ServiceNow's Exhibit No. 1003
`ITIL® Managing IT services
`
`London: TSO
`
`Published by TSO (The Stationery Office) and available from:
`
`Online
`www.tso.co.uk/bookshop
`
`Mail, Telephone, Fax & E-mail
`TSO
`PO Box 29, Norwich, NR3 1GN
`Telephone orders/General enquiries: 0870 600 5522
`Fax orders: 0870 600 5533
`E-mail: book.orders@tso.co.uk
`Textphone 0870 240 3701
`
`TSO Shops
`123 Kingsway, London, WC2B 6PQ
`020 7242 6393 Fax 020 7242 6394
`68-69 Bull Street, Birmingham B4 6AD
`0121 236 9696 Fax 0121 236 9699
`9-21 Princess Street, Manchester M60 8AS
`0161 834 7201 Fax 0161 833 0634
`16 Arthur Street, Belfast BT1 4GD
`028 9023 8451 Fax 028 9023 5401
`18-19 High Street, Cardiff CF10 1PT
`029 2039 5548 Fax 029 2038 4347
`71 Lothian Road, Edinburgh EH3 9AZ
`0870 606 5566 Fax 0870 606 5588
`
`TSO Accredited Agents
`(see Yellow Pages)
`
`and through good booksellers
`
`For further information on OGC products, contact:
`
`OGC Service Desk
`Rosebery Court
`St Andrews Business Park
`Norwich NR7 0HS
`Telephone +44 (0) 845 000 4999
`
`Published for the Office of Government Commerce under licence from the Controller of Her Majesty's Stationery Office.
`
`© Crown Copyright 2003
`
`This is a Value Added product which is outside the scope of the HMSO Core Licence.
`
`
`Applications to reuse, reproduce or republish extracts of material in this publication should be sent to HMSO, Licensing Division, St Clements House, 2-16
`Colegate, Norwich, NR3 1BQ Tel No (01603) 621000 Fax No (01603) 723000, E-mail: hmsolicensing@cabinet-office.x.gsi.gov.uk, or complete the application
`form on the HMSO website www.hmso.gov.uk/copyright/licences/valueadded/appform.htm
`
`HMSO, in consultation with Office of Government Commerce (OGC), may then prepare a Value Added Licence based on standard terms tailored to your particular
`requirements including payment terms
`
`First published 2003
`Fourth impression 2004
`ISBN 0 11 330943 0
`
`Printed in the United Kingdom for The Stationery Office
`ID175257 C15 12/04 992800 19585
`
`Titles within the ITIL series include:
`
`Service Support (Published 2000)
`Service Desk and the Process of Incident
`Management, Problem Management, Configuration
`Management, Change Management and
`Release Management
`
`Service Delivery (Published 2001)
`Capacity Management, Availability Management,
`Service Level Management, IT Service Continuity,
`Financial Management for IT Services and
`Customer Relationship Management
`
`ICT Infrastructure Management
`Applications Management
`Planning to Implement Service Management
`Security Management
`
`ISBN 0 11 330015 8
`
`ISBN 0 11 330017 4
`
`ISBN 0 11 330865 5
`ISBN 0 11 330866 3
`ISBN 0 11 330877 9
`ISBN 0 11 330014 X
`
`ITIL back catalogue - an historical repository available as PDF downloads from www.tso.co.uk/ITIL
`
`The managers' set
`The complementary guidance set
`Environmental management, strategy and computer operations set
`
`CONTENTS
`
`The Authors
`
`Foreword
`
`Preface
`
`1 Introduction
`
`1.1 The IT Infrastructure Library
`
`1.2 What is SAM?
