Crayon Logo
Authors Posts by Phil Heap

Phil Heap

Phil is the Products & Services Director at Crayon and has been an integral part of the Senior Management team for over 10 years, having joined the business in 2005. With over 20 years of ITAM experience, Phil is credited with being the original architect of the Crayon SAM-iQ platform.

by -
0 223

The new General Data Protection Regulation (GDPR) created by the European Commission and European Parliament will be officially applicable starting on May 25, 2018.

Due to the evolution by which end users process and consume data, the need for a new regulation was apparent as previous regulations such as the 1995 EU Data Protection Directive as well as the Data Protection Act 1998 were deemed insufficient to protect the sensitive personal information of individuals entrusted to data controllers.

As a result, organisations need to pay greater attention to their Cyber Security and data protection policies, to ensure they match GDPR requirements.

Here are few things to know about the GDPR and how it applies to you.

1: Why the GDPR was Drafted

Although the current legislation was enacted before the internet, newer technologies such as social media and cloud computing have raised the bar in terms of the amount of data we consume, as well as ways these data can be exploited.

And although much of the GDPR codifies existing guidance from already established data protection laws, the changes being introduced are intended to actuate a new mindset and culture shift about the use and security of data.

Bearing in mind top companies such as Facebook at their discretion use customer data for their services, the GDPR was drafted to give people more control over the use of personal information.

With the emergence of the digital economy, the GDPR seeks to strengthen data protection regulations by introducing stricter enforcement measures.

2: Who is Impacted?

One of the most crucial things for organisations to note is that the GDPR applies to them as long as they control and process the personal data of EU citizens within and outside the EU irrespective of the organisation’s physical location.

Chapter 1, article 4 of the GDPR defines the role of data controllers and data processors as:

Controller: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Processor: “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

A controller could be a business organisation, an NGO or the government, while a processor could be an IT or audit firm doing the actual processing of data.

3: How Ready are You for GDPR?

As the official implementation of the GDPR draws close, with about seven months left; preparations for compliance should be in top gear.

Under the regulation, companies processing a considerable amount of data will be required to appoint a Data Protection Officer (DPO) who will advise on how best to prepare.

Companies will need to identify all personal data on their books, determine the reasons for holding such data and access how they are stored.

Where minors are involved, age verification before data collection should be standard procedure. Also, companies are mandated to obtain parental consent for data collected about their wards.

High-risk activities like data processing are prone to data leaks and identify theft. Therefore companies are expected to conduct regular Data Protection Impact Assessments (DPIA) to identify ensuing risks and develop plans to mitigate them.

4: What to do in Case of a Data Breach

Although most enterprises have laid-out procedures for dealing with Cyber Security threats; these methods must be reviewed under the scrutiny of the GDPR.

The GDPR brings with it new, mandatory breach notifications which attract heavy fines for defaulters. Once a data breach is detected, companies will have a 72-hour window to report it to the corresponding Supervisory Authority or risk penalties of up to €10, 000, 000 or 2% of their annual worldwide revenue (whichever is higher.)

Although the deadline is tight, if the breach is in the category of identity theft, then the affected individuals should be informed even before the Supervisory Authority is called.

5: Key Steps to Compliance

Nineteen months ago when the GDPR was initially drafted in April 2016, the best advice was to start preparations early. With less than seven months to go for full implementation on 25 May 2018, most organisations will not be GDPR complaint.

However, our FREE no obligations GDPR awareness questionnaire will expedite your preparation as it was drafted to help late implementers achieve compliance status in as little time as possible.

We will review your Cyber Security technology as well as data protection policies to check if they meet GDPR requirements.

Further, organisations need to understand the classification of the data they control, process and store as well as the legal basis for this.

The data protection policies of third-party suppliers that count as data processors must be checked to see if they comply.

Reviewing your data security policies and getting them into shape will be the first step in avoiding GDPR fines for lacklustre security measures.

Want to read more on this subject? See other articles on GDPR and Data Protection: 





by -
0 200

Although there already are directives on data protection and regulation, in less than 7 months from now, Europe’s data protection laws will undergo their biggest changes since they were made in the 90’s.

Considering the amount of data we create, collect, and process, the old laws just weren’t congruent enough to protect the personal data of subjects in today’s IT world of incessant cyber attacks and data breaches.

