Overview

software asset management

Uploaded by

mike_g77
Copyright
© Attribution Non-Commercial (BY-NC)

Overview

With the release of the long-awaited ISO standard for software asset management (SAM), organizations now have another reference to guide the development of business practices for SAM. The ISO standard provides a structure that focuses on the policies, processes and procedures that need to be present in order to accomplish SAM goals. Part 1 of the standard, published in May 2006, identifies risk management, cost control and gaining competitive advantage as the three goals that can be achieved through proper execution of the processes for SAM. Whether your organization is pursuing those specific goals or has other priorities for the software asset management program, the standard offers a set of outcomes that can help build project task lists, requirements lists for product reviews or internal audit criteria.

How Do I Use the ISO Standard?

Like all standards, ISO 19770 provides a universal base upon which programs can be built, identifying outcomes and integrations that all programs should include. The next level of detail, the actual how-to, is not offered in a standard because that level must incorporate the specific characteristics of an organization. Characteristics that impact the execution of a SAM program include the culture of the organization, the technology environment, the processes already in place and the opportunity for automation.

To determine compliance with ISO 19770, organizations must relate their current processes to the structure in the standard and then assess compliance. Finally, the organization develops an action plan to fill in any gaps uncovered by this review. For a complete understanding of ISO 19770, a copy of the standard can be purchased from ISO ([Link]) or ANSI ([Link]); search for ISO 19770-1:2006.

The conceptual framework for the standard is broken into three categories:

- Organizational management
- Processes that define SAM
- How SAM processes interface with other lifecycle processes

Develop the Organizational Management Checklist

Software asset management begins with organization support, in the form of authority to implement and enforce the program for the organization. The outcomes identified for a control environment for SAM are:

- Corporate governance process
- Roles and responsibilities
- Policies, processes and procedures
- Competence

Corporate Governance

Formal recognition for the governance of software and related assets is emphasized, along with the development of the policies that are the foundation for any successful SAM program. Governance is tied closely to the assessment of risk in the standard so that the relationship between the program and the purpose it serves (reducing risk) is clearly defined at the corporate level. No statement of authority is complete without clarifying the scope and responsibilities that go along with that authority, and a checklist developed from the standard would ensure these essential elements are part of the organizational statement.

Roles and Responsibilities

The owner for SAM responsibilities is the next facet of organizational management required by the standard, assuring that an individual has been identified who will develop management goals for SAM and then develop a plan to execute on those goals. The standard highlights the importance of planning and identifying the resources to complete it. The standard completes the identification of responsibilities with the need to measure and to communicate results against the plan. This section acknowledges that software asset management duties may be distributed in the organization, increasing the need to communicate the high-level authorization as well as the responsibility throughout the organization. As simple as this suggestion seems, many software asset management programs are hampered by political issues that are eliminated by clear support from executive management.

Policies, Processes and Procedures

This section of the standard addresses the structure that is necessary to develop the rules and documentation that are the foundation for software asset management. Policies are the essential governing document, identifying the responsibilities of each individual in the organization regarding assets and their use. Processes are defined by outcomes, while procedures are the tasks that accomplish those outcomes. Although the standard does not list all policy topics necessary for a SAM program, it does specifically mention the importance of:

- Corporate governance and the responsibilities of software and related asset management
- Compliance to legal and regulatory requirements
- Rules guiding procurement
- Requiring approvals
- Enforcement for violation

Competencies in SAM

The control or structure section of ISO 19770 ends with a set of outcomes directed at ensuring that the individuals responsible for software asset management have the training and certifications necessary to perform the work. Education on licensing is described as software manufacturer-specific, and the standard mentions the need to understand what constitutes proof of licensing for each software manufacturer.

Planning

The organizational management section describes the planning and implementation processes for SAM. Focus is placed on the structure for software asset management that is necessary for goal achievement. The relationship to the well-known planning elements of ISO 9001 is clear and referenced in the document. Of special note in this section is the acknowledgement of the value of automation, ensuring that processes are efficient and less error prone.

Implementation

Implementation structure is presented as the mechanisms for collecting information and reporting through regular status reports. With the depth of structure already described in this standard as well as other standards for project planning, there is little to add regarding implementation that has not already been covered. ISO 19770 refers to local SAM owners throughout the document, a practical addition to the standard since software asset management responsibilities are often distributed by location for today's multi-location and multi-national corporations.

Monitoring and Review

Monitoring includes the evaluation of everything developed to perform software asset management, auditing the structural elements for efficacy at meeting the management objectives for SAM. It establishes the requirement for periodic review and approval by the SAM owner, and notes the possibility that service level agreements need to be considered during this process.

Continual Improvement

This section recognizes the importance of cyclical review and improvement, requiring a mechanism to collect and document suggestions throughout the year.
The Processes that Define SAM

The processes are categorized as inventory processes, verification and compliance, and operations management in the ISO standard. Software assets have always been the most difficult to control, relating the intangible applications to the tangible documentation and media. The great variability in the labeling of component parts of a software application, the ways software can be licensed and the difficulty in tracking versions of software require focus on inventory first, to be followed by the actual uses for the information. The following list provides an overview of the SAM processes outlined in the standard with some examples of the action items that organizations would need to have in place in order to be compliant.

SAM Processes defined by ISO 19770:

Software Asset Identification

- Define the scope of software assets that should be managed
- Define the descriptive elements and license documentation that must be kept

Software Asset Inventory Management

- Maintain an inventory of the physical software to ensure proper storage of media
- Maintain an inventory of installed software
- Quantify software license usage

Software Asset Control

- Build an audit trail of changes to software and changes that impact the software

Software Asset Record Verification

- Reconcile what is installed on each platform to the installations approved
- Perform a license review to verify that proofs are available and accurately counted

Software licensing compliance

- Conduct license reconciliation to confirm adequate licensing

Software asset security compliance

- Ensure that there are appropriate controls on masters and distribution copies of software

Conformance verification for SAM

- Confirm compliance to this standard through proper policies, procedures and documentation

Relationship and contract management for SAM

- Define responsibilities for supplier management
- Develop a supplier review procedure
- Ensure that contractual details are documented

Financial management for SAM

- Develop a formal budget for the acquisition of software
- Compare actual expenditure against budgeted amount

Service level management for SAM

- Service level agreements are developed for all steps in the software lifecycle
- Hold regular reviews of performance against service levels

Security management for SAM

- Secure information through access controls
- Document controls and procedures

The SAM Application of Standard Life Cycle Processes

In this section of the standard, lifecycle processes that are not specific to software are identified. The standard relates the processes to SAM and presents the application of the process to software asset management. The lifecycle processes identified are:

- Change management
- Acquisition
- Software development
- Software release management
- Software deployment
- Incident management
- Problem management
- Retirement

Coordination with these external processes assures achievement of the control and documentation of software. Points of particular interest include:

- Standard software configurations are required as part of the Acquisition process
- Verification for authenticity for licenses is highlighted
- Controlled acceptance testing is required, although the details of that process are not specified in 19770
- Software deployment requires a back out procedure
- Problem resolution reflects prioritization and analysis of underlying causes
- Removal of unlicensed software from use is not considered a resolution to a licensing shortfall problem as an obligation is created through use
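The record verification and license reconciliation items above, together with the point that removing unlicensed software does not clear a shortfall, can be sketched as follows. This is an added example, not part of the standard or of the original document: the `Install` record, the `reconcile` function and the sample data are constructed for illustration, and counting removed copies toward usage is an assumption that models the "obligation is created through use" point.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    """One inventory record: a software title found on a platform."""
    host: str
    title: str
    removed: bool = False  # uninstalled after it had already been in use


def reconcile(installs, approved, entitlements):
    """Compare the inventory with approvals and with license entitlements.

    installs     -- iterable of Install records (installed-software inventory)
    approved     -- dict: host -> set of titles approved for that host
    entitlements -- dict: title -> number of licenses with proof on file
    """
    # Collapse repeated scans of the same host/title into one record.
    # A copy counts as removed only if no record shows it still present.
    state = {}
    for i in installs:
        key = (i.host, i.title)
        state[key] = state.get(key, True) and i.removed

    # Record verification: currently installed but never approved for the host.
    unapproved = sorted(
        (host, title)
        for (host, title), removed in state.items()
        if not removed and title not in approved.get(host, set())
    )

    # License reconciliation. Removed copies still count toward "used"
    # (assumption: use created an obligation that uninstalling does not cancel).
    installed = Counter(t for (_, t), removed in state.items() if not removed)
    used = Counter(t for (_, t) in state)
    positions = {}
    for title in sorted(set(used) | set(entitlements)):
        entitled = entitlements.get(title, 0)
        positions[title] = {
            "installed": installed[title],
            "used": used[title],
            "entitled": entitled,
            "shortfall": max(0, used[title] - entitled),
            "surplus": max(0, entitled - used[title]),
        }
    return {"unapproved": unapproved, "positions": positions}


def sample_report():
    """Run the reconciliation over constructed sample data."""
    installs = [
        Install("ws-01", "EditorPro"),
        Install("ws-02", "EditorPro"),
        Install("ws-03", "EditorPro", removed=True),  # removed after use
        Install("ws-02", "PacketTool"),               # never approved
        Install("srv-01", "DBServer"),
    ]
    approved = {
        "ws-01": {"EditorPro"},
        "ws-02": {"EditorPro"},
        "ws-03": {"EditorPro"},
        "srv-01": {"DBServer"},
    }
    entitlements = {"EditorPro": 2, "DBServer": 1}
    return reconcile(installs, approved, entitlements)


if __name__ == "__main__":
    report = sample_report()
    print("Unapproved installs:", report["unapproved"])
    for title, pos in report["positions"].items():
        print(title, pos)
```

In the sample, EditorPro shows two current installs against two licenses, yet the removed third copy still leaves a shortfall of one.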

ISO/IEC 19770 is an international standard about Software Asset Management (SAM) and consists of three main parts.

1. ISO/IEC 19770-1 is a process framework to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall.
2. ISO/IEC 19770-2 provides a software asset management (SAM) data standard for software identification tags.
3. ISO/IEC 19770-3 will provide a software asset management (SAM) data standard for software licensing entitlement tags.

In addition, an overview document with an introduction and glossary for the ISO/IEC SAM standards and a technical report on tag management are being developed.

ISO/IEC 19770-1: Processes


ISO/IEC 19770-1 is a framework of Software Asset Management (SAM) processes to enable an organization to prove that it is performing software asset management to a standard sufficient to satisfy corporate governance requirements and ensure effective support for IT service management overall. This part of ISO/IEC 19770-1 describes the life cycle processes for the management of software and related assets.[1][2] A revision of this standard was published in 2012. This revised standard is designed to allow the implementation of SAM processes to be "accomplished in multiple increments and to that increment most suited to the needs of the organization."[3]

ISO/IEC 19770-2: Software identification tag


ISO/IEC 19770-2 provides a software asset management (SAM) data standard for software identification (SWID) tags. Software ID tags provide authoritative identifying information for installed software or other licensable item (such as fonts, or copyrighted papers). This process starts with the software manufacturer/publisher who will use this standard to enable their software to be accurately identified, making the software significantly more manageable from a software asset management perspective. Providing accurate software identification data also improves organizational security, and lowers the cost and increases the capability of many IT processes such as patch management, desktop management, help desk management, software policy compliance, etc. This standard provides much more than just software identification however, by allowing other members of the SAM eco-system to add their own attributes to the software identification process (including who distributed the software, who may have re-packaged the software, if the software is following an ISO 20000 / ITIL release process, etc.).

SWID tags can also be created by software purchasing organizations. Tags can be created for commercial software that is purchased but does not include a SWID tag. SWID tags can also be utilized to track software built in-house.

A draft of this standard was initially developed by a committee of the International Business Software Managers Association (IBSMA). The last version of the draft standard created by the IBSMA committee went out for public review in May 2007. In October 2007, members of ISO/IEC Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21) met in Montreal and created an "other working group" (OWG) to continue the development of the 19770-2 standard with the goal of finalizing the standard in time for the ISO Plenary meeting to be held in May 2008 in Berlin. At that time, Steve Klos of Agnitio Advisors was appointed as the convener of the other working group (OWG). In late December 2007, the OWG was allowed to restart work on the standard.

According to schedule, the ISO/IEC JTC1/SC7 plenary meeting took place in Berlin on May 18-23, 2008. The JTC1/SC7 resolutions included the appointment of Krzysztof (Chris) Baczkiewicz, IT Standards Support Department Manager for Eracent, as the Editor of both the 19770-2 Software Identification Tag and 19770-3 Software Entitlement Tag standards. This standard was finalized and published in November 2009.

As the document was nearing publication, a non-profit organization called [Link][4] was formed. The organization was formed under IEEE-ISTO[5] with the initial founding members being Symantec, CA Technologies, Microsoft and ModusLinkOCS. The organization will act as a registration and certification authority for ISO/IEC 19770-2 software identification tags (SWID tags) and will provide tools and services allowing all SAM eco-system members to take advantage of SWID tags faster, with a lower cost and with more industry compatibility than would otherwise be possible. [Link] continues to promote the use of the standard by commercial organizations and has been recognized for its service to the software community by ISO/IEC JTC1 SC7 WG21. [Link] received the Platinum Contributor award for its efforts today - see [Link] for more details.

Some software installation packaging tools utilize SWID tags. These products include:

- Caphyon's Advanced Installer
- Flexera Software's InstallShield
- Flexera Software's InstallAnywhere
- Open Source - WiX

Many software discovery tools already utilize SWID tags. These products include: Altiris, Aspera License Management, CA Technologies discovery tools, Eracent's EnterpriseAM, Flexera Software's FlexNet Manager Platform, HP's DDMI and Software Management Suite.

Adobe has released multiple versions of their Creative Suites products with SWID tags. Symantec has also released multiple products that include SWID tags and is committed to helping move the software community to a more consistent and normalized approach to software identification and eventually to a more automated approach to compliance (see [Link]).

The US Federal Government has identified 19770-2 SWID tags as an important aspect of the efforts necessary to manage compliance activities, logistics and security. The 19770-2:2009 standard has been approved to be added to the US DoD Information Standards Registry (DISR) as an emerging standard in September 2012. This means that the DoD can start to specify SWID tags as a desired requirement for software acquisitions today, and within 12 to 24 months after the DISR approval, the DoD will be able to transition the purchase requirements from desired to mandated.

ISO/IEC 19770-3: Software entitlement tag


ISO/IEC 19770-3 will provide a software asset management (SAM) data standard for software licensing entitlement tags. Software entitlement tags are computer files that provide authoritative identifying information about software licensing rights. The ISO/IEC 19770-3 Other Working Group ("OWG")[6] was convened by teleconference call on 9 September 2008. Seven subcommittees were defined and a regular meeting schedule was chosen. The mandate for this OWG will extend through the May 2009 ISO/IEC Plenary conference. It is anticipated that a Final Committee Draft will be submitted by the OWG to WG21 at that time. John Tomeny of Sassafras Software Inc was appointed as the convener of the ISO/IEC 19770-3 Other Working Group by Working Group 21 (ISO/IEC JTC 1/SC 7/WG 21). In addition to WG21 members, other participants in the 19770-3 OWG may be any "individuals considered to have relevant expertise by the Convener".[7] As mentioned above, Krzysztof (Chris) Baczkiewicz of Eracent also holds the role of the Editor for the ISO/IEC 19770-3 standard.

Assessment Models
There are a few assessment models available for end-users or service organizations to use when evaluating SAM processes. This area provides links to a variety of sources.

Microsoft's SAM Optimization Model


Microsoft, in association with a number of SAM consulting organizations, created an assessment model that's based on the ISO/IEC 19770-1 standard, but that provides a much more practical set of measures for organizations that may just be getting into a SAM program, or still have newer SAM programs under development. This assessment model focuses on 10 specific key competencies, each with very specific key performance indicators that give a clear understanding of the maturity of an organization's SAM program.

Company: Agnitio Advisors
Web site: [Link]
Description: This site has a white paper and other information on the SAM Optimization Model. To get access to the whitepaper, register on the site and proceed to the file download section.

Company: Microsoft
Web site: [Link]/sam
Description: This site has a lot of information available for SAM programs. Much of the information is provided for download so you can use the tools and access the documents directly from your system. While you're on the site, try out the ROI calculator; you may find it helpful to justify your SAM program when working with upper managers.

Company: Microsoft Momentum
Web site: [Link] Event ID: 1032369765
Description: This is a recorded presentation providing information about the Microsoft SAM Optimization Model.

ISO/IEC 19770-1 Assessments


Conformance with ISO/IEC 19770-1 is relatively difficult at the moment since conformance requires that all processes defined in the standard are in place. ISO is working to develop a tiered assessment and conformance model, and as those definitions progress, programs to handle the assessments will become more readily used by corporations. In the meantime, it is beneficial for organizations to assess their SAM processes against the ISO/IEC 19770-1 standard to determine process areas that may provide a larger risk profile than an organization is comfortable with, or to find potential areas for savings! Obviously, improving productivity or increasing corporate agility are also benefits of effective SAM programs and of the best practices defined in the ISO/IEC 19770-1 standard, but the real drivers of SAM programs tend to be based on cost savings.

To do a self-assessment, or when working with a 3rd party to do an independent assessment against the standard, you should first get a copy of the standard and understand the details presented in the document. You can find details on where to get a copy of the standard in the section detailing ISO/IEC 19770-1 information. After you've purchased and reviewed the standard, you may be interested in checking out the following sites:

Company: Agnitio Advisors
Web site: [Link]
Description: By registering on this site, you can get a free personal use copy of an assessment template that focuses on the 27 higher level sections defined in the standard. This template will assist you in any in-house assessment and may also be helpful when working with a 3rd party assessment organization to track your own findings as a comparison to their findings.

Company: ISO/IEC Tiered approach to conformance with ISO/IEC 19770-1
Web site: [Link]
Description: Working Group 21 (WG21) is developing a tiered approach to conformance with ISO/IEC 19770-1. Go to the official WG21 web site for the latest information on the tiered approach to conformance.

Company: Microsoft Momentum
Web site: [Link] Event ID: 1032365106
Description: This is a recorded presentation discussing the process of doing an assessment against ISO/IEC 19770-1.

Communications Forums
There aren't a lot of areas for practitioners, tool vendors, and software publishers to discuss SAM topics in an environment that's non-threatening, but informative. The following forums and informal groups may be of interest to ask questions, get answers and provoke discussions.

Company: Agnitio Advisors
Web site: [Link]
Description: Register on this site and you'll get access to forums discussing everything from ISO standards, to tools to training classes. Registration is open to anyone and there is no restriction other than registration to access the forums and post questions/comments/issues and suggestions.

Company: LinkedIn Groups
Web site: [Link]
Description: There are multiple SAM groups that have been created in LinkedIn: Global Society for Asset Managers Licensing and SAM ISO 19770 IT Asset Management Global SAM Optimization Model SAM User Platform Software Asset Management

Company: IAITAM forums
Web site: [Link]/[Link]
Description: IAITAM provides knowledge and advice to the IT Asset Management community around the world! This organization is one of the larger user communities focused on IT Asset Management and the forums are hosted for members only.

Copyright Information
Software legal procedures fall under Title 17 of the US Code - copyrights. Section 106 of the 1976 Copyright Act provides the owner of materials the exclusive rights to their materials. This includes reproduction of the materials. Software is protected with these ideas in mind and copyright penalties can be very severe.

Company: US Government
Web site: [Link]
Description: This site provides education, searchable records, details on how to file a copyright and specific links to law and policy information.

Industry Trade Organizations


Software publishers want to help their customers stay compliant with software entitlements, but they also need to protect their intellectual property, especially if an entity using their software is doing so willfully. Industry trade organizations work as specialists in the intellectual property and copyright areas and help end-users through training, services and marketing. They will also, at times, represent software publishers when required to ensure end-user organizations are honoring the intellectual property rights of the software publisher.

Company: Business Software Alliance (BSA)
Web site: [Link]
Description: This site provides information for employers (who are liable for the actions of their employees), maintains a list of resources that can help with SAM and also provides a free audit tool anyone can download and use.

Company: Software & Information Industry Association (SIIA)
Web site: [Link]
Description: This site provides information on conferences, training, news and newsletters focused on both software and content (i.e. music, video, etc).

News Resources
With Software Asset Management being a specialized field, there are few resources available for good, impartial news on the subject. Take a look at the following and send us feedback if there are others you would like to see added to the list.

Company: The ITAM Review
Web site: [Link]
Description: The ITAM Review is an online community for worldwide ITAM professionals with a mission to provide independent industry news, reviews, resources and networking opportunities to Vendors, Partners, Consultants and End Users working in the areas of IT Asset Management, Software Asset Management or Software Licensing.

Professional Organizations
There are organizations out there working to help their members with details on how to implement and leverage SAM programs.

Company: International Association of Information Technology Asset Managers (IAITAM)
Web site: [Link]
Description: This site provides a number of papers, presentations, knowledge base, etc. for Asset Management in general. SAM is only a portion of their focus; they also provide information on hardware asset management.

Company: Investors in Software
Web site: [Link]
Description: This organization is working to "advance professionalism in software asset management and related IT asset management, to enable individuals and organisations to improve effectiveness and efficiency".

SAM Training
There are some organizations offering training focused on Software Asset Management.

Company: International Association of Information Technology Asset Managers
Web site: [Link]
Description: This organization provides training for Software Asset Management and IT Asset Management. Courses allow for a certification at the successful completion of a test, but the certification is by and for IAITAM and is not managed by a 3rd party organization.

Company: LicenseLogic
Web site: [Link]
Description: This organization specializes in training for software asset management and copyright information. LicenseLogic provides a test for certification purposes and certification is provided through SIIA, so is recognized by an industry organization.

Software Publisher SAM sites


Software publishers provide a lot of detail about SAM processes, procedures and policies. The following is a listing of the larger resources available.

Company: Adobe
Web site: [Link]/elicensing/licensemanagement/sam/
Description: This Adobe site provides general information about Software Asset Management as well as definitions of tool types, SAM partners, etc.

Company: Microsoft
Web site: [Link]/sam
Description: This site has a lot of information available for SAM programs. Much of the information is provided for download so you can use the tools and access the documents directly from your system. While you're on the site, try out the ROI calculator; you may find it helpful to justify your SAM program when working with upper managers.

Company: Microsoft SAM test review materials
Web site: [Link]
Description: Microsoft provides a certification test for partners who decide to specialize with a focus in SAM programs. This test, number 70673, has a test guide that provides numerous resources to both Microsoft documentation as well as to other references on the web.

Standards based information


There are a number of standards out there focused on helping with SAM programs. The primary standards available are part of the ISO/IEC 19770 standard.

ISO/IEC 19770-1:2006 Information technology -- Software asset management -- Part 1: Processes


Company: Agnitio Advisors
Web site: [Link]
Description: This site provides information about ISO/IEC 19770-1 as well as basic templates end-users can use to do their own self-assessments. Agnitio Advisors also provides assessment services to help you understand how effective your SAM program is today and how it can be improved.

Company: Investors in Software
Web site: [Link]
Description: IiS is a not-for-profit organisation limited by guarantee under English law (Company Number 0542717) with a mission to support and advance professionalism in software asset management and related IT asset management, to enable individuals and organisations to improve effectiveness and efficiency. Investors in Software played a major role in the development of the ISO/IEC 19770-1:2006 Standard.

Company: International Organization for Standardization (Order a copy of the standard)
Description: ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. ISO is a network of the national standards institutes of 157 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a nongovernmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.

ISO/IEC 19770-1:Revised Information technology -- Software asset management -- Part 1: Processes


The SAM Process standard - ISO/IEC 19770-1:2006 is going through a revision cycle to include 4 tiers of conformance. Now, instead of an all-or-nothing conformance, organizations can address specific process areas and achieve conformance for a specified tier. Along with the tiers, new training is available for individuals who want to receive a recognized certification of knowledge - this training is provided by the BSA through its SAM advantage program ([Link]). Finally, various best practice libraries such as the IAITAM Best Practice Library ([Link]) include cross references to the various process areas defined in the 19770-1 standard.

The revision work is available for an extended public review process that will continue from now until March 1, 2011. To download a free copy of the preview, visit the websites of the following organizations, each of which is a liaison to the WG 21 team:

- BSA - Business Software Alliance
- IAITAM - International Association of IT Asset Managers
- ISACA/ITGI - Information Systems Audit and Control Associations / IT Governance Institute
- itSMFI - IT Service Management Forum International

Please ensure that all feedback is provided through the survey link specified in the document, or through e-mail to enquiries@[Link]. All associations working to develop this standard are working with WG 21 and the Development Group, and are recommending feedback go through the survey site. In particular, neither the US TAG, nor any of its members have any mandate to consolidate feedback for this development effort at this time. For further information about downloading and the review process, please visit the official website of WG21 at [Link]. Refer to one of the liaison companies (all of which are listed above) who are helping to move SAM standards forward in a productive and effective manner, download the draft copy of the revision to this important standard and provide your input directly to the working group!

ISO/IEC 19770-2:draft - Information technology - Software asset management - Part 2: Software identification tag
Note - the ISO/IEC 19770-2 draft specifying software identification tag structures was submitted as a final draft international specification (FDIS) in May of 2009. It is expected to be in FDIS status for 2 months followed by a vote by all SC7 national specifications bodies. If the FDIS version is approved, ISO editorial will then provide final ISO edits to ensure the document meets ISO standards, then the document will be published and available for purchase. It is expected that the 19770-2 draft will be available as a published international standard in 2009.

Company: Agnitio Advisors
Web site: [Link]
Description: Steve Klos from Agnitio Advisors was the convener of this standard and played a major role in the development of the standard. The Agnitio Advisors web site has information regarding this standard. The standard will become a final committee draft (FCD) in September of 2008. At that time, distribution of the draft standard is no longer allowed. After ISO reviews the standard, votes on it and eventually improves it for publication, the standard will be available from the [Link] site.

Company: Amazon
Web site: Order a printed copy of the standard
Description: [Link] will provide printed copies of the standard. If you prefer to get the electronic version, you can purchase it from ANSI or ISO.

Company: Investors in Software
Web site: [Link]
Description: IiS is a not-for-profit organisation limited by guarantee under English law (Company Number 0542717) with a mission to support and advance professionalism in software asset management and related IT asset management, to enable individuals and organisations to improve effectiveness and efficiency. Investors in Software played a major role in the development of the ISO/IEC 19770-1:2006 Standard.

Company: International Organization for Standardization
Web site: Order an electronic copy of the standard
Description: ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. ISO is a network of the national standards institutes of 157 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.

Company: [Link]
Web site: [Link]
Description: [Link] is a non-profit organization formed under the structure of IEEE-ISTO. [Link] is a membership driven organization designed to be the registration authority for ISO/IEC 19770-2 software identification tags (SWID tags). TagVault provides a forum for information sharing resources among software publishers, tool providers and SAM practitioners. TagVault will provide a shared library of technical knowledge and software tools including consistent cross-vendor, cross-platform APIs.

Company: Working Group 21
Web site: [Link]
Description: Working Group 21 (WG21) - officially, this is ISO/IEC JTC1 SC7 WG 21 - is the working group responsible for Software Asset Management specifications. This web site provides the latest information on SAM standards currently available and those under development.

ISO/IEC 19770-3:draft - Software asset management - Part 3: Software entitlement tag


Company: ISO/IEC 19770-3 other working group
Web site: [Link]/iso
Description: John Tomeny is the convener of the other working group developing the ISO/IEC 19770-3 draft standard on software entitlement tags. The web page hosted on the sassafras web site provides details on how to join the OWG as well as some details and status about the development of the standard.

Company: Working Group 21
Web site: [Link]
Description: Working Group 21 (WG21) - officially, this is ISO/IEC JTC1 SC7 WG 21 - is the working group responsible for Software Asset Management specifications. This web site provides the latest information on SAM standards currently available and those under development.

Standards Organizations
There are multiple organizations focused on the development or administration of IT based standards.

Company: Official ITIL web site
Web site: [Link]/home/[Link]
Description: [Link] stands for Information Technology Information Library. ITIL provides a whole ecosystem centered around setting up and managing the best practices of service management.

Company: Official ISO web site
Web site: [Link]
Description: ISO provides standards on a wide range of topics. Of particular interest to SAM ecosystem members are ISO/IEC 20000 and the ISO/IEC 19770 series.

Company: Official web site for the ISO/IEC JTC1/SC7 Working Group 21 (WG21) (Software Asset Management)
Web site: [Link]
Description: Working Group 21 (WG21) is the working group responsible for Software Asset Management specifications. This web site provides the latest information on SAM standards currently available and those under development.

Company: Official W3C web site
Web site: [Link]
Description: This website provides an extensive array of recommendations for internet based standards work. Information on how to define XML Schema documents (XSDs), and how to use XML based data, can be found on this site.

Company: Official IETF web site
Web site: [Link]
Description: IETF provides standards that cover a wide range of network and Internet items.

What is ITIL?
ITIL is the most widely adopted approach for IT Service Management in the world. It provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business.

ITIL: Overview and Benefits


ITIL advocates that IT services must be aligned to the needs of the business and underpin the core business processes. It provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth. The ITIL best practices are currently detailed within five core publications which provide a systematic and professional approach to the management of IT services, enabling organizations to deliver appropriate services and continually ensure they are meeting business goals and delivering benefits. The five core guides map the entire ITIL Service Lifecycle, beginning with the identification of customer needs and drivers of IT requirements, through to the design and implementation of the service into operation and finally, on to the monitoring and improvement phase of the service. Adopting ITIL can offer users a huge range of benefits that include:

improved IT services
reduced costs
improved customer satisfaction through a more professional approach to service delivery
improved productivity
improved use of skills and experience
improved delivery of third party service.

ITIL Users
ITIL has been adopted by thousands of organizations worldwide, such as NASA, the UK National Health Service (NHS), HSBC bank and Disney. ITIL is also supported by quality services from a wide range of providers including examination institutes, accredited training providers and consultancies, software and tool vendors and well known service providers such as IBM, Telefonica, HP and British Telecom (BT). A comprehensive qualifications scheme offering a variety of training courses and certifications has been developed against the guidance. This scheme can help organizations to effectively implement ITIL, achieving success by ensuring that employees have the relevant knowledge, skills and techniques, but most importantly, ensuring the entire organization is using a common language and is fully invested in the process. ITIL Best Practices also underpin the foundations of ISO/IEC 20000 (previously BS15000), the International Service Management Standard for organizational certification and compliance. Organizations can therefore implement ITIL to achieve organizational certification.

19770-1
ISO/IEC 19770-1 is the Software Asset Management process standard. It is aligned to Service Management (ISO/IEC 20000-1), and contains 27 process areas, with objectives and detailed outcomes defined for each. The first generation was published in 2006. The second generation was published in 2012. It retains the original content (with only minor changes), but splits the standard up into four tiers which can be attained sequentially. These tiers are:

Tier 1: Trustworthy Data
Tier 2: Practical Management
Tier 3: Operational Integration
Tier 4: Full ISO/IEC SAM Conformance

There is a white paper available about the revision. Please see the 'File Repository' tab of this website to download the file entitled ISO SAM Processes - A Play In Acts. More information on the past and recent work of the Tiered SAM Processes development group is at: [Link]

There are plans to revise 19770-1 in several years in generation 3 to be a full Management System Standard. Please see the 'File Repository' tab of this website to download the file entitled Breaking Down the Silos - The Future of ISO Standards for SAM and ITAM.

Overview and how to purchase


The ISO/IEC 19770-2:2009 standard specifies the structure and basic usage of software identification. The standard is available for purchase from the ISO and ANSI online stores, or your country's standards body. The XSD is also available for electronic access from the ISO website. Any organization, whether it is a software publisher or a software purchaser, can create standardized software identification (SWID) tags that are installed at the same time a software product is installed.

Benefits of SWID tags


Installing software that has a SWID tag lowers the cost of software asset management by increasing the accuracy and consistency of software identification. Software asset management (SAM) programs are less expensive to implement and will support a broader portfolio of software. Since SWID tags provide a consistent set of values, large organizations that have multiple discovery tools across business units, locations or platforms now have a way to consolidate and reconcile inventories. Benefits of SWID tags extend well beyond software compliance activities encompassing any IT process that relies on accurate software inventory including security compliance, patch management, desktop management, help desk processes and corporate policy compliance. Organizations gain significant value for operational security programs. Cost savings are recognized by all members of the SAM ecosystem from the publishers, to tool and service providers to the software purchasers.

What's in a SWID tag?


SWID tags are XML files that follow a standard structure for detailed information about the specific software product. The standard defines 7 mandatory elements and 30 optional elements. The standard also allows for extensions to the structure of SWID tags to ensure the tags provide any data required by the publisher, tool provider, software purchaser or registration/certification authorities. Finally, due to the fact that the SWID tags are XML files, it is possible for additional information to be added to a tag by a downstream user. For example, an organization deploying software may want to indicate who tested and released a particular product and when - that information can now be included in the SWID tag and collected during inventory processing.
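
The following Python is an added example, not part of the original document or of the standard. It checks collected SWID tags for the seven mandatory elements and merges the inventories of two discovery tools on the tag's software_id, the consolidation described under "Benefits of SWID tags". The element names are an assumption taken from the 2009 schema (the page gives only the count), and the publisher, regid, namespaces, hosts and tool names are constructed.

```python
import xml.etree.ElementTree as ET

# The seven mandatory elements of a 19770-2:2009 tag. The page gives only
# the count; these names are an assumption taken from the 2009 schema.
MANDATORY = (
    "entitlement_required_indicator", "product_title", "product_version",
    "software_creator", "software_licensor", "software_id", "tag_creator",
)

def _local(tag):
    """Drop the '{namespace}' prefix so matching ignores the schema URI."""
    return tag.rsplit("}", 1)[-1]

def _child(elem, name):
    if elem is None:
        return None
    return next((c for c in elem if _local(c.tag) == name), None)

def _text(elem, name):
    child = _child(elem, name)
    return (child.text or "").strip() if child is not None else ""

def parse_swid(xml_text):
    """Parse one tag; return (record, names of missing mandatory elements)."""
    # Tags are collected from endpoints, so treat them as untrusted input:
    # refuse any DTD rather than let the parser expand entity declarations.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in a SWID tag")
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "software_identification_tag":
        raise ValueError("root element is not a SWID tag")
    missing = [m for m in MANDATORY if _child(root, m) is None]
    sid = _child(root, "software_id")
    record = {
        "key": (_text(sid, "tag_creator_regid"), _text(sid, "unique_id")),
        "title": _text(root, "product_title"),
        "version": _text(_child(root, "product_version"), "name"),
    }
    return record, missing

def reconcile(inventories):
    """Merge {tool: [(host, tag_xml), ...]} into one view keyed by software_id."""
    products, rejected = {}, []
    for tool, items in inventories.items():
        for host, xml_text in items:
            try:
                rec, missing = parse_swid(xml_text)
            except (ET.ParseError, ValueError) as exc:
                rejected.append((tool, host, str(exc)))
                continue
            if missing or not all(rec["key"]):
                rejected.append((tool, host, "incomplete: " + ", ".join(missing)))
                continue
            entry = products.setdefault(rec["key"], {
                "title": rec["title"], "versions": set(),
                "hosts": set(), "tools": set()})
            entry["versions"].add(rec["version"])
            entry["hosts"].add(host)
            entry["tools"].add(tool)
    return products, rejected

# Constructed sample data: publisher, regid, namespaces, ids and hosts are made up.
TEMPLATE = """<swid:software_identification_tag xmlns:swid="{ns}">
 <swid:entitlement_required_indicator>true</swid:entitlement_required_indicator>
 <swid:product_title>Example Editor</swid:product_title>
 <swid:product_version><swid:name>{ver}</swid:name></swid:product_version>
 <swid:software_creator><swid:regid>{regid}</swid:regid></swid:software_creator>
 <swid:software_licensor><swid:regid>{regid}</swid:regid></swid:software_licensor>
 <swid:software_id><swid:unique_id>ExampleEditor-4</swid:unique_id><swid:tag_creator_regid>{regid}</swid:tag_creator_regid></swid:software_id>
 <swid:tag_creator><swid:regid>{regid}</swid:regid></swid:tag_creator>
</swid:software_identification_tag>"""

def sample_tag(ver, ns="urn:example:swid-2009"):
    return TEMPLATE.format(ns=ns, ver=ver, regid="regid.2010-01.com.example")

SAMPLE = {
    "agent_a": [("host-a", sample_tag("4.2")), ("host-b", sample_tag("4.2"))],
    "scanner_b": [
        ("host-b", sample_tag("4.2", ns="urn:example:swid-2008")),
        ("host-c", sample_tag("4.3")),
        # Mandatory tag_creator element replaced by an unknown one.
        ("host-d", sample_tag("4.2").replace("swid:tag_creator>", "swid:tag_author>")),
        ("host-e", '<!DOCTYPE t [<!ENTITY a "b">]>' + sample_tag("4.2")),
    ],
}

if __name__ == "__main__":
    for part in reconcile(SAMPLE):
        print(part)
```

Because both tools report the same software_id, host-b is counted once even though its two tags declare different namespaces; the incomplete and DTD-bearing tags are set aside for review instead of entering the inventory.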

The importance of SWID tags for entitlement management


SWID Tags have been designed to work hand-in-hand with software entitlement tags (based on the draft ISO/IEC 19770-3 standard). When 19770-3 is published and implemented, organizations across the software ecosystem will see a significant automation in compliance tools as well as many new and interesting tools in the license optimization space.

Additional Information Resources


[Link] is the certification authority for SWID tags and a non-profit program of IEEE-ISTO. Since the standard was published in 2009, [Link] has proactively ensured that the market has the tools, technology and information available to create, digitally sign and use software tags. The overall goal of [Link] is to ensure the initial implementation of SWID tags is done as smoothly, quickly and at the least cost possible for all members of the software market. That means that [Link] also specifies the certification requirements to ensure consistent use of the element data values that the SWID tags provide.

ISO/IEC 19770-3 Vision:


International Standards for Software Asset Management (SAM) provide a model to follow in setting up and operating an asset management system specifically oriented to the management of software assets. The model incorporates the features on which experts in the field have reached a consensus as being the international state of the art. Through the use of the SAM family of standards, organizations can develop and implement a framework to manage their software assets and prepare for an internal or external assessment of their SAM processes. ISO/IEC 19770-3 focuses on capturing and defining the information necessary to describe how software may be used, known as the entitlement. This standard will provide a framework and criterion of measurement for creating unambiguous definitions of entitlements. The -3 tags will assist in effective software licensing reconciliation, demonstration of compliance, software cost reduction, and proof of ownership. The following is a summary of the ISO/IEC 19770-3 Software Entitlement Tag, and how it fits into the SAM ecosystem. A companion standard, ISO/IEC 19770-2, published in 2009, provides a standard for authoritative identification of software installations. The -2 tags assist in complete and positive identification of installed software. While entitlement tags, specified in 19770-3, are designed to work with 19770-2 software identification tags, the two standards are independent and do not require the presence of each other's tags to deliver value. ISO/IEC 19770-3 is intended to be sufficiently supported and implemented by software manufacturers, modifiers and users alike to ensure the viability of achieving and validating conformance.

Implementation:
Standardization of software entitlements provides uniform, measurable data for the license compliance processes of Software Asset Management ("SAM") practice, making it possible to demonstrate ownership of entitlements, reconcile and demonstrate compliance, and optimize licensing for cost reduction.

Adoption:
For highest value in the market, it is critical for software publishers to provide -2 and -3 tags directly as part of their process. However, both 19770-2 and 19770-3 tags are designed for full implementation by any member of the SAM ecosystem (end-users, tool providers, service providers, resellers, software publishers, etc.) without dependency on other ecosystem participants. Ideally, software manufacturers will include 19770-2 identification tags with their software products and provide 19770-3 entitlement tags through their order fulfillment systems. These process enhancements will help every member of the SAM ecosystem to accurately identify and manage software usage and entitlement consumption. The value of the 19770-2 or the 19770-3 standards does not depend upon software publisher adoption for SAM practitioners to experience the benefits of this work. Both the 19770-2 tags and the 19770-3 tags can be created/implemented by any member of the SAM ecosystem. If a software vendor is unable or unwilling to participate, the industry can still produce viable tags. End users may build their own 19770-3 tags, both for legacy software and to conduct allocation of entitlements through creation of tags internally within their organization. This provision will make it possible: a) for SAM ecosystem adoption in absence of publisher adoption, and b) to optimize the usefulness of 19770-3 tags for SAM practitioners (end-users) to effectively reconcile, demonstrate entitlement ownership, and optimize licensing for cost reduction at any operational level within their organization.

Software Asset Management (SAM) Assessments

Agnitio Advisors recognizes that in order to make high value recommendations to an organization regarding their SAM program, first you need an apples to apples comparison of the current program, the IT environment and their future goals and objectives related to SAM. The best method to accomplish this is to do an assessment that includes a gap analysis of a SAM program prior to making any changes. There are different levels of assessment that can be done for an organization that range from doing a self-assessment to having an outsourcing organization come in and do an assessment with multiple options in-between. Agnitio Advisors provides assessment services based on the ISO/IEC 19770-1 standard as well as the Microsoft SAM Optimization Model. These include free templates organizations can use for their own self-assessment efforts if desired. Details of these options are provided below:

ISO/IEC 19770-1 SAM processes - Free Assessment Tool

ISO/IEC 19770-1:2006 (currently going through a revision phase) essentially requires an organization to have all SAM processes in place in order to be considered conforming to the standard. The current self-assessment template (found here - free account required and you must be logged in to the site to download the template) allows organizations to gain an understanding of what a SAM assessment is and where they believe their program's strengths and weaknesses are. The assessment template is a Microsoft Excel template (the current download version is designed to be utilized on Windows devices, contact us for support on Macintosh systems) that structures the assessment into 6 different areas. The template is self-documenting, meaning that users do not need to pay for additional course material, or go through any formal training efforts to utilize the template. The Agnitio Advisors assessment methodology incorporates an added dimension that enables organizations to analyze the maturity of the people, process and technology as they apply to SAM programs. Some organizations, for example, may have a very good process for defining the roles and responsibilities of various practitioners and may have the training to back up the process, but may utilize a tool that does not allow specialized processing based on the roles and responsibilities of the person using the tool. The assessment measurements are loosely based on the Microsoft SAM Optimization Model - essentially a 4 point numeric scale. This allows organizations to link a 19770-1 assessment directly against a Microsoft SAM Optimization Model assessment if desired. The assessment levels (and their equivalent Microsoft SAM Optimization Model levels shown in parentheses) are shown below:

0. We Fight Fires (Basic) - minimal to non-existent controls, no accountability and limited to no tools implemented.
1. We're Gaining Control (Standardized) - some controls defined, individuals receive minimal training and assigned to some roles with a few tools that capture basic data required for SAM.
2. We enable Business (Rationalized) - controls and processes defined, individuals receive regular training and assigned to most roles required for effective compliance and tools provide accurate and reliable data for SAM.
3. We're a strategic asset (Dynamic) - controls and processes defined, reviewed and regularly updated. Individuals receive regular and specialized training in how to maximize the value of the organization's software assets. Tools provide real-time compliance and usage data that is used strategically to apply software assets to maximize benefits to the organization.

As the revision of the ISO/IEC 19770-1 standard is going through the final phases to be published (expectation is for the revision to be available in 2012), the Agnitio Advisors assessment template will be updated to reflect the new tiered approach. The tiers defined in the revised standard are:

Tier 1 - Trustworthy Data: Knowing what you have so you can manage it
Tier 2 - Practical Management: Improving management controls and driving immediate benefits
Tier 3 - Operational Integration: Improving efficiency and effectiveness
Tier 4 - Full ISO Conformance: Achieving best-in-class strategic SAM

Further updates on the revision can also be found by taking the BSA SAM Advantage training program which is designed around the revised version of the standard.

ISO/IEC 19770-1 SAM processes - Assisted Assessments

The free template provides more than enough information for an organization to do an in-house assessment of a SAM program. Individuals who have a familiarity with the requirements of license compliance will not need additional training or any additional books to manage the assessment. This is especially true if they are members of an industry association such as the International Association of IT Asset Managers (IAITAM) or have taken any training from IAITAM. However, there are frequently times when an organization wants or needs to have an independent 3rd party do an assessment of a SAM program. Working with a 3rd party allows for an honest assessment that is not based on any pre-conceived notions of the program that often come with internal assessments. Agnitio Advisors is experienced with helping organizations implement assisted assessments in an efficient and economical manner. In addition to the Excel template provided for free (see above), Agnitio Advisors assisted assessments utilize interviews, surveys and data collection methodology that allows for much richer data analysis than a simple spreadsheet can provide. Our assessors have direct experience as SAM practitioners, with SAM tool development and with SAM tool assessment and review, and above all are tool and service provider agnostic. Our assessors recognize that most organizations need to focus on the business justifications for why a SAM process needs to be implemented and ensure that we understand the goals your organization has for a SAM program so we can provide a realistic and approachable set of guidelines for improving a SAM program that meet the business requirements. There is no substitute for experience and Agnitio Advisors consultants have real world experience developing technology for SAM tools, implementing policies, processes and procedures as well as doing internal and external audits for software compliance activities.
Working with an organization that does not have this background, you are likely to get a canned, one-size-fits-all approach to your SAM assessment without the benefit and depth of knowledge that come from consultants who have done this work. Agnitio Advisors is unique in this regard - we only hire consultants who have real-world experience and who fully understand not just the material they are providing, but also why that material is being presented. If you are looking at working with an organization to do an assisted assessment, ask the providers what experience the assessors and managers have outside their own organization in the SAM ecosystem. If you are interested in doing an assisted SAM program assessment, contact us for further information.

Microsoft SAM Optimization Model Assessments

Microsoft provides extensive documentation on SAM programs, policies and procedures on their website. Microsoft has also established a program with their Partners to help organizations understand and implement SAM programs - this is being done through the SAM Services program. Microsoft created these SAM Services to proactively assist Microsoft customers to build a more effective SAM program. Agnitio Advisors worked with Microsoft to develop the training program Microsoft gives to their Partners that deliver these services to ensure that Microsoft customers get a consistent and valuable experience for the three SAM services of SAM Baseline, SAM Assessment or SAM Deployment Services. There are some customers and some situations where an organization may want to utilize these services, but may want to have them provided independently of Microsoft and/or may want to utilize these services for additional or other software publishers. Agnitio Advisors' extensive knowledge of the Microsoft services as well as the fact that we developed and have delivered some of the partner training for these services puts us in a unique position to provide independent baseline reviews or assessments. If your organization is interested in applying these services independently of Microsoft, contact us for further details.

There is no substitute for Experience


The old adage of "there is no substitute for experience" rings true, and Agnitio Advisors consultants have real world experience developing SAM tools, implementing policies, processes and procedures as well as doing internal and external audits for software compliance activities. Agnitio Advisors has also been instrumental in developing the training Microsoft uses with their SAM partners to develop a consistent delivery of the SAM services. Working with an organization that does not have this background, you are likely to get a canned, one-size-fits-all approach to your SAM assessment without the benefit and depth of knowledge that come from consultants who have actually done this work. Agnitio Advisors is unique in this regard - we only hire consultants who have real-world experience and who fully understand not just the material they are providing, but also why that material is being presented and how it can be applied within a customer environment. If you are looking at working with an organization to do an assisted assessment, ask the provider what experience the assessors and managers have outside their own organization in the SAM ecosystem.

Microsoft System Center 2012 Configuration Manager can help you maintain corporate compliance and control while empowering employees to use the devices and applications they need to be productive. Configuration Manager provides key management capabilities around application delivery, desktop virtualization, device management, and security that make it possible to enable productivity amidst device proliferation while also reducing costs.

Discover Configuration Manager


Application Delivery
In the 2012 release, Configuration Manager takes a new "user-centric" approach to application delivery. You can establish policies and relationship rules that allow Configuration Manager to evaluate user identity, application dependencies, device type, and network connection in order to deliver the optimum application experience to users from whatever device or devices they happen to be using.

Desktop Virtualization
Configuration Manager is a key component of Microsoft Desktop Virtualization solutions. It provides asset, usage, and desired configuration management for personal and virtual desktops on a single infrastructure. It also integrates with Microsoft Application Virtualization (App-V) to deploy and manage virtual and physical applications, allowing you to easily scale application deployment throughout the enterprise as fully streamed virtual applications, locally delivered packages, or both.

Device Management
With the SP1 release, the Configuration Manager console interoperates with Windows Intune to manage all mobile devices through a single tool. IT can manage and deploy policies, as well as provide asset and compliance reporting across Windows RT, Windows Phone 8, iOS, and other devices.

Security
Configuration Manager serves as the management infrastructure for System Center 2012 Endpoint Protection. By aligning the client compliance and remediation capabilities of Configuration Manager with the antimalware and vulnerability protection features of Endpoint Protection, you can manage and protect your entire client infrastructure in a single solution. This consolidation can help you lower infrastructure costs and improve insight into the health and safety of your entire client environment.