`
`1.3 The need for SAM
`
`1.4 SAM principles
`
`1.5 Benefits
`
`1.5.1 Managing risks
`
`1.5.2 Controlling costs
`
`1.5.3 Obtaining competitive advantage
`
`1.5.4 Enhancing employee motivation and the workplace environment
`
`1.6 The possible problems
`
`1.6.1 Conflict with decentralisation culture
`
`1.6.2 Lack of senior management support
`
`1.6.3 Lack of clear responsibilities
`
`1.6.4 Imbalance between 'customised' and 'off-the-shelf' software perspectives
`
`1.6.5 Underestimating the effort required to identify installed software
`
`1.6.6 Legal requirements
`
`1.6.7 Lack of end-user support
`
`1.6.8 Lack of communication
`
`1.7 Costs
`
`1.8 Implementation approaches
`
`1.9 Minimum implementation recommendations
`
`1.9.1 Overall baseline recommendations
`
`1.9.2 National Audit Office recommendations
`
`1.10 World-class SAM
`
`1.11 How SAM maps to ITIL
`
`1.12 How this guide is organised
`
`2 Context
`
`2.1 Special characteristics of software assets
`
`2.2 Legal context
`
`2.3 Software industry supply chain
`
`2.4 Other software industry players
`
`3 Making the business case
`
`3.1 Develop a vision and strategy
`
`3.2 Investigate the issues
`
`3.2.1 Determine requirements
`
`3.2.2 Analyse the gap
`
`3.2.3 Identify and analyse alternatives
`
`3.3 Document the business case
`
`3.4 Sell the business case
`
`4 Organisation, roles and responsibilities
`
`4.1 Decision about centralisation
`
`4.2 Centralisation or decentralisation of SAM databases
`
`4.3 Respective roles of Procurement Management and ICT Management
`
`4.4 Roles and responsibilities
`
`4.4.1 Primary roles
`
`4.4.2 Complementary roles
`
`5 Process overview
`
`5.1 Overall management processes
`
`5.1.1 Overall management responsibility
`
`5.1.2 Risk assessment
`
`5.1.3 Policies and procedures
`
`5.1.4 Competence, awareness and training
`
`5.1.5 Performance metrics and continuous improvement
`
`5.1.6 IT Service Continuity Management and Availability Management
`
`5.2 Core Asset Management processes
`
`5.2.1 Asset identification
`
`5.2.2 Asset control
`
`5.2.3 Status accounting
`
`5.2.4 Database management
`
`5.2.5 Financial Management
`
`5.3 Logistics processes
`
`5.3.1 Requirements definition
`
`5.3.2 Design
`
`5.3.3 Evaluation
`
`5.3.4 Procurement
`
`5.3.5 Build
`
`5.3.6 Deployment
`
`5.3.7 Operation
`
`5.3.8 Optimisation
`
`5.3.9 Retirement
`
`5.4 Verification and compliance processes
`
`5.4.1 Verification and audit
`
`5.4.2 Licensing compliance
`
`5.4.3 Security compliance
`
`5.4.4 Other compliance (e.g. with other policies and procedures)
`
`5.5 Relationship Management processes
`
`5.5.1 Contract Management
`
`5.5.2 Supplier Management
`
`5.5.3 Internal Business Relationship Management
`
`5.5.4 Outsourcing
`
`5.6 Special situations
`
`5.6.1 Mergers/demergers and reorganisations
`
`5.6.2 Downsizing
`
`5.6.3 Novation (customer/reseller/manufacturer legal changes)
`
`6 Implementation overview
`
`6.1 Preparation
`
`6.2 Getting there
`
`6.3 Staying there
`
`6.4 Proving you are staying there
`
`7 Tools and technology
`
`7.1 Asset inventory tools
`
`7.2 Discovery tools
`
`7.3 Metering tools
`
`7.4 Licence Management tools
`
`7.5 Contract Management tools
`
`7.6 Demand Management tools
`
`7.7 Deployment Management tools
`
`7.8 Security tools
`
`7.9 Procurement tools
`
`7.10 Vendor Licence Management technology
`
`8 Partners and SAM
`
`8.1 SAM guidance materials
`
`8.2 SAM consultancy
`
`8.3 Outsourcing of SAM functions
`
`8.4 Audits
`
`8.5 Certification
`
`8.5.1 SAM and licence compliance certifications
`
`8.5.2 Personal certifications
`
`8.5.3 General procedural certifications
`
`8.6 Conferences and workshops
`
`8.7 Licensing advice
`
`8.8 Historical purchase records and effective licensing
`
`8.9 Current purchase records
`
`8.10 Directories and assessments of SAM tools
`
`8.11 SAM tools
`
`8.12 Implementation assistance for SAM tools
`
`8.13 Special considerations for reseller relationships
`
`9 Mapping SAM to ITIL and other approaches
`
`9.1 SAM and ITIL
`
`9.2 SAM and BS 15000
`
`9.3 SAM and CobiT®
`
`9.4 SAM and other management frameworks and guidelines
`
`10 Bibliography
`
`10.1 Associated reference books and documents
`
`10.2 Appropriate guidelines and standards
`
`Appendix A Terminology
`
`A.1 Acronyms used in this guide
`
`A.2 Glossary of terms
`
`Appendix B Software licensing overview
`
`B.1 When licences are required
`
`B.2 Basic types of licences
`
`B.2.1 Duration
`
`B.2.2 Measure of usage
`
`B.2.3 Upgrades
`
`B.2.4 End-user type
`
`B.2.5 Licence management responsibility
`
`B.2.6 Other
`
`B.3 Types of licences by sales channel
`
`B.4 Counterfeits
`
`B.5 What is 'proof of licence'?