In light of this, the General Data Protection Regulation (GDPR) was created to overhaul how data controllers handle and process data.

An examination of the GDPR shows how your business can evolve with the times.

What Exactly is the GDPR?

Replacing the previous 1995 data protection directive, the General Data Protection Regulation (GDPR) is a new legislation for data protection laws.

Drafted by the European Commission, the GDPR is aimed at strengthening and unifying data security for entities in the European Union.

Although we have existing data protection laws, as shown in the GDPR, there are significant changes for public as well as private bodies and businesses that handle personal data.

Adopted by the European Parliament and European Council after four years of deliberations and negotiations, the GDPR’s underpinning regulation and directives were published in April 2016.

The GDPR is unique in that, its reach is not bound to the EU, but is instead worldwide.

Hence any organisation in possession of the personal data of an EU citizen is bound to comply with GDPR laws.

GDPR: An Evolution, Not a Burdensome Revolution

Although, the GDPR is presented as the most significant change in data protection laws in more than two decades, on closer look, the changes are more of an evolution of existing data protection laws than a total revolution.

And this fact is backed up in a recent blog from the ICO where the UK’s Deputy Information Commissioner, Steve Wood insisted that “The new regime is an evolution in data protection, not a revolution”.

So, the new regulation is not as burdensome as some stakeholders make it to be. Granted, any reform of this magnitude will have an impact on any organisations operations as well as resources.

Forthwith, the GDPR is an evolutionary process, building on foundations already laid for the past 20 years with significant long-term impact not obvious at this point in time.

The GDPR’s Impact on Businesses

Irrespective of whether you are an individual, start-up or enterprise, if you fall into the category of personal ‘data processor’ or ‘data controller’, you are under the GDPR’s jurisdiction.

The GDPR demands of organisations impeccable security as well as accountability for how they use the personal data of individuals.

Fines of up to €20 million or 4 percent of gross annual turnover (whichever is greater) of companies who fail to report data breaches is common news by now.

Alongside mandatory security notifications, a clearer definition of what could be described as personal data, new rules around user consent, and greater rights of user’s access to information companies hold on them is required under the new legislation.

Meeting GDPR Compliance

If your organisation is over 250 employees in staff strength, processing data of more than 5000 entities; investigating the need for a Data Protection Officer (DPO) who will amongst others work towards and monitor compliance could accelerate your company’s GDPR efforts.

Regular Data Protection Impact Assessments (DPIA) are deemed necessary for most organisations and may be mandatory for yours to anticipate risks and develop contingency plans to mitigate them.

Thoroughly carried out DPIA’s can help put you on track to meet the GDPR’s requirement of ‘Privacy by Design.’

Although meeting GDPR compliance may seem an arduous process, our FREE no obligations GDPR awareness questionnaire will plot for your organisation a custom roadmap to meet compliance.


Want to read more on this subject? See other articles on GDPR and Data Protection: 





by -
0 217

The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, giving companies and data processors about seven months to comply.

However, compliance is easier said than done.

Although the GDPR’s jurisdiction is Europe, the regulation applies to data subjects established both in the EU and outside.

This time next year, the GDPR will be in force, yet, many businesses are unaware and therefore unprepared for this sea of change in data protection laws that’s bound to sweep away defaulters for non-compliance.

With the effects of the GDPR sure to reverberate far beyond the EU itself, here is a five-step checklist that will help improve your readiness for these reforms.

Step 1: Understand GDPR Territorial Requirements

Although the GDPR borders organisations within the EU, it is important to note that it also covers EU denizens whose data are collected and processed by companies outside the EU.

Further, it is important data processors understand and define the territorial scope of the regulation as it applies to them. As long as your company provides any kind of goods or services across EU borders, you are bound to process and control customer data as stipulated by GDPR guidelines.

To understand GDPR obligations on data controllers outside the EU, organisations will need to interact with a Data Protection Authority known as the national Supervisory Authority designated in the country where their main administrative office is located.

Therefore, you should determine where your establishment makes its most important decisions concerning data processing and security to know the corresponding Supervisory Authority to contact.

Step 2: Set Up a Cross-functional Team Responsible for Compliance

The challenge of compliance for a comprehensive program such as the GDPR cuts across function and departmental units in an organisation.

Typically, a program of this nature does not have a single executive head solely responsible for compliance.

