Standardised approach to Software Asset Management: ISO19770
ISACA member meeting 2013
Jan Øberg, ØBERG Partners
The history of WG21
- ISO19770 is developed in WG21 under ISO
- Established in 2001
- First standard, 19770-1, released in 2006
- Led today by David Bicket
The 19770 family
- Software Asset Management
The 19770 family
- 19770-1 Software Asset Management processes
- 19770-2 Software Identification Tag
- 19770-3 Software Entitlement Tag
- 19770-5 Terminology / overview
- 19770-7 Tag Management
19770-1 SAM process structure (released)

Organizational management processes for SAM
- 4.2 Control environment for SAM
  - Corporate governance processes for SAM
  - Roles & responsibilities
  - Policies, processes and procedures
  - Competences
- 4.3 Planning and implementation processes for SAM
  - Planning for SAM
  - Implementation of SAM
  - Monitoring and review of SAM
  - Continual improvement of SAM

Core SAM processes
- 4.4 Inventory processes for SAM
  - Software asset identification
  - Software Asset inventory
  - Software Asset control
- 4.5 Verification and Compliance processes for SAM
  - Software Asset record verification
  - Software licensing compliance
  - Software Asset security compliance
  - Conformance verification for SAM
- 4.6 Operations Management processes and interfaces for SAM
  - Relationship and Contract Management for SAM
  - Financial Management for SAM
  - Service Level Management for SAM
  - Security Management for SAM

Primary process interfaces for SAM
- 4.7 Life cycle process interfaces for SAM
  - Change Management process
  - Acquisition process
  - Software development process
  - Software Release process
  - Software deployment process
  - Incident Management process
  - Problem Management process
  - Retirement process
Four implementation tiers
- Full ISO/IEC SAM conformance. Achieves best-in-class strategic SAM
- Trustworthy data. Knowing what you have, so that you can manage and control it
- Practical management. Improves management control and delivers immediate improvements
- Operational integration. Improves efficiency and effectiveness
Tier 1 processes (example)

Organizational management processes for SAM
- 4.2 Control environment for SAM
  - Corporate governance processes for SAM
  - Roles & responsibilities
  - Policies, processes and procedures
  - Competences
- 4.3 Planning and implementation processes for SAM
  - Planning for SAM
  - Implementation of SAM
  - Monitoring and review of SAM
  - Continual improvement of SAM

Core SAM processes
- 4.4 Inventory processes for SAM
  - Software asset identification
  - Software Asset inventory
  - Software Asset control
- 4.5 Verification and Compliance processes for SAM
  - Software Asset record verification
  - Software licensing compliance
  - Software Asset security compliance
  - Conformance verification for SAM
- 4.6 Operations Management processes and interfaces for SAM
  - Relationship and Contract Management for SAM
  - Financial Management for SAM
  - Service Level Management for SAM
  - Security Management for SAM

Primary process interfaces for SAM
- 4.7 Life cycle process interfaces for SAM
  - Change Management process
  - Acquisition process
  - Software development process
  - Software Release process
  - Software deployment process
  - Incident Management process
  - Problem Management process
  - Retirement process
19770-2 Software Identification Tags (released)
- Specifies an XML-based structure with metadata for controlling installed software
- The purpose is to create traceability between software entities
- Market adoption is handled by a non-profit organisation, TagVault
TagVault.org
- Certification authority for software identification tags
- Non-profit
- Member-driven
- Focus on market requirements (authoritative and consistent)
- Supports the SAM ecosystem
- Certification process
- Software tag library
- Software tools and services
- Best practices
- Current board: Symantec, CA Technologies, Moduslink, Microsoft
19770-3 Software Entitlement Tag (under development)
- Specifies an XML-based structure with metadata for controlling software usage rights
- The purpose is to create traceability between software entities and entitlement / usage rights
19770-5 Overview and terminology (released)
- Definition of the terminology used in SAM
- Overview of, and relationships between, the individual standards in the SAM family
19770-7 Tag management (under development)
Establishes a guide and baseline for the management and control of all software tags defined in the ISO/IEC 19770 standard (lifecycle management and control).
Focus areas:
- Correct comparison of data on what is installed/used against the licence and the correct manner of use
- Use of SAM tagging data in new technology environments, such as virtualisation and cloud
- Correct use of SAM tagging data in relation to distribution, implementation and retirement of software
- Use of SAM tagging data in connection with internal / external audits
- Use and enforcement of SAM tagging standards in connection with software architecture design
- Achieving uniform and correct data across the software supply chain
The future
- Alignment with ISO20000 (establishment of a study group)
- Alignment with ITIL and COBIT
- Organisational and process assessment model based on ISO15504 and ISO33002
- ISO19770 Embedded devices
- Certification programme
- Guidance for implementation in different organisational environments
- ISO19770 and Cloud
- ISO19770 and BYOD
- Metadata standards, e.g.:
  - Media Tags
  - Device Tags
  - Adaptability Tags
COBIT / SAM / ITIL example
Columns: COBIT 5 Code, COBIT Process Name, ISO/IEC 19770 Alignment, ITIL v3 Process
EDM04 Ensure Resource Optimisation Software Asset Identification
MEA01 APO01 Monitor, Evaluate and Assess Performance and Conformance Software Asset Control Software Asset Record Verification Software Licensing Compliance Conformance Verification for SAM Software Asset Inventory Management Corporate Governance Process for SAM Competence in SAM Monitoring and Review of SAM Manage the IT Management Framework Roles and Responsibilities for SAM Continual Improvement of SAM Policies, Processes and Procedures for SAM Capacity Management Configuration Management Service Reporting Service Measurement Continual Service Improvement
APO06 Manage Budget and Costs Financial management for SAM Financial Management
APO07 Manage Human Resources Planning for SAM Roles and Responsibilities for SAM Skills Framework for the Information Age (SFIA) 1
APO09 Manage Service Agreements Service Level Management for SAM Demand Management
APO12 Manage Risk Change Management Process Software Deployment Process Service Portfolio Management Service Catalogue Management Service Level Management Service Reporting Change Management Release and Deployment
BAI04 Manage Availability and Capacity Software Asset Inventory Management Availability Management Capacity Management
BAI06 Manage Changes Change Management Process Change Management
BAI07 Manage Change Acceptance and Transitioning Software Release Management Process Software Deployment Process
BAI09 Manage Assets Software Licence Compliance Software Asset Inventory Management Acquisition Process Retirement Process
BAI10 Manage Configuration Software Asset Identification Software Asset Control Software Asset Record Verification Software Licensing Compliance Conformance Verification for SAM Transition Planning and Support Release and Deployment Service Validation and Testing Service Evaluation Configuration Management Configuration Management
DSS02 Manage Service Requests and Incidents Incident Management Process Incident Management Request Fulfilment
Further information
- ISO19770.org (official web site)
- WIKI ISO19770
- TagVault.org (software tag non-profit organisation)
- IAITAM.org (international network organisation focused on Software & Hardware Asset Management)
- itsmf.dk
Email: jo@oberg-partners.com
Tel: 40 36 91 31
www.oberg-partners.com