`
`B.6 Physical management of software licences
`
`B.6.1 Physical characteristics
`
`B.6.2 High risk of loss
`
`B.6.3 Implementing an effective physical management system
`
`B.7 Other common licensing problems
`
`Appendix C Considerations in selecting SAM tools
`
`C.1 General points of consideration
`
`C.2 Practical guidelines for the selection of SAM tools
`
`Appendix D Possible SAM database contents
`
`D.1 Software licence inventory
`
`D.2 Installed software inventory
`
`D.3 Source documentation
`
`D.4 Working documentation
`
`D.5 Media
`
`D.6 Guidance documentation
`
`D.7 Hardware inventory
`
`Appendix E Choosing a SAM partner
`
`Appendix F The detailed contents of a SAM business case
`
`Appendix G Example contents of a software policy
`
`G.1 Sample policy on the use of hardware and software
`
`G.2 Acknowledgement of hardware/software policy
`
`Index
`
`THE AUTHORS
`
`Guidance was distilled from the experience of a range of people working in Software Asset
`Management (SAM), IT Service Management and/or ICT Infrastructure Management.
`
`Colin Rudd, Director of IT Enterprise Management Systems Ltd (ITEMS), was the lead author.
`Colin has been working in the IT industry for over 30 years. He has been heavily involved in the
`development of the 'New ITIL', authoring or contributing to the production of many of the
`individual modules. He was also responsible for the design of the overall framework for the new
`library. Colin was recognised by the IT Service Management Forum (IT SMF), which is the IT
`Infrastructure Library (ITIL) user association, in 2002 with its lifetime service award for his work
`in the area of IT Service Management.
`
`The project was managed by David Bicket, Senior Manager, Deloitte and Touche. David also
`contributed extensively to its design and writing.
`
`Contributions to the content and the final Quality Assurance (QA) review were provided by Paul
`Diamond, Director, KPMG; Richard Bull, Manager, KPMG; Shaun Frohlich, Chairman, Teksys
`Ltd; and Richard Best, Business Manager - Software Asset Management, Teksys Ltd.
`
`In addition, a wide-ranging group of organisations participated in the overall QA process,
`including meetings, discussions of proposed contents, and reviewing drafts. Considerable time
`was required for this effort, against tight deadlines. Extensive thanks are due to all of those
`participating, who include:
`
`Marina Schroder
`Brian Davies
`Paul Noonan
`Jenny Dugmore
`Shirley Lacy
`
`Aspera OHG
`Barclays Bank PLC
`Bytes Technology Group
`ConnectSphere
`ConnectSphere and Chair, BCS Configuration Management Specialist
`Group
`Eamonn McDonough Department of Transport, UK Government
`Hewlett Packard
`Barry Joyce
`Hewlett Packard
`Marianne Rinde
`Ronald B. Falciani
`IBM Corporation
`IBM United Kingdom Ltd
`David Ward
`Microsoft UK
`David Phillips
`Microsoft UK
`Vaughan Smith
`Siemens Information & Communications Networks
`Wolfgang Basing
`Systems Management International
`David Gilchrist
`Vantico
`M.J. Perry
`Ronda Kiser
`Whirlpool
`WPP
`David Nicoll
`Denise E. Mason
`Xansa
`
`FOREWORD
`
`Organisations are increasingly dependent on electronic delivery of services to meet Customer
`needs. This means a requirement for high quality IT services, matched to business needs and User
`requirements as they evolve.