Therefore, the successful transition of the company will require the involvement of its composite units such as IT security, Accounting, Legal, Finance and others.

A compliance team comprised of unit heads within the company will be better positioned to draft a road-map based on the company’s overall strategy for a successful GDPR compliance.

This way all departments will be in sync to meet the GDPR’s strict requirements for data controllers and processors.

Step 3: Review and Plan for Compliance

Yes, this is an obvious one. But with less than eight months to go for the GDPR to begin, stats show that a lot of companies aren’t aware of the changes going on, talk less of making preparations.

So, most organisations will not be ready for the GDPR.

You don’t want to be one of them!

With fines as high as €20,000,000 for a data breach, a detailed review of your data processing and protection methods should identify areas that could cause compliance problems.

To begin, ask yourself these questions:

  • How secure is my business data, and is it backed up regularly?
  • Are my servers continually monitored against threats?
  • Do my data collection method and consent terms follow GDPR stipulations?

These are a few of really crucial questions you must ask yourself as you prepare for GDPR compliance.

Also, companies should review all contracts entailing data processing given these reforms.

Step 4: Conduct a Data Protection Impact Assessment for Traceability

Before the commencement of major projects, carrying out a Data Protection Impact Assessment (DPIA) will prove prudent for organisations.

A DPIA is a systematic process to assess the potential impact a project will have on the privacy of the parties involved.

Working with the relevant parties and stakeholders, the DPIA should be conducted throughout the system development phase of the project, especially before any data is collated in the first place.

This will entail mapping out functional activities that require data processing, keeping a record of where all personal data will come from and what will be done with them, understanding the legalities for processing them, and who will have access to the data.

By this, the company would have fulfilled the GDPR requirement of “Privacy by Design”.

Step 5: Automate Your Compliance Process

An integrated solution for complying with the GDPR’s mandate on “Privacy by Design” is automation.

You may have systems in place to perform risks and pen tests; however, continuous automation of your compliance process takes it up a notch.

Automating your process will take your organisation out of a reactive mode to a proactive one. This way your systems, including software-based compliance controls are continuously GDPR compliant based on your DPIA results.

Testing work environments and production systems for loopholes become as common as running a routine IT Security audit.

GDPR compliance will become a part of your business planning and systems development stage.

This will enable anyone in the IT, finance or other business departments have access to real-time compliance data, using this information to correct any GDPR compliance issues.

With the GDPR’s deadline looming, a wait-and-see approach to compliance could be perilous.

Get acquainted with the regulation’s guidelines by taking our FREE GDPR awareness questionnaire to put your organisation ahead on the compliance scale.


Want to read more on this subject? See other articles on GDPR and Data Protection: 





by -
0 185

Never heard of it you say.

Well, if your organisation is in the European Union or processes the personal data of EU individuals—customers, employers or business associates, then not only does the GDPR concern you, you are at risk of severe financial and reputational penalties for non-compliance.

In fact, with less than eight months to the full enactment of the General Data Protection Regulation (GDPR), enterprise leaders should be implementing new policies and procedures for the new laws.

The GDPR which commences in May 2018 imposes responsibilities on data processors that provide goods and services, standardising and boosting data security across the EU region.

Here’s a primer on how data controllers can prepare for compliance.

What is Personal Data?

The Data Protection Act (DPA) defined personal data as data relating to a living person identified either from the data or from information in conjunction with other data that is in or is likely to come into the possession of a data controller.

Under The GDPR, personal data has a broader definition, with it defined as data relating directly or indirectly to an identifiable person by reference to an identifier such as a name, an ID, online data, or by physical factors like location, physiological, cultural and social features.

Although the DPA and GDPR share similarities in definition, the GDPR is more comprehensive, encompassing a broader scope of personal data under its protection.

For companies not sure what may be classified as personal data in their dealings with end users, extra caution in collecting and securing as little data as possible, and not storing any information longer than necessary is a quick start to GDPR compliance.

Most Companies are Unaware and Unprepared for GDPR

Despite the vastly increased level of fines companies will face for GDPR noncompliance, a lot of companies in the EU are unaware of an impending act such as the GDPR.

The main surprise to small businesses may be fines of up to 4% of their annual turnover or a whooping €20m for noncompliance.

