S 2.88 Licence management and version control for standard software

Initiation responsibility: Top Management

Implementation responsibility: Head of Organisation, Head of IT

Experience has shown that a lack suitable version control and licence control quickly leads to a wide assortment of versions being used on an IT system or within an organisational unit, some of which may be used without a licence.

Only licensed software must be used on all IT systems within an organisation. This provision must be made known to all employees and the administrators of the various IT systems must ensure that only licensed software is used. To do this, they must be equipped with suitable tools for licence control.

Within an organisation, different versions of an application are used in many cases. Within the context of licence control, it must also be possible to gain an overview of all software versions used. In this way, it can be guaranteed that old versions are replaced by newer ones as soon as this is necessary and that all versions are deleted when licences are returned.

In addition to this, the various configurations of the installed software must be documented. As a result, it must be possible to acquire an overview on which IT system which security-related settings of a standard software product were specified by the approval and which were actually installed. For example, it can thus be rapidly clarified on which computers macro programming has been installed on product XYZ and on which it has not.

To ensure that licences do not become invalid in the event of hardware defects, hardware-independent licences should be used if possible. Thus, an IT-System can be replaced with less time and expense if the hardware fails.

If it is necessary to activate a product online via the manufacturer's licensing server, the licence can expire subsequently and the product can be deactivated. If possible, products that do not have to be activated online should be selected.

If it is possible and economically reasonable, licences with an unlimited period of time should be preferred. Thus, functional restrictions can be prevented when the licence has expired or the system time differs significantly.

Review questions:

• Is there a provision that only licensed software is to be used and has this provision been made known to all employees?
• Are the administrators equipped with tools for licence control?
• Is an overview of all software versions available?
• Are the different configurations of installed software documented?