`
`OGC's ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service
`Management in the world. ITIL provides a cohesive set of best practice, drawn from the public
`and private sectors internationally, supported by a comprehensive qualification scheme, accredited
`training organisations, implementation and assessment tools.
`
`Bob Assirati
`
`OGC
`
`PREFACE
`
`The ethos behind the development of the IT Infrastructure Library (ITIL) is the recognition that
`organisations are increasingly dependent upon IT to satisfy their corporate aims and meet their
`business needs. This growing dependency leads to growing needs for quality IT services - quality
`that is matched to business needs and user requirements as they emerge. ITIL provides the
`guidance that will help to match that quality against the needs and cost in order to provide the
`best IT match for the business.
`
`This is true no matter what type or size of organisation, be it national government, a
`multinational conglomerate, a decentralised office with either a local or centralised IT provision,
`an outsourced Service Provider, or a single office environment with one person providing IT
`support. In each case, there is the requirement to provide an economical service that is reliable,
`consistent and fit for purpose.
`
`ICT Infrastructure Management is concerned with the processes, organisation and tools to
`provide a stable IT and communication infrastructure, and is the foundation for ITIL Service
`Management processes, promoting a quality approach to achieving business effectiveness and
`efficiency in the use of information systems. ITIL Service Management processes are intended to
`be implemented so that they underpin but do not dictate the business processes of an
`organisation. IT Service Providers will be striving to improve the quality of the service, but at the
`same time they will be trying to reduce the costs or, at a minimum, maintain costs at the current
`level.
`
`For each of the ICT Infrastructure Management processes described in this book, one or more
`roles have been identified for carrying out the activities and producing the deliverables associated
`with the process. It should be recognised that it is often possible to allocate more than one role to
`an individual. Conversely, in larger organisations, more than one individual may be required to
`fulfil a role. The purpose of a role, as described in this book, is to locate responsibility, not to
`suggest an organisation structure.
`
`1 INTRODUCTION
`
`Most organisations today are dependent for their continued operation upon Information
`Technology (IT), or Information and Communications Technologies (ICT) as it is increasingly
`being called. Software is the most critical element of ICT and most organisations make huge
`investments in software, whether internally developed or externally procured. However,
`organisations often do not invest commensurate effort into managing these software assets.
`
`This guide has been developed to assist with understanding what Software Asset Management
`(SAM) is, and to explain what is required to perform it effectively and efficiently as identified in
`industry 'best practice'. These guidelines can be tailored to fit any organisation, regardless of size.
`
`This guide should be of interest to anybody involved in the acquisition, development, operation,
`use or retirement of software within an organisation. It should be of particular interest to two
`types of individuals:
`
`• Directors and other members of senior management with corporate governance
`responsibility, including responsibility for software assets and the risks associated with
`them. These individuals will be most concerned with this introductory chapter.
`
`• Individuals responsible for investigating or implementing improved processes and
`systems for SAM. These individuals should be interested in the entire guide.
`
`1.1 The IT Infrastructure Library
`
`This guide is complementary to the core materials of the IT Infrastructure Library (ITIL) and is
`intended to be consistent with all of its principles and processes. ITIL is the most widely accepted
`approach to IT Service Management in the world. ITIL provides a comprehensive and consistent
`set of best practices for IT Service Management, promoting a quality approach to achieving
`business effectiveness and efficiency in the use of information systems.
`
`The ITIL label is owned by the Office of Government Commerce (OGC) of the UK
`Government, and was initially developed to provide guidance to UK Government departments.