A recent survey carried out by Vanson Bourne of over 500 IT decision makers in companies with more than 1000 employees revealed that 75% agreed they face serious challenges in being compliant with the GDPR.

A general lack of awareness was blamed for companies’ unpreparedness.

However, with less than eight months to the proper implementation of the GDPR, now is the time to act.

Interpreting the GDPR Requirements and Guidelines

Although there is a growing awareness of the GDPR among company executives, many are still in the dark regarding its scope and breadth, seeing it as just an augmentation of current data regulations.

While there are areas of the GDPR that are the same as existing laws like the 1998 Data Protection Act (DPA), it is essential organisations differentiate the GDPR’s new framework and requirements in the EU as regards data protection.

For organisations processing volumes of end user data, constant communication with their national Supervisory Authority concerning the interpretation of GDPR laws will fast-track compliance.

What Do I need to Do to Prepare?

There’s quite a lot you should do to prepare for the GDPR, educating yourself for full compliance is crucial.

However, as the countdown to GDPR implementation shrinks, with most businesses unprepared, it is important you define the scope of your preparedness from a business perspective to determine what should be ready before the official kick-off in May 2018.

Organisations need to identify which aspects of the regulation are critical to compliance, understanding the legal requirements and the ensuing risks in involved.

Therefore, an in-house interpretation of the GDPR requirements to uncover any existing gaps and the immediate measures to rectify them should be a top priority.

Data security has always been important. However, it’s become sacrosanct. Take our FREE GDPR awareness questionnaire to get your business on track to meet the requirements for next year’s implementation date.


Want to read more on this subject? See other articles on GDPR and Data Protection: 





by -
0 190

The EU’s General Data Protection Regulation (GDPR) has begun its run-up to full implementation in May 2018.

From proposal to enforcement, the GDPR timeline of events shows how the regulation will replace the 1995 Data Protection Directive (95/46/EC) which was created to govern and regulate all businesses processing the personal data of EU citizens within and outside the EU.

The GDPR touted to be the biggest reform of data protection laws in over twenty two years will boost data security and protection for consumers, expediting increased privacy sentience for enterprises.

But what does this mean for SMEs? Below are some key considerations for making your company GDPR compliant.

1: Review Consent of Customer Data Use

Understanding the personal data of customers and how to process it is a crucial part of GDPR SMEs will need to address.

Although customers previously may have given consent upon initial interaction, this does not give SMEs the leeway to use their data however they like.

In fact, under the GDPR, enterprises caught using personal data for purposes other than previously stated upon collection will be prosecuted. It is also important to indicate how long these personal data will be used and retained.

Also, SMEs are required to furnish their customers with their Data Subject Rights which entails transparency of information, communication, and modalities for the exercise of their rights on their data.

Therefore, a review of consent of the entire current customer base may be needed as the GDPR requires clear-cut terms, so individuals are fully informed, and their consent can be freely given or not.

So, general data clauses and vague contract terms will no longer be adequate.

Should the reason why personal data is required by service providers be unclear, and how these data will be used, customer consent may be deemed invalid.

2: Reinforce Your Data Security

Intensive pentesting tests to determine where security vulnerabilities in your organisation lie must be carried out.

Enterprises with the resources to carry out a pen-test won’t have problems doing this internally, or else, outsourcing to a reputable company to do this is a good idea.

Failure to do so may expose your company to hackers and data breaches, compromising sensitive customer data.

Moreover, heavy GDPR fines are in place to punish organisations with weak IT security. For this reason, a thorough IT Security audit is sacrosanct.

Moreover, SMEs must setup necessary notifications to ensure prompt detection, analysis and remediation to meet GDPR standards and maintain compliance in case of a breach.

A comprehensive risk and technology optimisation assessment by Crayon will help get your IT security infrastructure to a GDPR ready state.

3: Employ a Data Protection Officer (DPO)

For businesses processing considerable volumes of sensitive customer data, particularly large enterprises; the function of a data protection officer (DPO) has been mandated by the GDPR.

A DPO’s main job is to ensure your company is compliant with the GDPR’s obligations. Therefore, it is imperative this person be an expert on business practices and IT security, data protection law, and information held within the organisation as regards customer and employee data.

The DPO must be involved in critical decision-making in every aspect of data protection and security, reporting routinely to the chief officer within the organisation.

