Overseeing Compliance of Security Operations ◾ 235
© 2011 by Taylor & Francis Group, LLC
Some software packages may use usage meters to track actual use of the software. A software license with a usage meter does not limit the number of users, but monitors the usage and charges according to volume of use. Another type of license is shareware or freeware. The name of this type of license is misleading because even though the software is available for free downloading from the Internet, the use of the software is often on a trial basis after which the user is expected to pay for a license to continue to use it.
The Business Software Alliance (BSA) is an organization that represents the commercial software industry and promotes the reporting and prosecution of software theft. The Canadian Alliance Against Software Theft is another example similar to the BSA. The Recording Industry Association of America (RIAA) is a trade group representing the recording industry. The RIAA is involved in the licensing and royalties within the recording industry. Scanning enterprise systems for the illegal storage and sharing of video and audio recordings is necessary to avoid liability for hosting such activity.
Digital Rights Management (DRM) is an enforcement mechanism for access control and what can and cannot be done with a software file, audio file, video file, or document file. Copyright law prohibits unauthorized copies of digital files or other media (e.g., audio tapes, video tapes). DRM extends beyond this to restrict the number of viewings or restrict copies to certain types of devices, e.g., Sony restricts the copying of some music files from the music CD to a hard drive.
Software piracy is a romantic phrase that veils the reality of the situation, i.e., software theft is a crime. Licensing is a serious issue and the rise of watchdog organizations and litigation against violators requires good software license management. The level of culpability goes up with explicit intent to steal software as well as with negligence in taking reasonable steps to avoid being an unwitting host for illegal activities. Any organization is only expected to do so much to avoid illegal activities, but you must do at least that much. Working out exactly what to do, resource allocations to do it, and budget allocations is a matter of discussion among information technology, security, executives, governance, and legal departments.
Configuration Settings
Tracking hardware and software is good, but not enough. The configuration settings of the hardware and software are also necessary to track. These settings enable appropriate functionality as well as restrict other functionality. The functionality restrictions are to safeguard the systems and the data residing on the systems. Unauthorized modification of these settings may place the enterprise at risk by permitting unauthorized remote access, exfiltration of data, installation of unauthorized software, use of unauthorized devices such as USB drives, etc.
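The following is an added example, not code from the book, showing the two checks this paragraph implies: comparing each device's collected settings against the configuration standard, and detecting unauthorized modification as drift between two snapshots of the same device. It assumes settings arrive as flat key/value pairs from some collection agent; the parameter names, the standard, and the host snapshots are constructed sample data, not any real product's settings.

```python
"""Added example (not from the book): compare device configuration snapshots
against a configuration standard and detect drift between snapshots.

Assumptions (constructed, not from the book): settings are flat key/value pairs
already collected from each device; the standard names each parameter, its
required value, and the risk the setting guards against."""
from dataclasses import dataclass

# Configuration standard: parameter -> (required value, rationale). Constructed.
# Integer requirements are treated as minimums; everything else must match exactly.
STANDARD = {
    "usb_mass_storage": ("disabled", "blocks data exfiltration via removable drives"),
    "remote_desktop": ("disabled", "prevents unauthorized remote access"),
    "software_install_restricted": ("enabled", "blocks installation of unauthorized software"),
    "host_firewall": ("enabled", "limits unsolicited inbound connections"),
    "password_min_length": (12, "baseline credential strength"),
}

# Constructed snapshots as a collection agent might report them.
SNAPSHOTS = {
    "srv-01": {"usb_mass_storage": "disabled", "remote_desktop": "disabled",
               "software_install_restricted": "enabled", "host_firewall": "enabled",
               "password_min_length": 14},
    "pc-17": {"usb_mass_storage": "enabled", "remote_desktop": "enabled",
              "software_install_restricted": "enabled", "host_firewall": "enabled",
              "password_min_length": 8},
    # pc-23 never reported software_install_restricted at all
    "pc-23": {"usb_mass_storage": "disabled", "remote_desktop": "disabled",
              "host_firewall": "enabled", "password_min_length": 12},
}


@dataclass(frozen=True)
class Finding:
    host: str
    parameter: str
    expected: object
    actual: object      # None when the device did not report the parameter
    rationale: str


def _meets(required, actual):
    """Integer requirements are minimums; any other requirement is an exact match."""
    if isinstance(required, int) and not isinstance(required, bool):
        return isinstance(actual, int) and actual >= required
    return actual == required


def compare_to_standard(host, snapshot, standard=STANDARD):
    """Return one Finding per standard parameter the snapshot fails or omits."""
    findings = []
    for param, (required, why) in standard.items():
        actual = snapshot.get(param)
        if actual is None or not _meets(required, actual):
            findings.append(Finding(host, param, required, actual, why))
    return findings


def audit(snapshots=SNAPSHOTS, standard=STANDARD):
    """Map every host to its list of deviations from the standard."""
    return {host: compare_to_standard(host, snap, standard)
            for host, snap in snapshots.items()}


def detect_drift(previous, current):
    """Settings that changed between two snapshots of the same device:
    {parameter: (old value, new value)}. A changed setting on a device whose
    standard did not change is the signal for an unauthorized modification."""
    keys = set(previous) | set(current)
    return {k: (previous.get(k), current.get(k))
            for k in sorted(keys) if previous.get(k) != current.get(k)}


if __name__ == "__main__":
    for host, findings in audit().items():
        status = "compliant" if not findings else f"{len(findings)} deviation(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  {f.parameter}: expected {f.expected!r}, got {f.actual!r} ({f.rationale})")
    # Simulated later snapshot of srv-01 with remote desktop switched on
    later = {**SNAPSHOTS["srv-01"], "remote_desktop": "enabled"}
    print("drift on srv-01:", detect_drift(SNAPSHOTS["srv-01"], later))
```

Treating a missing parameter as a finding matters in practice: a device that stops reporting a setting is indistinguishable, from the tracker's point of view, from one that has been reconfigured, so silence should be investigated rather than assumed compliant.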
Policy will state the need for standard configurations, and standards will articulate the parameters and the parameter settings. Configuration tracking will elicit these settings from servers, PCs, and other devices and compare them against the