Our Auditing Guide

     

Every week hundreds of people are given the responsibility of carrying out a software (and often hardware) audit of their organization's PCs. Many will never have carried out this role before. This is our brief introduction to the audit process.

All aboard

An auditor may be asked to carry out the audit by a director or high-level manager, but even so, getting management 'buy-in' to the audit process should be a priority. The board should be convinced of the benefits of the process in order to smooth implementation.

Users too

Users need to be treated with care. If the audit is seen as a threat then cooperation will be hard to find. Consider an 'amnesty' (with board backing) for unlicensed software, providing it is removed within a set period. Inform users of what is going on, particularly if they will be asked to fill in on-screen forms.

However, it may be helpful to conduct an unannounced 'silent' audit first, provided that the results are used with discretion.

Software Installation Control

Before carrying out an audit (other than for test purposes) a reliable method of controlling new software installations should be put in place. Without this, new software will be installed on your network while you are analysing your results.

Centralised software purchasing is a great help with this, and can also save money. Company policy should prohibit the installation of unauthorized software. A fully 'locked down' network (where users cannot physically install software) is the only 100% certain method, but this approach can prevent innovation and may overload IT support with requests for new software.

Insisting that all software is purchased via a single point will certainly help license compliance.

Decide what data is 'must have', and what is 'nice to have'

It's very easy to get carried away collecting information on everything from asset tags to mouse serial numbers, but remember there is a cost associated with maintaining each item of data. Storing the serial number of every mouse may seem a good idea, but they are regularly replaced and the serial number will need updating each time this happens. Updating the data may cost more than the new mouse, and support staff may not feel the task is justified and therefore not carry it out. In summary:

  • It may be nice to collect additional data, but accurate collection of your must have data is more important.

  • Ensure that you only collect data that will be updated. It is better to have no data than incorrect data.

Consider what you already know

Industrial users sometimes have old DOS PCs running specialist control software, so they may think they need an audit tool that supports DOS. However, if these PCs are dedicated to one role it may be a simple task to manually identify the installed software. It may also be very unlikely that anyone would add additional software to such a PC, especially if access is restricted. Therefore, better accuracy on your majority platforms may be a more important criterion for your audit tool than support of DOS PCs.

Also be cautious with 'legacy' systems that are difficult to rebuild if the audit software should cause any problems.

Any machines that are 'special purpose' could be treated in this way; for example, a small number of Macs used only as graphics workstations. A Mac Scanner may be the ideal solution, but again, for dedicated machines, the installed software may be fairly simple to list manually, and it may be unlikely that unofficial software will be installed (particularly if the machines are 'locked down'). Alternatively, if Macs are used as general purpose machines (no separate PC is provided for email etc.) then a Mac Scanner becomes a much higher priority.

Where is your data going?

Many companies already have, or are planning to implement, an asset database of some kind. If this is the case then your audit tool must provide information for that system, not try to re-invent the wheel.

Your audit tool should be a quick, clean and simple way of collecting the required data, not necessarily provide the whole asset management database and reporting system. This does imply of course that there should be a quick and simple method of getting the collected data from the tool to your chosen asset database.

Some audit tools claim to provide a 'total solution' in the field of asset management, but they can rarely compete with a specialist (or custom) asset database. They may also not provide the software recognition quality of specialist software audit products. Sites are also tied in to that product, and it can be difficult to replace, for example, just the help desk part.

Data may also need to be available via a separate company help desk or management information system, so the priority here is to ensure that your audit tool provides an effective way of getting data into whatever systems (Oracle, SQL, MS Access etc.) might need it now or in the future. An SQL-only database might sound a good idea today, but is not so ideal if your company switches to Oracle in the future.

One truly universal export format is plain CSV (comma separated variable) which can be imported into all of the systems mentioned above. However, check that the export is in 'relational database' format with a 'table' for software, one for PCs etc. Flat-file exports (usually a single file) where PC information is repeated over and over again are not suitable for importing into a database.
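The difference between the two export shapes, as an added example (not part of the original guide or of any audit tool): a flat-file export is split into PC, software and install tables, and PCs whose repeated details disagree between rows are reported. Column names and data are constructed.

```python
import csv
import io

# Constructed flat-file export: PC details repeat on every software row.
FLAT = """pc_name,cpu,ram_mb,product,version
PC-001,Pentium III,256,ExampleMail,3.1
PC-001,Pentium III,256,ExampleOffice,10
PC-002,Pentium 4,512,ExampleMail,3.1
PC-002,Pentium 4,1024,ExampleOffice,10
"""

def normalise(flat_text):
    """Split flat rows into PCs, software and a PC-to-software link table."""
    pcs, software, installs, conflicts = {}, {}, [], []
    for row in csv.DictReader(io.StringIO(flat_text)):
        details = (row["cpu"], row["ram_mb"])
        # Repeated PC data can disagree between rows; keep the first, flag the PC.
        if pcs.setdefault(row["pc_name"], details) != details:
            conflicts.append(row["pc_name"])
        key = (row["product"], row["version"])
        sw_id = software.setdefault(key, len(software) + 1)
        installs.append((row["pc_name"], sw_id))
    return pcs, software, installs, conflicts

def to_csv(header, rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return out.getvalue()

def export_tables(flat_text):
    """Return one CSV per table, plus the PCs with inconsistent rows."""
    pcs, software, installs, conflicts = normalise(flat_text)
    tables = {
        "pcs.csv": to_csv(["pc_name", "cpu", "ram_mb"],
                          [(name, *d) for name, d in pcs.items()]),
        "software.csv": to_csv(["software_id", "product", "version"],
                               [(i, p, v) for (p, v), i in software.items()]),
        "installs.csv": to_csv(["pc_name", "software_id"], installs),
    }
    return tables, conflicts

if __name__ == "__main__":
    tables, conflicts = export_tables(FLAT)
    for name, text in tables.items():
        print(name, text, sep="\n")
    print("inconsistent PC rows:", conflicts)
```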

Test and test again

Few IT staff would roll out a new product over their whole network without a limited test first - treat your audit tool in the same way. We suggest selecting a small group of users who are told of what is happening and instructed to report any problems. This is a good stage to try out the most likely audit tools and select the most appropriate for your situation. Pay special attention to any complaints that hard disks are 'thrashing' or software is unresponsive - your audit tool should not be interfering with users' normal work.

Questions, Questions

If you are using questionnaires or forms filled by the end user, test them out on a pilot group first. Check that your proposed audit tool allows questionnaires to be sent to selected groups of PCs, and doesn't force you to send to all at once.

Try to keep the number of questions as small as possible (fewer than 10 is best) and use drop-down option boxes rather than free-text fields where possible. Some audit tools offer a 'combo-box' question where the most common options are presented in a drop-down but the user can type an alternative if necessary.

Check that your audit tool does not suddenly 'pop-up' a window over the user's work; a discreet flashing task-bar icon or similar should be used instead.

The bare PC trick

No audit tool guarantees to give 100% results, and there will always be certain files that are not recognized as belonging to known installed products. Here's one way that you can safely eliminate the many extra 'utility' or 'secondary' executables shipped with most products. This could save a lot of time on your full-scale audit.

  1. Re-image or reformat a PC so that it has only the standard operating system for your site.

  2. Audit that PC. You can now eliminate all incorrectly reported products as being part of the operating system, since that is all that has been installed. (Using Aperio this can be achieved in seconds by selecting all 'secondary' products and dropping them into the correct main product.)

  3. Next, install one application common to most or all of your PCs; your email client may be a good example. Re-audit and check that all extra files are identified as your email client.

  4. Repeat this process for all of your site's standard products. Although this may take a while it means that your library or dictionary should now be 100% accurate on your site's standard products*.

  5. Finally, don't forget to remove these products from your bare PC otherwise they will need licenses too.

*not necessarily true if your audit tool uses file size to identify program files - slightly different versions of these products could still show up as 'unknown'. Aperio uses property or version information which rarely changes between product releases.
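The bare PC procedure and the file-size caveat above, as an added example (not the guide's or Aperio's own code): each audit is diffed against the previous one and the new executables are attributed to the product just installed. The record layout, the name-plus-ProductName key and all data are assumptions made for illustration.

```python
from typing import NamedTuple

class Exe(NamedTuple):
    name: str      # executable file name
    product: str   # ProductName string from the file's version resource
    version: str   # file version string
    size: int      # size in bytes

def by_version_info(exe):
    # Assumed key: name + embedded product name, stable across point releases.
    return (exe.name.lower(), exe.product.lower())

def by_size(exe):
    # Key used by size-based recognition: changes with every rebuild.
    return (exe.name.lower(), exe.size)

def learn(library, previous, current, product, key):
    """Steps 2-4: attribute executables new since `previous` to `product`."""
    seen = {key(e) for e in previous}
    for exe in current:
        if key(exe) not in seen:
            library.setdefault(key(exe), product)
    return library

def classify(library, audit, key):
    """Map each audited executable to a product, or 'unknown'."""
    return {e.name: library.get(key(e), "unknown") for e in audit}

# Constructed audit results (not output from any real tool).
BARE = [Exe("explorer.exe", "Example OS", "5.0.1", 240_000),
        Exe("fmtutil.exe", "Disk Helper", "5.0.1", 31_000)]
WITH_MAIL = BARE + [Exe("mail.exe", "ExampleMail", "3.1.0", 910_000),
                    Exe("mailupd.exe", "Update Agent", "3.1.0", 52_000)]
# A user PC running a slightly newer build of the same mail client.
USER_PC = BARE + [Exe("mail.exe", "ExampleMail", "3.1.2", 914_500),
                  Exe("mailupd.exe", "Update Agent", "3.1.2", 52_300),
                  Exe("game.exe", "Example Game", "1.0", 700_000)]

def build_library(key):
    library = learn({}, [], BARE, "Operating system", key)
    return learn(library, BARE, WITH_MAIL, "ExampleMail", key)

def demo():
    return (classify(build_library(by_version_info), USER_PC, by_version_info),
            classify(build_library(by_size), USER_PC, by_size))

if __name__ == "__main__":
    for result in demo():
        print(result)
```

With the size-based key, both mail client executables on the user PC fall back to 'unknown' because the newer build changed their sizes.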

Deploy your audit tool

This operation should be necessary only once because once your audit tool is deployed it should be able to 'self upgrade' when you decide to install a new version.

Some tools allow Windows 2000 'push' deployment although this method is usually less than 100% effective in practice as it requires very specific administrator access to workstation PCs. The most common deployment method is still to use login scripts. Although some knowledge is required in how to set them up they provide a reasonably simple way of rolling out a product to large numbers of PCs.

Check your results

Once you've completed your initial audit, your results need to be verified in some way.

Finding your POPs

This simple title may hide more work than the rest of the audit process! Your task is to find Proof of Purchase (POPs) for each licensed product. Media or packaging may be considered adequate, but a detailed invoice or actual software license is better. The Accounts department may be a good place to start. A centralized software procurement policy makes this part much easier.

Don't make the mistake of thinking this has something to do with software serial numbers - it does not. A set of unique serial numbers is no guarantee of licensed software, nor do duplicated serial numbers necessarily mean under-licensing.

License reconciliation

Once you have a list of licenses owned and a list of software installed, the next step is to compare the two. Where installed product exceeds licenses held, a decision must be taken whether to uninstall the software or to purchase extra licenses. If licenses exceed the number of installed products (this does regularly happen!), consider ways of using these assets. If the licenses are for old versions of a product, it is often cheaper to upgrade from these than to purchase full new licenses. If you have licenses that are simply spare, consider who else might benefit from the software that you can legally install for no extra charge.
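One way to run this comparison, as an added example (not from the original guide): installs are counted once per PC, each product version gets a shortfall or spare figure, and shortfalls are matched against spare licenses for older versions. Product names and quantities are constructed, and whether an old license qualifies for an upgrade is assumed here; check the publisher's terms.

```python
from collections import Counter

def vtuple(version):
    """'9.0' -> (9, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def reconcile(installs, licenses):
    """installs: (pc, product, version) rows; licenses: {(product, version): qty}."""
    # set() drops duplicate rows, e.g. a PC that was audited twice.
    installed = Counter((prod, ver) for _pc, prod, ver in set(installs))
    report = {}
    for key in sorted(set(installed) | set(licenses)):
        used, held = installed.get(key, 0), licenses.get(key, 0)
        report[key] = {"installed": used, "licensed": held,
                       "shortfall": max(used - held, 0),
                       "spare": max(held - used, 0)}
    return report

def plan(report):
    """Cover each shortfall from spare older-version licenses where possible."""
    spare = {key: row["spare"] for key, row in report.items()}
    actions = {}
    for (product, version), row in report.items():
        need, upgrades = row["shortfall"], 0
        if not need:
            continue
        for (prod, ver) in spare:
            # Assumption: any older version of the same product can be upgraded.
            if prod == product and vtuple(ver) < vtuple(version):
                take = min(spare[(prod, ver)], need - upgrades)
                spare[(prod, ver)] -= take
                upgrades += take
        actions[(product, version)] = {"upgrade_from_old": upgrades,
                                       "buy_or_uninstall": need - upgrades}
    return actions

# Constructed data: PC-003 appears twice, as if audited twice.
INSTALLS = [("PC-001", "ExampleOffice", "10"), ("PC-002", "ExampleOffice", "10"),
            ("PC-003", "ExampleOffice", "10"), ("PC-003", "ExampleOffice", "10"),
            ("PC-004", "ExampleOffice", "10"), ("PC-005", "ExampleOffice", "10"),
            ("PC-001", "ExampleCAD", "4")]
LICENSES = {("ExampleOffice", "10"): 2, ("ExampleOffice", "9"): 2,
            ("ExampleCAD", "4"): 3}

if __name__ == "__main__":
    report = reconcile(INSTALLS, LICENSES)
    for key, row in report.items():
        print(key, row)
    print(plan(report))
```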

Keep it up

Once you've completed your initial audit, you'll need to monitor the situation on a regular basis. This job is much easier if your audit tool has the facility to highlight newly installed products rather than just displaying a complete list each time.

One factor that is very hard to test for is the resilience of the tool's software recognition system to future releases of products. However, dependence on file size as a means of identification will almost always mean that the next release of a product will once again become 'unidentified', and you'll have to teach it to recognize each new release.

Don't forget you'll need to upgrade your audit tool occasionally to make sure it can report the latest operating systems, CPU types etc. Don't buy an audit tool unless the publisher can tell you exactly what it will cost for upgrades. Consider tools that offer a rental rather than purchase option - the outlay is much less and access to the latest versions is usually included.