It is important to note that an existing employee may fill the role of the DPO; the position may be outsourced as well.

However, under GDPR, some I and O leaders depending on current responsibilities may not take on the role. Consulting with your national Supervisory Authority should clarify who exactly should fill this office.

4: Prepare Your Staff to Recognize and Abate Cyber Attacks

As the GDPR approaches, many SMEs to this day still fall short when it comes to data breach preparedness and best data security practices.

An organisation must draw out exactly how it will deal with a breach, and appropriate procedures to mitigate it.

Tight data encryption and secure data transfers will not be enough; IT staff must be trained to understand and identify what constitutes a cyber attack.

Employee error has been reported as the biggest culprit to security threats in SMEs, therefore, to enhance staff data monitoring capabilities, training in business IT security should be a regular drill.

5: Get In Touch with Your National Supervisory Authority

For SMEs to ensure total GDPR compliance, it is crucial they be in constant communication with their national Supervisory Authority also known as the Data Protection Commissioner (DPC).

A supervisory authority’s office, known as the Information Commissioners Office (ICO) in the UK is present in each country in the EU.

In the event of a cyber attack or data breach, reporting to your Supervisory Authority within three days as mandated by the GDPR will be the first step in evading the heavy fines that will be imposed on organisations that fall victim to a breach and miss the 72-hour deadline.

90% of large organisations reported a data breach in 2015, with 74% of SMEs reporting the same. This shows that although preventing an attack may be impossible, being ready is key to mitigating whichever ensuing damage.

The new EU regulation for Data Protection becomes a mandatory requirement in May 2018, the need to get your business ready is now!

Our detailed FREE GDPR awareness questionnaire will ensure you meet the requirements.


Want to read more on this subject? See other articles on GDPR and Data Protection: 





by -
0 1758

Improving IT security is not just about adding firewalls and making sure anti-virus is up to date. Software asset management (SAM) can help in finding old, vulnerable versions of software on the network. Here, we show how SAM can improve security in your organisation.

What you need to know about software asset management and IT security

License Compliance is normally the first thing that is thought about when it comes to Software Asset Management (SAM). But we should take a much wider view and think about how SAM helps in other areas of IT and across the business, most significantly in the area of Information security.

One of the principle roles of SAM is to make sure all IT systems are recorded and managed for the purpose of Software license compliance. IT security also needs to make note of all devices in the infrastructure to ensure an appropriate level of security is in place.

Comparing devices in the device inventory with those found by endpoint security systems is likely to produce three things: a list of devices both in the SAM database and IT security database; those only found by SAM tools; and those only found by IT security tools.

This helps both the SAM manager and the IT security manager focus on those devices they should be managing but don’t appear in the respective databases.

Another way that Software Asset Management can assist with IT security is by making sure that relevant details from the SAM inventory are shared with the IT security manager, so they can check for older software versions that may no longer be supported or may not have the appropriate patches to close security flaws. SAM managers and Security managers should also work towards devising an authorised software list or catalogue of authorised software that software is procured from. That way security and compliance can be assessed before its brought in to the organisation.

The SAM manager should also verify that any licenses that have been allocated to individuals are being used by the intended recipients. This information can be extremely vital to IT security as the license allocation could highlight access areas that are still granted to users who no longer require it, or who no longer even work for the company.

Knowing what’s what with home workers

Telecommuting or working from home has become very popular over the last few years with many employees hardly setting foot in the office. Secure VPNs and Direct Access are now often in place to make sure your infrastructure can be accessed at anytime and from anywhere.

IT security should know who accesses the network through these secure connections, and how devices are used outside the office; for example, are they using it to download and install software they shouldn’t? Knowing exactly what software is being used and by whom, can minimise the risk of malware infecting the network.

Also with more employees that “bring your own device” to the company, this can dramatically increase the possibility of unlicensed software appearing within the infrastructure. A strong policy framework including BYOD is essential, as this will go a long way to ensuring risk is reduced and increase confidence that the organisation can remain compliant (whether the software has a company-owned license or personal one).

Cloud is another consideration for SAM and IT security managers. If part or all IT is moved to the cloud, the changes to infrastructure and architecture along with the introduction of 3rd party service providers adds another layer of complexity and also must be managed effectively to stay fully compliant and protected. But that’s a huge topic in itself and probably one for another day

SAM as an organisation’s vanguard

Software asset management should be at the frontline of an enterprise’s security strategy as they are both important contributors to strong IT governance. Combining SAM with Information security at the end point and at the core will underline otherwise invisible events and help in identifying suspicious or strange activity down to the individual device or user.

