus a specialised software auditing tool.

4. Financial and legal risks of being found to be under-licensed by an external auditor

If the agency is audited by a vendor, a third-party accounting firm is usually engaged. If the agency is found to be under-licensed, it will be liable for the cost of the audit, the procurement of the missing licences (Table B) and any fines imposed. This could equate to:

Table F - External Audit Cost

  For an audit of 3,000 desktops: (External Auditor rate of $2000/day x 10 days) + (Staff involved at AOx rate x Y days) = cost of external audit. Downtime of staff involved in the external audit may also be included.

Table G - Potential Fines

  Identified Microsoft software licence deficiency at last Microsoft Self-Audit (%) x total software deployed = XX.
  XX x $93,500 per instance (for a criminal offence under the Copyright Act)

5. Software compatibility issues realised during major releases

Change management processes in agencies without a locked-down SOE are often lengthy because of the discovery work needed to identify applications loaded by staff outside the change process.

Table H - Change Management

  (Current testing period for new applications - projected testing period with a known SOE) x AOx rate per hour = cost of additional testing required to protect the network for each deployment.
  X no. of planned deployments in 2008/09 x additional testing costs = Cost of not having a locked-down SOE.

6. Potential security breaches and viruses

If agency desktops are not locked down, staff are able to download or upload software applications from the Internet, email and removable media onto the agency network. This increases the risk of a security breach or virus attack from pirated media, malicious attack or undesirable applications, resulting in loss of data, staff downtime and disaster recovery costs. In the event of a network incident the agency will feel the financial impact to varying degrees. For instance:

Table I - Hardware rebuild

  Even if a virus infection occurs only once a year:
  (Potentially 20% of computers infected, or one building, x Y hours to rebuild each x AOx rate) + (Y hours x AOx rate of unproductive time for each affected staff member) = additional potential cost of not having a locked-down environment
Sunday, March 8, 2009