UCF ID: 01140
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
- Establish and maintain a software product acquisition methodology. [UCF Control ID 01138]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Development and Acquisition, Pg 43, Pg 45 thru Pg 48, Exam Obj 6.1; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § SA-6, App F § SA-7; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SA-6, SA-7, SA-7.4, SA-7.5, SA-7.6; The Standard of Good Practice for Information Security, SM4.3.1(b), SM4.3.5, SM6.7.7, CI1.3.1(c), CCI1.3.5, SD4.4.2(c), SD4.4.5; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCPD-1; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.5(11)
Banking and Finance Guidance
The organization should review all licensing agreements to ensure it is abiding by them. The software license agreement should state how many people can use the software, the locations at which it can be used, the duration of the licenses, whether it is permissible to retain and use back-up copies at a remote site in an emergency, and the minimum notice required for termination. The licensing agreement should also include information on dispute resolution; agreement modifications; representations and warranties; regulatory requirements; protection against bankruptcy; and payment schedules. [Pg 43, Pg 45 thru Pg 48, Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]
US Federal Security Guidance
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Ensure license agreements are in place for all shareware. [DCPD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
NIST Guidance
App F § SA-6 An organization should ensure that software and associated documentation are used in accordance with contract agreements and copyright laws. If software and associated documentation are protected by quantity licenses, the organization should employ tracking systems to control copying and distribution. The use of publicly accessible peer-to-peer file sharing technology should be controlled and documented to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
App F § SA-7 The organization should create and enforce a policy governing user installation of software. This policy should define the user privileges required for installation and identify what types of software downloads and installations are permitted (e.g., updates and security patches to existing software) and what types are prohibited (e.g., software that is free only for personal, not government, use). The organization should also restrict the use of install-on-demand software. [App F § SA-6, App F § SA-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure that the usage, downloading, and installation of software follow explicit rules; that these actions are reviewed and analyzed regularly for inappropriate or unusual activity; that suspected violations are investigated; that findings are reported to appropriate officials and necessary actions are taken; and that specific responsibilities and actions are defined for implementing the software usage restrictions control and the user-installed software control. Any problems discovered while implementing these two controls should be documented and used to improve them.
Test the system's enforcement of the rules for user-installed software by attempting to download and install prohibited software. Test network traffic with a network packet analyzer to confirm that prohibited software is not installed and operating on the network. Test the system for prohibited software by using a scanner to list all installed software and comparing that list against the approved software list.
Interviews should be conducted with personnel involved in reviewing and analyzing software for appropriate usage. Interviews should be conducted with personnel involved in reviewing and analyzing software installed by users and with personnel who document the rules for users downloading and installing software. [SA-6, SA-7, SA-7.4, SA-7.5, SA-7.6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
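The last assessment step above (scanner inventory compared against the approved list) and the SA-6 seat tracking can be scripted. The following is an added example, not UCF or NIST material; the scan output format, product names and approved list are constructed for illustration.

```python
import csv
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed scanner output (not any real tool's format): host,product,version
SCAN_CSV = """host,product,version
ws-001,AcmeOffice,12.1
ws-002,AcmeOffice,12.1
ws-003,AcmeOffice,11.0
ws-004,AcmeOffice,12.1
ws-002,FreeBurnerPersonal,3.2
ws-003,PacketTool,1.9
"""

# Constructed approved-software list: product -> purchased seats (None = site license)
APPROVED: Dict[str, Optional[int]] = {"AcmeOffice": 3, "PacketTool": None}


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Turn the scanner CSV into (host, product, version) tuples."""
    return [(r["host"], r["product"], r["version"]) for r in csv.DictReader(StringIO(text))]


def find_unapproved(inventory, approved) -> List[Tuple[str, str]]:
    """Installs whose product is not on the approved list (SA-7 prohibited software)."""
    return sorted({(host, prod) for host, prod, _ in inventory if prod not in approved})


def find_over_seat_limit(inventory, approved) -> Dict[str, Tuple[int, int]]:
    """Products installed on more hosts than seats purchased (SA-6 quantity licenses).
    Returns product -> (hosts_installed, seats_licensed)."""
    hosts_by_product: Dict[str, set] = {}
    for host, prod, _ in inventory:
        if approved.get(prod) is not None:          # skip site licenses and unapproved items
            hosts_by_product.setdefault(prod, set()).add(host)
    return {p: (len(h), approved[p]) for p, h in hosts_by_product.items() if len(h) > approved[p]}


def audit(text: str = SCAN_CSV, approved=APPROVED) -> Dict[str, object]:
    """Run both checks and return the findings for the review record."""
    inv = parse_scan(text)
    return {"unapproved": find_unapproved(inv, approved),
            "over_seat_limit": find_over_seat_limit(inv, approved)}


if __name__ == "__main__":
    for kind, findings in audit().items():
        print(kind, findings)
```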
ISO Guidance
Operational Issues. An organization should implement safeguards that ensure all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved through organizational procedures. Operational safeguards are necessary in combination with other safeguards, for example physical and technical ones. Safeguards in the area of operational issues are listed below.
11. Correct Software Use
It should be ensured that no copyrighted material is copied, and that the license agreements are obeyed for proprietary software. [¶ 8.1.5(11), ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
General Guidance
Asset management documentation should cover software licensing. The organization should purchase the appropriate number of licenses and be able to provide proof of ownership. Third party agreements should contain a clause stating details of any software licensing arrangements. [SM4.3.1(b), SM4.3.5, SM6.7.7, CI1.3.1(c), CCI1.3.5, SD4.4.2(c), SD4.4.5, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