If an organisation does this, it will know just how valuable having SAM and IT security alignment really is.

by -
0 1351

Sometimes SAM can be more difficult than it needs to be. We look at some of the mistakes an organisation can make when it comes to software asset management and how best to avoid them.

Software asset management (SAM) can be a time consuming task requiring many people to carry it out. It is difficult enough even when users do what they are supposed to do. Failure to compile and produce accurate installation information can lead to costly errors.

So what are the common errors organisations make when it comes to software asset management and how can these be avoided?

SAM is not a silver bullet

Many organisations think of implementing SAM as a quick fix or silver bullet that will somehow sort everything out there and then. While the tools on the market are great, it needs to be backed up with the right processes and the right people in order to make this a success.

Doing everything at once

Another mistake enterprises make is trying to do everything at once. Deploying a SAM solution is a journey and should be done bit-by-bit. All too often an organisation will spend vast amounts of their budget without anything to show for it. This can lead to such projects begin shut down by upper management.

Having a thorough roadmap is essential and the ISO 19770-1 standard can help in devising one. This demonstrates that the entire enterprise should support the SAM deployment and vice versa.

Making SAM too complex

A SAM project can get out of hand and become an untamed beast that is unwieldy and cumbersome. Getting this back on track requires the organisation to get back to basics. This means figuring out what sources you should use that are reliable and rebuilding the model from there. Implementing things such as automated approvals, financial chargebacks and software stack rationalisations are great but these need to be kept as simple as possible at the outset.

Forgetting about software in a merger or acquisition

Software is an asset that often gets overlooked when companies merge or get acquired. While it brings a lot of value to a firm, it can also create a lot of risk. Don’t assume that when purchasing a company, the software assets are thrown in. Even if they are included in the handover terms, you must document this. Licenses have to be novated to the new organisations and proof of this retained.

Don’t assume outsourcing means no responsibility for SAM

Outsourcing has become mainstream for many organisations but while you might outsource a lot of things in your organisation, software license compliance is never going to be one of them.

You need to ensure that you know the impact on your license risks from third party services and the decisions they make. Vendors will always expect you to account for all software usage and that you have the correct licenses to cover deployment. Even when you outsource SAM itself, compliance is always going to be that the buck that stops with you.

BYOD and your licenses

Users may think it is easy to bring their smartphone and tablet into work, but from an SAM point of view, things are a little more complex. Especially when it comes to Microsoft licensing rules. Do you need to license the software on someone else’s device when they bring it into the organisations or do you license access, such as when accessing email on an Exchange server? If so, its very likely you need device Client Access Licenses for devices provided you haven’t already purchased User Client Access Licenses.

Did you forget to re-harvest software licenses?

Many organisations forget that when PCs are decommissioned, there are still software applications on them with their associated licenses. You must not forget to take these back.

Another thing that is universally overlooked is software installed on machines that is never used. Go beyond simple deployment versus entitlement and use your discovery tools to see what is actually being used. Applications sitting idle on a machine are wasting tons of money. Run a report today and see what is and isn’t being used.

by -
0 7670

Picking the right SAM tool shouldn’t be the only thing you think about, it’s more about driving the outcomes required from the enterprise and optimising investment

There are plenty of choices when it comes to SAM tools. However, picking the right one isn’t just about the tool itself, it also about knowing what you want out of the tool and processes that go alongside them. Buying a SAM tool cannot be rushed into without a second thought. The right tool will be essential to the success of your software asset management plans.

What do you really want?

Every organisation is different and will thus have different requirements. This means there will be differing products on the market to service those needs. Organisations have to work out what they need from a SAM tool and how they are going to implement it into an ecosystem of procedures and processes to create an environment of continual compliance and licence optimisation.

This means thinking about things such as inventory and discovery; metering; license management; usage stats; mobile device management; datacentre management; and virtualisation and cloud environment management. It also means a greater conversation within the organisation about what software is needed where in the organisation and how it can be managed in an optimised way.

Also to be considered are such things as whether you want agent or agentless technology; how you want reports generated; and how SaaS applications are discovered, tracked and licenses managed for the most efficient use.

