Audit Defense Your playbook for license compliance audits

Introduction
President of Aspera Technologies Inc.
Christof Beaupoil
Co-founded Aspera in 2000
13 years' experience in software asset and license management
Master's in Mechanical Engineering and Information Technology
Certified ITIL Foundation and Licensing Specialist
Led numerous license management projects for international corporations
Agenda
10 Steps
1. Announcement / Audit Announcement Letter (AAL)
2. Access / Confidentiality / NDA
3. Procedures / Data Formats / Tools
4. Timeline
5. Data collection
6. Data verification
7. Licensing Compliance Table (LCT)
8. Settlement
9. Transfers
10. Back to production
1 Announcement
Audit Announcement Letter (AAL)
IBM:
Sends Audit Announcement Letter (AAL)
Requests starting date of the review
Names contracted auditor
Sets vague scope
Customer:
To IBM:
Communicates SPOC
Negotiates starting date
Questions scope
Questions right to audit
Questions auditor (already in accountant role?)
Internal:
DO NOT buy any licenses until settlement
DO NOT try to remove software
DO NOT disclose any information until confidentiality agreement is signed
NOBODY other than SPOC communicates with IBM
2 Access / Confidentiality / NDA / Scope
Auditor:
Requests uncontrolled deep access into your organization
Tries to establish timeline
Customer:
To Auditor:
Grants NO unrestricted access (“darkroom”)
Grants NO access to non-IBM data (e.g. 3rd party vendors, customer data)
Auditor may not keep data after audit
NO sweetener clause (Auditor may not profit from audit result)
DOES NOT agree on timeline to Step 4
Internal:
Teams up:
- Upper Management
- Legal
- IT
- Procurement
- License experts
- Local license managers
Welcome to the TLA/FLA
World of IBM
Welcome to the TLA/FLA World of IBM (1/3)
Agreements:
IPLA International Program License Agreement (see §11)
ILAN International License Agreement for Non-Warranted Programs
ILAE International License Agreement for Evaluation of Programs
ILAR International License Agreement for Early Release of Programs
IPAA International Passport Advantage Agreement (incl. Sub-Capacity Attachment)
ELA Enterprise Licensing Agreement
CEO Complete Enterprise Option
ESSO (International) Enterprise Software & Service Option
Welcome to the TLA/FLA World of IBM (2/3)
Licenses:
S&S Support & Subscription
SLA Software License Agreement
- LI License Information (edition and version specific)
- PLET/GA Program Announcement Letter / General Availability
FTL Fixed Term Licenses
PoE Proof of Entitlement
FCT Flexible Contract Terms
Welcome to the TLA/FLA World of IBM (3/3)
Metrics:
PVU Processor Value Unit
VC Virtual- (a.k.a. Sub-) Capacity
RVU Resource Value Unit
AUTH Authorized User
FL Floating User
…
…
…
FUSSI Floating User Single Session Single Install
AUSI Authorized User Single Install
3 Procedures
Data Formats and Tools
Auditor:
Provides ASA Workbooks
Provides scripts/instructions
Requests on-sites
Customer:
To Auditor:
Reviews and extends ASA Workbook
Requests full details on FastPass reports (auditor may not withhold information/details)
Questions Missing Base License (MBL) rules
Agrees on rules for transitioned vendors and PoE (hard-copy vs. invoices, POs)
Imposes own procedures and (scan) tools
Internal:
Starts contract review and entitlement collection
Evaluates available internal tools and resources
Agrees to internal timeline for data collection
4 Timeline
Auditor:
Will propose unfeasible timeline (time-pressure works only in favor of IBM)
Customer:
To Auditor:
Extends times for data collection
Adds steps for review of any output Auditor produces
Introduces Quality Gates that need to be passed before next phase starts
Agrees on time frames, not dates
Internal:
Plans for a long timeline (12 – 18 months)
5 Data Collection
Auditor:
Provides FastPass / PPAO extract
Reviews collected data / requests additional information
- Screenshots
- Script output
Customer:
To Auditor:
Many IBM metrics require additional data collection via script / admin log on
Does not provide script output without review:
- Count inactive/legacy users
- High watermarks
- Concurrent limited to timeframes
Internal:
Focuses on ENTITLEMENT collection
PoEs
Missing base licenses
Loads license data and assembles effective license position
May restrict auditor’s access to selected information – but may not withhold access to licensing-relevant data
5.1 Passport Advantage Online (PPAO)
Key Focus
Missing licenses:
Transitioned Vendors (FileNet, Cognos, SPSS,…)
Missing trade-ups
Missing Site Numbers
Transferred entitlements (negative numbers)
Delayed/faulty transmission from reseller
Purchased outside of PPA:
- Embedded
- Passport Advantage Express
