January 2000
Exhibit A
Implementing the Executive Order
On Computer Software Piracy
SAMPLE SOFTWARE MANAGEMENT POLICY
1. Purpose. This Software Management Policy
(Policy) sets forth the steps this Agency shall take to comply with the Executive Order on
Computer Software Piracy (Order) and the Implementing Guidelines issued by the CIO
Council.
2. Software Acquisition and Installation Procedures.
- Where possible, all requests for software and software
upgrades shall be submitted to the Office of the Chief Information Officer (CIO) or
his/her designee.
- All software and software upgrades not acquired by the CIO
shall be documented and identified to the CIO or his/her designee, who will verify that
the Agency has an appropriate license for the use of such software.
- All acquisitions of hardware that include bundled software
shall be documented and identified to the CIO or his/her designee, who will verify that
the Agency has an appropriate license for the use of such bundled software.
3. Destruction of Unauthorized Software. The CIO or
designated employees shall destroy all copies of software for which the Agency lacks the
appropriate license. Alternatively, the CIO may obtain the license(s) necessary to
maintain such software on Agency computers.
4. Software Management Review and Inventory. The
Agency shall conduct on a periodic basis (i) an assessment of its software management
procedures and practices; and (ii) an inventory of installed software and related license
agreements, purchase invoices and other documentation evidencing licensed software use.
The CIO shall supervise such assessment and inventory with assistance, as needed, from the
Agency's Inspector General, designated employees and/or outside consultants.
5. Recordkeeping. The Agency, under the supervision of
the CIO, shall establish and maintain a recordkeeping system for original software
licenses, certificates of authenticity, purchase invoices, completed registration cards,
original software media (e.g., diskettes or CD-ROMs), user information, and assessment
information. The Agency shall maintain this information in secure location(s) designated
by the CIO and consider the use of software management computer programs to automate such
recordkeeping.
6. Software Use Policy. Employees of the agency should
comply with the following software use policy:
- Prohibition against Unlicensed Software Use. No
employee shall:
  - Install, reproduce,
  distribute, transmit or otherwise use software for which this Agency lacks the appropriate
  license, unless such software is properly licensed to the employee and used in accordance
  with Agency policy and the applicable license. If an employee becomes aware of the
  reproduction, distribution or use of unauthorized software in this Agency, he/she should
  promptly notify his/her supervisor or the CIO.
  - Install, reproduce or use
  any software upgrade on a computer that does not already have resident on it the original
  version of the software.
  - Loan, distribute or transmit
  Agency software to any third party, unless the employee is expressly authorized to do so
  by his/her supervisor and the applicable license.
- Authorization to Use Agency Software on Home
Computers. The licenses for some Agency software permit employees of the Agency to
make a copy of the software for home use. In such event, employees may make a copy of
Agency software for home use only if they demonstrate a need to conduct Agency business
from their homes and receive express authorization from their supervisor, the CIO or the
CIO's designee. Under no circumstances, however, may an employee use Agency software for
purposes other than the business of this Agency.
- Downloading of Software from the Internet or Other
Sources on to Agency Computers. A variety of software is available on the Internet.
Some of this software, called "freeware" or "shareware," is available
free of charge for limited uses and may be downloaded by an employee with the prior
approval of his/her supervisor. Other software available on the Internet and from other
electronic sources, however, requires the user to obtain a license for its use, sometimes
for a fee. No employee shall download licensed software to his/her work station without
the prior approval of his/her supervisor, the CIO or the CIO's designee.
- Enforcement. The CIO shall supervise periodic
reviews and assessments to evaluate the effectiveness of the software management policy.
As part of this process, the CIO or his/her designee may ask employees to complete a
Software User Survey. This Survey will be used to determine the Agency's existing and
future use and need of particular software programs. Employee cooperation with all
assessments and Software User Surveys is greatly appreciated.
- Responsibility. An employee may be held responsible for the existence of
any software on his/her work station for which the Agency lacks the appropriate licenses.
- Questions? An employee may direct any questions
concerning this Policy to his/her supervisor or the CIO [provide phone numbers, office
locations, and e-mail addresses].
7. Education and Training. The Agency shall provide
education and training to all existing and new employees on compliance with the Executive
Order and the Software Management Policy. As part of such education and training, the
Agency shall:
- Amend the employee handbook to include the Software
Management Policy, and distribute the updated handbook to all employees.
- Provide training to new and existing employees on (i) the
Software Management Policy; (ii) how to detect and prevent piracy; (iii) consequences of
violating the Software Management Policy and applicable copyright laws. Such training may
be conducted as a separate seminar or as a part of existing training programs.
- Circulate reminders of the Software Management Policy on a
regular basis (at least annually) or remind employees of the Software Management Policy in
other ways (at least annually), for example, through notices in agency newsletters.
- Inform employees where they can get additional information
on the Policy and software piracy prevention.
8. Performance Measures. The CIO shall develop
performance measures to monitor the Agency's compliance with the Executive Order, the CIO
Council Implementing Guidelines and the Software Management Policy.
Exhibit B
Implementing the Executive Order
On Computer Software Piracy
SAMPLE SOFTWARE ACQUISITION POLICY
1. Purpose: This Software Acquisition Policy
(Policy) was adopted to implement those provisions of the Executive Order on Computer
Software Piracy (Order) that require this Agency to acquire computer software in
compliance with applicable laws and licensing restrictions. This Policy identifies
categories of software that violate such laws or licensing restrictions and sets forth
steps this Agency should take to avoid acquisition of illegal software. In addition, the
Policy indicates remedial actions that should be taken in the event a software reseller
supplies computer software that violates applicable laws or licensing restrictions.
2. Types of Pirated Software: In order to comply
with the Order, applicable laws and licensing restrictions, this Agency and its employees
should be cognizant of the different types of pirated software when evaluating bids or
engaging in negotiations to acquire computer software. For purposes of this Policy,
pirated software includes both illegally copied software and software that violates
licensing restrictions.
A. Illegally Copied Software
B. License Misuse
Software copies are licensed, and not sold, to the end
user. The software publisher's license agreement typically restricts how, and to whom,
software copies may be distributed. When acquiring software copies, the Agency should
review the applicable license and ensure that its use of the software will not violate any
restrictions imposed by the software publisher.
License misuse occurs when legitimate copies of software
are distributed and used in violation of the applicable license agreement. Examples of
license misuse include:
- Original Equipment Manufacturer ("OEM")
software: OEM software is licensed and specifically marked for distribution with new
computer hardware. License misuse occurs when OEM software is "unbundled" from
the computer and distributed to, and used by, the end user as a standalone product, often
at a heavily discounted price.
- Academic Versions: Academic software is
manufactured, licensed and specifically marked for distribution to educational
institutions and students at reduced prices. License misuse occurs when academic software
is distributed to, and used by, a non-academic end user.
- "Not for Resale" software: NFR software
is marked "not for resale" and typically is distributed as promotional or sample
product and not licensed for commercial distribution and use. License misuse occurs when
NFR software is distributed in violation of its resale restrictions.
- Fulfillment Software: Fulfillment software is
licensed solely for distribution to mid- or large-sized end users that currently possess a
volume license agreement or valid site license. Fulfillment software is typically
distributed in a CD jewel case without the packaging or materials that accompany retail
product. The fulfillment media is not itself licensed product. License misuse occurs when
fulfillment software is distributed to, and used by, end users that lack the necessary
licenses for use of the underlying product.
- Software Upgrades: Upgraded versions of software
programs are licensed and specifically marked for distribution to end users that currently
possess a valid license for the original product. License misuse occurs when upgrades are
distributed to, and used by, end users that lack a license for the original product.
Typically, OEM, Fulfillment and other non-retail products are
distributed without the colorful packaging and materials that accompany full retail
products. Accordingly, these non-retail products are easier to counterfeit. Thus, Agency
employees should be aware that deeply discounted non-retail software may in fact be
counterfeit.
3. Operational Defects of Pirated Software: The
Agency and its employees should be cognizant of the risks that accompany the acquisition
and use of software in violation of applicable copyrights or licensing restrictions.
Beyond the legal risks that accompany copyright and licensing violations, the use of
pirated software can jeopardize the effectiveness and integrity of the Agency's computer
system. This is because pirated software typically lacks the full package of benefits that
accompany legitimate product, including the following:
- warranty protection;
- notice of, and ability to obtain, upgrades to the software;
- technical support for the software;
- assurances that the software is free of computer viruses; and
- confidence that the most recent version of the software, free from defects, is being obtained.
4. Steps to Avoid Acquisition of Pirated
Computer Software: The Agency and any employees authorized to acquire software should
take all necessary steps to minimize the risk of acquiring pirated software, including the
following:
- Educate employees: Employees authorized to
acquire software should be educated on the requirements of the Order and this Software
Acquisition Policy.
- Standardize software acquisition procedures and
centralize purchases: The Agency should, to the extent possible, (i) implement
standardized software acquisition procedures throughout the Agency; and (ii) centralize
software purchases within a designated department or group of employees who have been
educated on the requirements of the Order and this Software Acquisition Policy. By
implementing standardized acquisition procedures and centralizing software purchases, the
Agency will be better able to prevent acquisition of pirated software. Moreover, a
centralized acquisition program can result in volume purchases, which are often
accompanied by discounts.
- Demand proper licenses and accompanying materials:
Before purchasing software, the employee should research the license and materials that
accompany the legitimate product (e.g., an original license agreement, registration card,
manual, security features, and diskettes or CD-ROM). Agency employees should demand and
obtain each of these materials, and avoid software resellers that refuse to comply.
- Verify appropriate license: Before purchasing
software, verify that the license authorizes distribution to, and use by, the Agency.
- Purchase software from reputable resellers:
Employees should seek out software resellers with reputations for honesty and customer
service within the community.
- Contact the Software Publisher: Particularly for
large purchases of software, employees should contact the software publisher or its
authorized distributor for information on the product and authorized resellers within the
community. Moreover, the software publisher or authorized distributor should be contacted
whenever an employee suspects that software acquired by, or offered to, the Agency may be
pirated.
5. Warning Signs of Pirated Software:
The Agency and any employees authorized to acquire software should be aware of the
following "warning signs" that often accompany pirated software:
- The price of the software is significantly below the
software publisher's suggested retail price or otherwise appears "too good to be
true";
- The software is distributed in a CD jewel case without the
packaging and materials that typically accompany a legitimate product;
- The software lacks the software publisher's standard
security features, such as a hardware lock or certificates of authenticity;
- The software lacks an original license or other
information from which the agency can verify that its use of such software is validly
licensed by the copyright holder;
- The packaging or materials that accompany the software
have been copied or are of inferior print quality;
- The CD contains software from more than one software
publisher or programs that are not typically sold as a "suite";
- The software is downloaded via the Internet without the
software publisher's authorization;
- The software is distributed via a mail order or online
reseller that fails to provide appropriate guarantees of legitimate product;
- The software contains markings indicating that
distribution to, and use by, the Agency would violate the software publisher's license
(e.g., "distribute only with new PC hardware"; "Academic Version",
"Upgrade", etc.);
- The software is loaded onto computer hardware without a
separate license or invoice indicating a legitimate purchase.
6. Steps to Take if Pirated Software is Suspected:
If an employee suspects that software offered or supplied by a reseller is pirated, he/she
should contact the software publisher or an authorized reseller to investigate. If the
employee's suspicions are confirmed, the Agency should take one or more of the following
remedial actions:
- Return the pirated software and request legitimate replacement software or a refund;
- Withhold payment under the software contract until legitimate software is supplied;
- Terminate the contract for failure to comply with its terms;
- Suspend and/or debar the reseller for committing an offense that indicates a lack of business integrity, for engagement in fraud, or for
willfully failing to comply with contract terms (debarment only). (See Federal
Acquisition Regulation Subpart 9.4); and/or
- Bring a False Claims Act action against the contractor for
payments related to the illegal computer software.
Exhibit C
Implementing the Executive Order On Computer Software Piracy
INITIAL SOFTWARE MANAGEMENT ASSESSMENT WORKSHEET
I. Conducting An Assessment
| Pre-Assessment Procedures | Benchmark | Date |
| --- | --- | --- |
| Determine whether to notify employees of assessment and distribute assessment information letter to employees, if warranted. | | |
| Determine whether to use software to perform certain functions of the initial assessment and select software package and vendor, if warranted. | | |

| Assessment Procedures | Benchmark | Date |
| --- | --- | --- |
| Identify the location of servers, workstations, and all other hardware that run software programs. | | |
| Record the title, version, publisher, and serial number of software. | | |
| Record files not recognized by automated assessment programs or the inspector and determine whether such files are legitimate. | | |
| Match the record of software against licenses and ownership documentation to establish proof of authorization. | | |
| Reconcile number of users of software loaded on networks with the number of users accounted for in licenses. | | |

| Post-Assessment Procedures | Benchmark | Date |
| --- | --- | --- |
| Take corrective action to delete and destroy unauthorized copies of software or obtain licenses for them. | | |
| Identify problem areas, if any, where the agency may focus training and educational efforts to reduce the use of unauthorized software. | | |
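The inventory and reconciliation steps of Exhibit A, section 4 and the Assessment Procedures above (record title, version, publisher and serial number per workstation; set aside unrecognized files; match the record against licenses; reconcile installation counts with licensed seats) carried out by a small script. This is an added example, not part of the CIO Council exhibits; the workstation names, product titles, serial numbers and license register are constructed sample data.

```python
"""License reconciliation over a constructed software inventory.
Added example, not part of the CIO Council exhibits. It follows the Exhibit C
assessment steps: record title/version/publisher/serial per workstation, match
the record against the license register, reconcile installation counts with
licensed seats, and flag upgrade-only licenses with no base license on file.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    workstation: str
    title: str
    version: str
    publisher: str  # "?" when the assessment tool could not identify the file
    serial: str


@dataclass(frozen=True)
class License:
    title: str
    version: str
    seats: int             # installations or users the license covers
    upgrade: bool = False  # an upgrade license needs a base license for the title


# Constructed sample inventory, as an automated assessment program might record it.
INVENTORY = [
    Install("WS-01", "OfficeSuite", "8", "AcmeSoft", "AS-001"),
    Install("WS-02", "OfficeSuite", "8", "AcmeSoft", "AS-002"),
    Install("WS-03", "OfficeSuite", "8", "AcmeSoft", "AS-003"),
    Install("WS-02", "ZipTool", "3.1", "Compressor Inc", "CI-77"),
    Install("WS-03", "DrawPro", "2.0", "Vectorix", "VX-100"),
    Install("WS-04", "DrawPro", "2.0", "Vectorix", "VX-100"),
    Install("WS-04", "Unknown.exe", "?", "?", ""),
]

# Constructed license register, as kept under Exhibit A, section 5.
LICENSES = [
    License("OfficeSuite", "8", seats=2),
    License("DrawPro", "2.0", seats=5, upgrade=True),  # upgrade only, no base on file
]


def reconcile(inventory, licenses):
    """Match installed software against licenses and return findings by category."""
    # Files the tool could not identify go to the inspector, not to the license match.
    unrecognized = sorted((i.workstation, i.title) for i in inventory if i.publisher == "?")
    installed = Counter((i.title, i.version) for i in inventory if i.publisher != "?")

    seats = Counter()
    base_titles, upgrade_titles = set(), set()
    for lic in licenses:
        seats[(lic.title, lic.version)] += lic.seats
        (upgrade_titles if lic.upgrade else base_titles).add(lic.title)

    unlicensed, over_deployed = [], []
    for (title, version), count in sorted(installed.items()):
        covered = seats[(title, version)]  # Counter returns 0 for a missing key
        if covered == 0:
            unlicensed.append((title, version, count))
        elif count > covered:
            over_deployed.append((title, version, count, covered))

    return {
        "unrecognized": unrecognized,
        "unlicensed": unlicensed,        # destroy or license (Exhibit A, section 3)
        "over_deployed": over_deployed,  # more installations than licensed seats
        "upgrade_without_base": sorted(upgrade_titles - base_titles),
    }


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, LICENSES).items():
        print(f"{category}: {items}")
```

Each non-empty category maps to a post-assessment action in the worksheet: unrecognized files go to the inspector, and the other three are resolved by destruction or by obtaining the missing licenses.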
II. Software Acquisition Procedures
| | Yes | No | Comments |
| --- | --- | --- | --- |
| Does the agency include software as a separate line item in its budgeting process? | | | |
| Does the agency purchase software through a central office? | | | |
| Does the agency obtain a sufficient number of licenses to cover the expected number of users? | | | |
| Does the CIO or other responsible official periodically review software licenses and ensure the agency's compliance with them? | | | |
| Does the agency ensure that it receives all required components (end user license agreement, registration card, manual, and CD) and security features for all retail or OEM software it acquires? | | | |
| Does the agency properly register purchased software? | | | |
| Does the agency maintain software registration and license information in a centrally located file and/or software management system? | | | |
| If a software upgrade is requested or needed, does the agency obtain the necessary updated licenses? | | | |
| Does the agency maintain a log listing the hardware and software at each workstation and each office location? | | | |
| Does the agency ensure that users have access to manuals and reference materials? | | | |
| Does the agency remove from its hard drives discontinued or obsolete software? | | | |
III. Software Installation and Management
| | Comments |
| --- | --- |
| What, if any, software is installed by the vendor? | |
| What software is installed by agency personnel? | |
| Who authorizes installation of new software? | |
| Who monitors installations? | |

| | Yes | No | Comments |
| --- | --- | --- | --- |
| Does the agency use passwords or other methods to restrict access to particular software programs? | | | |
| Are employees authorized to use agency-owned software at home for personal use? | | | |
| Are employees authorized to use agency-owned software at home for agency business? | | | |
| If so, does the agency ensure that the applicable license agreement permits home use of agency-owned software? | | | |
| Does the agency permit employees to install personal software on their computers at work? | | | |
| If so, does the agency ensure that these programs are used in accordance with applicable license agreements? | | | |
| Does the agency review and document the software installed and used on each work station at regular intervals? | | | |
| Are license agreements retained and filed with software serial numbers noted on hard copies? | | | |
| Does the agency reconcile its base of installed software with its software licenses at regular intervals? | | | |
IV. Management of Original Software and Backup Copies
| | Yes | No | Comments |
| --- | --- | --- | --- |
| Does the agency make backup copies of original software? | | | |
| Are original software diskettes/CD-ROMs and backup copies stored at a central location? | | | |
| Does the agency monitor the use and return of backup diskettes/CD-ROMs? | | | |
| Does the agency store original diskettes/CD-ROMs in a secure location where access is limited to authorized employees? | | | |

| | Comments |
| --- | --- |
| Who is responsible for making and storing backed up software? | |
V. Physical Security of Computer Systems
| | Comments |
| --- | --- |
| How many of each of the following does the agency own? | |

| | Yes | No | Comments |
| --- | --- | --- | --- |
| Does the agency maintain records of hardware, its location, and other information technology assets? | | | |
| Does the agency number and physically account for hardware systems? | | | |
| Does the agency have procedures in place to record the removal of systems from their assigned locations? | | | |
| Does the agency regularly make an assessment of hardware systems? If so, how often? | | | |
| Are agency computers properly maintained and serviced on a regular basis? | | | |
VI. Software Management Policy and Employee Training
| | Yes | No | Comments |
| --- | --- | --- | --- |
| Does the agency have a Software Management Policy? | | | |
| Does the Policy include procedures for distributing software within the agency? | | | |
| Does the agency have a training program to educate employees on software licensing issues and the Software Management Policy? | | | |
| Does the agency inform its employees of the Software Management Policy upon hiring and at regular intervals? | | | |
| Does the agency hold employees accountable for their computer system usage and content? | | | |
Exhibit D
Implementing the Executive Order
On Computer Software Piracy
SOFTWARE USER SURVEY
1. Which five software applications do you use most often
at work and how frequently do you use them?
| Application | Hours/per day |
| --- | --- |
| | |
| | |
| | |
| | |
| | |
2. Does the agency provide you with the software you need
to perform your job tasks?
3. How did you obtain the software applications identified
in question 1 (check any of the following answers that apply)?
- [ ] I access software through a centralized server.
- [ ] I obtained software from my supervisor.
- [ ] I acquired software directly from a reseller.
- [ ] I downloaded software from the Internet.
- [ ] I copied software from another employee.
- [ ] I copied software from my home computer.
- [ ] I copied software from friends/relatives.
4. Do you use a home computer to complete work-related
assignments?
5. How do you transfer data between home and office?
- [ ] Diskette
- [ ] Modem
- [ ] Portable Computer
6. Who provided the software used at home for work-related
assignments (check any of the following answers that apply)?
- [ ] I purchased my own software.
- [ ] I was reimbursed by the agency for my software.
- [ ] The agency purchased software for my use at home.
- [ ] I use a copy of the agency's software for work-related tasks on my home computer.
- [ ] I downloaded software from the Internet.
- [ ] I copied it from friends/relatives.
7. What software applications would you like to have at
work that you currently do not?
Employee: ____________________  Title: ____________________
Date: ____________________  Unit/Department: ____________________
Exhibit E
Implementing the Executive Order On Computer Software Piracy
SAMPLE NOTIFICATION LETTER
Date:
To: All Employees
From: Chief Information Officer
Subject: Review of Computer Software
During the month of _________, the Management Information
Services Department will conduct a review of software used by [Agency]. Your department is
scheduled to be visited on ______ (day)_________, _____ (date) _________. The purpose of
the review is to:
- Determine what software is in use at each workstation
and whether the original diskettes, manuals, licenses and other documentation exist for
each program.
- Remove unauthorized copies of software.
- Determine whether there is software you may need to do your job that you do not currently have.
- Scan each system for viruses.
- Confirm the serial numbers for each piece of hardware (modems, printer, monitors, etc.).
To ensure that the review does not disrupt your workday, we
will try to accomplish these tasks quickly. Please locate the appropriate original
software media (i.e., diskettes or CD-ROMs) and documentation if they were issued to you.
Also, please make a note of any personal software you have installed on your workstation
and have available for us copies of the diskettes and documentation for these programs.
Your cooperation is greatly appreciated.