`It has subsequently achieved acceptance worldwide, and a number of software manufacturers' own
`methodologies are aligned with it. It is fast becoming a de facto standard used by some of the
`world's leading businesses. A British Standard (BS 15000) has also been developed that has close
`links with ITIL. This guide is closely aligned with BS 15000 and is also compliant with the ISO
`9000 quality standard.
`
`This guide may be used by organisations that are already committed to ITIL best practice
`approaches in all areas, and also by organisations that are adopting such guidance on a more
`limited basis. If this is the first ITIL guide to be used within an organisation then it is strongly
`recommended that more is learnt about the full range of guidance available from ITIL (see
`www.itil.co.uk and also the related user group website at www.itsmf.com).
`
`SAM is part of overall IT Service Management, and must be understood in this context. The
`SAM database, for example, is logically part of the Configuration Management Database
`(CMDB) that supports all of IT Service Management. These interrelationships between SAM
`and all of IT Service Management as defined by ITIL are explained in Section 1.11 and, in more
`detail, in Chapter 9. There is also repeated reference to other Service Management areas
`throughout this guide. The terminology used in this guide is consistent, to the extent practical,
`with terminology throughout the rest of ITIL, whilst also retaining consistency with software
`industry terminology.
`
`SOFTWARE ASSET
`MANAGEMENT
`
`1.2 What is SAM?
`
`Software Asset Management means different things to different people. The definition used
`within this guide is as set out in the box.
`
`Definition
`
`Software Asset Management (SAM) is all of the infrastructure and processes
`necessary for the effective management, control and protection of the software
`assets within an organisation, throughout all stages of their lifecycle.
`
`SAM does not include Hardware Asset Management, which will not be covered within this guide
`except for those aspects that are necessary for effective SAM. (Collectively, Software Asset
`Management and Hardware Asset Management can be referred to as IT Asset Management, or
`ITAM.) Generally speaking, SAM is more complex and more demanding than Hardware Asset
`Management and therefore the SAM processes need to be greater in scope and more
`comprehensive in content. As a result, systems that can handle SAM can normally be expected to
`handle Hardware Asset Management as well. Furthermore, it must be stressed that it is essential
`for hardware assets to be managed as well as software assets, even though not covered by this
`guide.
`
`The coverage in this guide is intended to be manufacturer and platform neutral, to the extent
`practical. Specific products are not mentioned, nor is there focus on specific architectures such as
`mainframe or client/server. Most of the coverage should be equally applicable to PC workstations
`as to servers and mainframes, and even to network communications equipment such as routers.
`
`1.3 The need for SAM
`
`The underlying justification for SAM is the need to apply good corporate governance to an
`organisation's software assets. These typically include much of an organisation's asset base, are
`critical to its continued operations, and underlie some of an organisation's main legal and
`contractual obligations. This is a common-sense justification, but it is increasingly being
`reinforced by statutory or regulatory corporate governance requirements, such as Turnbull in the
`UK and Sarbanes-Oxley in the US. Consequently, the ultimate responsibility for good corporate
`governance of software assets lies with an organisation's senior management, and success or failure
`in this area ultimately rests with them.
`
`
`The importance of SAM is illustrated by a quote from George Cox, the Director
`General of the Institute of Directors (IoD) in the UK:
`
`'The role and importance of externally acquired software has changed dramatically
`in recent years, to the point now where it has to be regarded as a business asset and
`managed as such. Software Asset Management has become an imperative, not an
`option. Software licences are business assets. Without them directors expose their
`business and themselves to constraints and to legal and financial risk.'
`
`There is also a broader justification for SAM, which is all of the benefits it helps to deliver.
`Further detail about these is given in Section 1.5.
`
`1.4 SAM principles
`
`The overall objective of all SAM processes is that of good corporate governance, namely, the
`management of an organisation's software assets, including the management of the risks arising
`from the use of those assets.
`
`The objective of SAM
`
`To manage, control, and protect an organisation's software assets, including
`management of the risks arising from the use of those software assets.
`
`A scaleable, structured approach needs to be adopted in order to achieve this for each
`organisation. The sequencing of the events involved in this structured approach is illustrated in
`Figure 1.1.