- Enterprise Licensing Agreement (ELA)
- Complete Enterprise Option (CEO)
- (International) Enterprise Software & Service Option (ESSO/iESSO)
Export option is available only per site – Auditor has access via FastPass and can provide full export
5.2 ILMT
Over counting:
Missing Bundle Rules (Check LI)
Hyper Threading
Counting of Deactivated Cores (Check LI)
Wrong product/edition
Incomplete product names (e.g. missing edition)
Ghost installs/false positives
Keeps high water marks
Virtual vs. full capacity
Does not apply failover/standby/testing/clustering rules (Check LI)
6 Data Verification
Auditor:
May ask to verify data in on-site visits
- Positive testing: Picks server from workbook and confirms data
- Negative testing: Picks device that is NOT in workbook and confirms no IBM software on it
- May try/ask to run additional scripts
Customer:
To Auditor:
Restricts auditor’s physical access – but answers license-relevant questions and provides data for verification
Internal:
Checks all workbooks for problems described in 5.x
Loads workbooks – this will show additional gaps and inconsistencies
Uses license data/compliance view in audit environment to close inconsistencies in workbooks (choose edition, choose metric)
7 Licensing Compliance Table (LCT)
Auditor:
Manually assembles LCT – always has errors/interpretations
Will not include S&S without base licenses
Uses Version less for products under maintenance
Draft status -> will push for EXIT Meeting
Customer:
To Auditor:
Does NOT agree to present LCT to IBM (Exit Meeting) until numbers are corrected, confirmed, and agreed
In EXIT Meeting: Explicitly mentions any disagreements with the auditor, makes sure they are included in meeting minutes
Internal:
Compares to internal compliance view
Checks for:
- Multi metric products
- Not considered licenses
- Wrong editions
- Not applied bundling rules
- Sub-capacity vs. full capacity
- Release dates for out of S&S positions
- Over-licensing (Change in metric? Change in product name?)
8 Settlement & Audit Relief
IBM:
Will make a settlement proposal based on §11.2 “Resolution” of IPLA:
- Missing base license: Purchase license with two years of RETRO S&S
- Missing S&S: Purchase reinstatement with two years of RETRO S&S
- Typically applies valid discount level
Will propose audit relief (no legal action) only for disclosed non-compliance / resists base-lining
Customer:
To IBM:
Uses installation dates for less retro S&S
Uses documented disagreements on LCT as leverage
Pushes for base-lining
No partial settlements
Includes ALL negotiated terms into settlement agreement
Internal:
Makes sure that executive management understands the audit results
9 Transfers
IBM:
Settlement was for Group Balance
Will request to create internal compliance per site
Might audit single sites in the future
Customer:
To IBM:
Receiving site triggers transfers on PPAO through transfer form (IBM)
Giving site gives approval
Internal:
Joins base licenses and S&S in same site
Negotiates internal cost allocation
10 Back to Production
IBM: n/a
Customer:
To IBM:
Makes sure that agreed license position is properly reflected in PPAO
Internal:
Adds “baseline” / new licenses to the production system
Applies audit/settlement rules and exceptions to the system (e.g. bundling rules, DG rights, metric selections, full/sub-capacity decisions)
Sets up process to maintain manually collected software data
Thank You
Questions?
The Company
Aspera Technologies Inc.

Founded in 2000

Co-founders and management team:
Christof Beaupoil – Co-founder, President, Aspera Technologies Inc.
Bernhard Boehler – Co-founder, CEO, Aspera GmbH
Olaf Diehl – Managing Director, Business Development & Operations
Keith Sauvant – Co-founder, Managing Director, Research & Development

Parent company: USU Software AG

Employees: 92

Partners in: Australia, Benelux, France, Scandinavia, South Africa, and the UK

Portfolio: Tools, LaaS, Managed Services, Master Catalog, Consulting, Project Management

Customers: 24 Fortune Global 500 companies, very large, large, and medium sized organizations, government and civil services bodies
Awards, Certifications, and Evaluations
Awarded:
Best Asset Management Solution
KPMG certifies Aspera SmartTrack
This tool assessment and certification was provided by KPMG Deutschland AG.
and
Best Web Services Solutions
Aspera SmartTrack reached 100% with the maximum level of accuracy for Lab Simulation and Request Catalog.
Best IT Services
ECPweb.com Tools Manager – Annual Evaluation
Aspera is the market leader. SmartTrack best meets the demands of large companies who wish to effectively manage software assets for their server and desktop environments.