S 2.88 Licence management and version control of standard software

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section, Head of organisation

Without suitable version control and licence control, experience shows that a wide assortment of versions rapidly comes to be used on an IT system or within an organisational unit, some of which may be used without a licence.

Only licensed software must be used on all IT systems within an institution. This provision must be made known to all employees and the administrators of the various IT systems must ensure that only licensed software is used. To do this they must be equipped with suitable tools for licence control.

Frequently, within an institution, different versions of standard software are used. Within the context of licence control it must also be possible to gain an overview of all versions used. In this way it can be guaranteed that old versions are replaced by newer ones as soon as this is necessary, and that when licences are returned, all versions are deleted.

In addition to this, the various configurations of the installed software must be documented. As a result, it must be possible to acquire an overview of which IT system which settings, relevant to security on a standard software product, were specified by the approval and which were actually installed. Thus, for example, it can be rapidly clarified on which computers macro-programming has been installed on product XYZ and on which it has not.

Additional controls:

• Which provisions are in force?

• Are different versions of a standard software product in use?