If your organisation is almost entirely mobile then a complex mobile device management solution would be preferable to a general SAM tool, even when SAM tools often integrate MDM into their suite of functionalities.

Do you need to do everything?

All organisations have their own individual needs. You not only have to think about what is in the organisation now but what may be needed in the future. This means careful planning and probably the creation of multiple scenarios.

If we assume that your organisation wants one SAM tool to do everything (desktops, laptops, mobile, servers, virtual and cloud), while the tool won’t specialise in a particular field, it may well fulfil all requirements in some form.


Ease of use: SAM tools can be complex beasts but this shouldn’t prevent them from being easy to use. The interface should allow you to carry out SAM tasks easily and without it being time consuming.

Good support: You will need support from the vendor of your SAM tool during deployment and the ongoing management of the tool within your organisation.

Software metering: As part of a SAM project, you will want to optimise software licenses and usage and will require actionable data outputs to achieve this.

Inventory and discovery: You need to know what assets you have in your organisation.

License management: Tools have to be able to manage the major software license types that are out there on the market and in use within your organisation. This should also include software running in virtual and cloud environments.

Specialised license management: If you invested heavily in SAP, IBM or Oracle, some SAM tools provide support for licenses from these vendors and the complicated license management processes they entail.

Datacentre and server management: Many firms have datacentres and most will have servers running within their infrastructure. Software running in these environments will still have software that needs to be managed and monitored.

Virtual and cloud software management: VMware, Hyper-V, AWS and Azure are environments with software that needs to be managed. A SAM tool will need to glean information from these in order to keep you abreast of what is running in these cloud environments.


Will it fit in with what I have already?

You also have to ensure that any SAM tool introduced into your organisations will integrate or at least work with solutions already in place, such as ITSM tools, MDM solutions, etc. You need to find out if there are any compatibility issues that would prevent them working together. The existing tools would have had money and time invested in them.

If you buy a SAM tool that deploys agents on systems, those agents will have to be included on images used to build machines for your organisation. This may seem like a small thing, but it will have an impact. Also, if a user has admin rights, do they have the ability to remove a SAM agent? If so this could mean one less machine it has oversight of.

Making a list, checking it twice

To recap, there are a number of things to remember when choosing a SAM tool.

Will you get support?

Is it compatible with other tools you use?

What will the impact be on your business and users?

How easy is it to deploy to local machine?

Can you manage it on a daily basis?

Do you have the right server to host the tool?

Can your tool manage virtual or cloud-based software?

How often does the vendor update the SAM tool?

How is data collected and are resources tied up with this data is collected?

How will this help in meeting organisational goals in compliance and efficiency?


Don’t expect the tool to do it all for you

Any SAM tool is only as good as the knowledge and structure you deploy to optimise it’s use. Without the necessary skills sets to assimilate the data outputs against the complex landscape of publisher licensing agreements a SAM tool will only get you so far, and that may not be as far as you would like! Enterprises are increasingly looking to appoint expert SAM partners to help them establish and manage a credible SAM environment across their business and at the same time optimise the deployment and use of the chosen SAM tool. If you believe you lack the band width or skill set required to do this yourself then this approach is probably the first decision you need to take before you procure the SAM tool!

In conclusion

Every organisation is different, but the principles of choosing a tool are broadly the same. It has to be the right one for your environment that helps in meeting broader goals of your organisation and optimising its software investments and maintaining compliance. If you have any doubt regarding your ability to optimise an investment in a SAM tool think about appointing an expert SAM partner who can help you understand what your organisation needs and how this can be achieved and this will determine the appropriate tool and approach to help reach those goals.

by -
0 1683

Many firms fail to comply with their software agreements and as a result pay unbudgeted audit fees. We look at what steps you can take to be proactive.

Cloud, social and mobile mean that today’s enterprise applications are being implemented and used in ways beyond those anticipated by legacy license agreements. Datacentre consolidation, shared services and international expansion could break restricted use rights.

Outsourcing can also exceed limitations on third party use. Extranets, portals, and integrated applications architectures makes the division between direct and indirect users harder to define. Virtualisation, multiple core processors and multiple threads complicate CPU and server-based license schemes.