`
`
`[Figure 1.1 - The principles of SAM. Boxes in the figure: the development of a vision and
`strategy for SAM; the development and communication of an overall SAM policy; the
`development and implementation of SAM processes and procedures; ongoing performance of
`SAM processes with concurrent maintenance of information; regular review and improvement;
`the SAM database.]
`
`The most important requirement for a SAM project is to have a clear vision and strategy that are
`owned by senior management. They should be the driver for initiating everything else in SAM,
`and in particular they drive the processes of creating the business case. This area is discussed in
`Chapter 3. This vision and strategy should include any overarching vision and strategy for
`Configuration Management as a whole, i.e. for all of ICT and not limited just to SAM.
`
`Overall policies need to be established and communicated effectively to the entire organisation.
`Corresponding responsibilities also need to be clarified and communicated. These issues are
`addressed in several places throughout this guide, including in Chapter 4 'Organisation, Roles
`and Responsibilities', Section 5.1 'Overall Management Processes', and Appendix G 'Example
`Contents of a Software Policy'.
`
`Detailed processes need to be defined and implemented, including automated capabilities and
`written procedures. The majority of the content of this guide addresses this area, including, in
`particular, Chapter 5 'Process Overview' and Chapter 6 'Implementation Overview'.
`
`Key messages
`
`• Board-level sponsorship and commitment is essential to ensure successful
`SAM
`
`• Policies and procedures that are practical and mandatory for everyone touching
`IT assets (procurement to retirement) must be developed, implemented and
`monitored for adherence.
`
`Once SAM is implemented, there will be ongoing performance of SAM processes with
`concurrent maintenance of information in the set of SAM databases (which is part of the
`Configuration Management Database or CMDB in ITIL terminology) that will need to be
`tackled. SAM should be subject to the same disciplines of Service Management as all ICT
`services and infrastructure, as discussed in the core ITIL publications. For example, SAM cannot
`continue to function properly without attention to areas such as continuity of operations and
`Capacity Management. However, these more general topics are not discussed in detail in this
`guide.
`
`The basis of any good SAM system is accurate and up-to-date SAM information, together with
`the processes for control of its accuracy. The SAM databases also provide essential information for
`the integration of SAM processes with other ICT and business processes. They should be
`considered logically as a single database, but may consist of several physically separate, but linked,
`databases. In highly decentralised organisations, each autonomous unit may have its own
`autonomous database, but there needs to be central collection of some data to achieve some of the
`greatest benefits of SAM. This area is discussed more in Chapter 4 'Organisation, Roles and
`Responsibilities'.
`
`There also needs to be a regular process of review and improvement affecting all areas already
`addressed. At one level there should be review for compliance with defined policies and
`procedures and, where appropriate, corrective action. There may be opportunities for
`improvements in efficiency and effectiveness, and definitions of responsibilities. Vision may also
`change, perhaps in response to changing market opportunities and threats or technological
`developments. These issues are briefly addressed in Section 5.1 'Overall Management Processes',
`but repeating the entire process described above, at least for review purposes, is necessary
`periodically.
`
`Key message
`
`It is impossible to implement an effective SAM process without the successful
`design, development, implementation and maintenance of accurate SAM
`databases, automatically updated from the live infrastructure.
`
`1.5 Benefits
`
`The potential benefits of well-implemented SAM are significant and should usually greatly
`exceed the implementation and operating costs. There are many ways of categorising these
`benefits. Paragraphs 1.5.1-1.5.4 list the most significant benefits experienced by many
`organisations.
`
`1.5.1 Managing risks
`
`SAM facilitates the management of significant business risks including:
`
`• Legal and financial exposure: There is risk to the organisation if licensing terms for
`externally procured software are not properly observed. This exposure may arise from
`enforcement agencies directly (e.g. police or customs), from industry associations (e.g.
`Business Software Alliance (BSA) or Federation Against Software Theft (FAST)) or
`from software manufacturers. It may be initiated by tip-offs from disgruntled
`employees (whistle blowers - potentially for a reward of circa £10k); by supplier
`knowledge (e.g. the reseller that fails to get a contract knowing the competitor's
`pricing cannot include licences); by software manufacturer analyses of customer
`purchasing; or by 'accident' (e.g. a police sweep through an entire building requiring
`companies to prove their licences). The characteristics of externally acquired software
`assets underlie these major exposures. Further detail is given in Section 2.1. In
`summary, the characteristics of commercial software assets underlie the following
`major exposures:
`
`  - software being resident/installed without licences being purchased
`  - loss of proof of licences which have been purchased, including licences underlying
`    upgrades
`  - complex terms and conditions which may be breached unknowingly
`  - incorrect reliance on resellers.
`
`• Damaged reputation: An organisation's reputation may be damaged by the publicity
`that results if legal problems become publicly known. Likewise, an ICT department's
`reputation may be damaged within the organisation and within the ICT community if
`it experiences major unexpected problems related to the control of software assets, e.g.
`licensing, roll-outs, or support.
`
`• Unexpected financial and workload impact: Problems related to software assets, e.g.
`licensing, can have significant unexpected financial impact in areas such as cash flow,
`which can then impact on other planned activity. Likewise, ad hoc efforts to address
`licensing issues in response to external events can require major unplanned amounts of
`time from management and operational personnel, regardless of whether there is any
`ultimate direct financial impact.
`
`• Security breaches including unauthorised disclosure of confidential information:
`Security may be breached, and confidential information may be disclosed because of
`failure to implement adequate measures for security patch distribution.
`
`Key message
`
`'About 95% of exploits occur after bulletins and patches are put out ... the reason
`the exploit is effective is because the patch uptake is too low.' The chief security
`strategist for a major software manufacturer
`
`• Unexpected problems with acquisitions/mergers/demergers: Failure to address
`SAM issues properly including licensing during 'due diligence' activity for
`acquisitions/mergers/demergers can expose the organisation to significant unexpected
`financial risk and operational impact.
`
`• Interruption of operations: The problems caused by poor SAM can sometimes affect
`continuity of operations, e.g. shutdowns caused by legal reasons, virus infections, or
`poorly deployed software updates. Conversely, good SAM can mitigate problems that
`might otherwise affect operations severely, e.g. being able to deploy security patches
`more quickly.
`
`• Unsupportable operations: There can be a risk of certain software-dependent
`operations being unsupportable without good SAM. For example, there may be
`critical applications reliant upon unlicensed software that ceases to be available for
`sale, preventing the possibility of continuing to use it while becoming compliant.
`Likewise, software manufacturers may cease upgrade and technical support for some
`products. Good SAM processes and related management planning should minimise
`such exposures.
`
`1.5.2 Controlling costs
`
`Proper SAM allows for significant cost savings, not only in direct expenditure on software, but
`also in related process and infrastructure costs. Some specific ways in which cost control can be
`improved as a result of good SAM are:
`
`• Better negotiating position: Knowing with certainty that an organisation is
`compliant with licensing terms and conditions gives it a strong negotiating position
`with software manufacturers. Conversely, if there is a lack of clarity about the
`correctness of licensing, the reseller or software manufacturer may use that uncertainty
`to its negotiating advantage, with the possibility of a software audit being threatened
`to help close a deal that may not be in the organisation's best interest.
`
`• Improved strategic infrastructure planning: Better knowledge about what is being
`installed/used, and better deployment capabilities, will facilitate the assessment of
`strategic software alternatives. For example, it is common for multinational companies
`to find dominant usage of one software manufacturer's products, with small pockets of
`competitive products that can typically be replaced under existing agreements at little
`or no additional cost. Alternatively, it will be easier to plan major infrastructure
`changes, including to competitive products.
`
`• Prevention of software over-deployment: Proper SAM will help identify where
`software is needed, rather than just where it is installed, e.g. by monitoring active
`usage. A common finding is that standard configurations as installed are over-specified
`compared to what end-users actively use. Better identification of end-user needs can
`significantly reduce software and hardware requirements and costs as a result. Pull
`technology can allow for real-time deployment according to end-user requirements
`without the costs of comprehensive global deployments. Existing software investment
`will not be eliminated, but future costs may be greatly reduced by controlled
`redeployment of released licences. This i