The drop in new license revenues has also led software companies to make more repeated audits. Often, these audits would only happen when someone blew the whistle on suspicious licensing practices, whereas nowadays software vendors tend to audit as part of standard business practices.

Indeed, businesses can be audited many times a year across their portfolio of software. And it’s possible each audit could result in liabilities running into the millions. But organisations can take steps to mitigate this risk throughout license acquisition, during the software asset management process (SAM), and in response to a provider audit.

1 – Focus on the license agreement

Risks during auditing can be decreased by targeting important areas of the license agreement. If different licensing models are available, the business should choose a arrangement that — outside of offering a cost-effective solution — permits confidence in compliance. A per-user or per-device licensing system may not be suitable for an environment with inadequate desktop configuration and asset management.

Organisations should apply license agreements as flexibly and wide-ranging as possible to avoid separate pools of licenses and using approaches like “exchange rights” where unused licenses of one product can be exchanged for licenses required for another piece of software.

There should also be reasonable limitations on audit rights to prevent the audit being too intrusive and offer even-handed resolutions for inadvertent non-compliance. Organisations need to have adequate notice and be able to delay audits for mitigating situations.

Organisations should be able to review software asset management processes with their software provider. Establishing that SAM practices are vigorous should mean that an auditor may not have to perform an intrusive, time-consuming audit.

2 – Shift to ongoing compliance

Once an organisation has demonstrated an agreement that avoids infringement and protects the business for the worst excesses of an audit, the focus can move onto ongoing operational compliance applying a full-bodied approach to SAM. A best practice is creating license compliance and centralised tracking as a fundamental competence within IT.

The compliance team should be included in any license purchasing and involved in the enterprise change management process to detect any unexpected licensing effects. The team should also carry out recurring data verification audits to corroborate the output of any automated discovery tools and confirm enterprise license entitlements.

Most organisations now understand that Excel and manual methods are no longer adequate. SAM is presently perceived as a required core function in IT service management, and it’s offered as a component in the vast majority of the ITSM toolsets. There are additionally standalone SAM tools, some of which are acknowledged by large software vendors as alternatives to their own license management software.

 3 – Manage the audit and define processes

When an organisation is audited, a common error its to accept the process and results. Rather, the business ought to plan effectively for the audit, stay engaged with the audit and prepare to discuss the outcome.

When notified, the business should look again at the license agreement to comprehend   the premise under which the audit was demanded. Older agreements may not have anticipated audits or may considerably constrain the audit scope and/or resolutions for non-compliance.

The business should coordinate with the auditor to comprehend the planned range and method, as well as verifying the license agreements and entitlements that will be used as the basis for the audit.

The auditor may base their investigation on standard licensing terms (rather than any negotiated agreement) or be ignorant of particular entitlements, such as those allocated after an acquisition.

Having comprehended the planned audit method, the organisation should self-audit to assess compliance and isolate risks. Entitlement information may be amassed from consolidated databases, purchase orders, license keys or certificates, or invoices.

Once the audit has commenced, the business and auditor should both define the audit process. Audits should promptly end if non-compliance is not shown within a certain timeframe.

There should be a single point of contact during the audit process to address internal problem resolution and allow for suitable responses.

The business should also insist on a draft report from the auditor to tackle inconsistencies in data. This needs to be done before costs are examined.

An initial settlement demand is a starting point for negotiations, especially when non-compliance was unintentional. Counter-offers may be based on maintaining future compliance rather than backdated compensation.

If your business can argue a fair position, the software vendor may consider the offer so as to meet personal bonus deadlines of reporting of revenue. Many enterprises are now engaging the assistance of expert SAM Consulting partners to allow them to implement the above type of activities as they either do not have the expertise available within their own team or what expertise they have is unable to scale to the requirements. If in doubt, find a SAM expert to help, youll almost certainly save many times the cost in better optimisation of your software assets and the mitigation of liability that would otherwise be uncovered by a publisher audit.

The unavoidable

Organisations can no longer avoid audits if they have a large portfolio of software on their estates. But by arranging licensing agreements correctly, reducing compliance doubt through strong SAM procedures, and actively involving the vendor during software audits, businesses can mitigate the risks and subsequent possible costs from these measures.

by -
0 1419

How SAM-iQ Will Help You Become an 'IT Rock Star' for Your Enterprise

What Are The 10 Key Metrics You Need To Track For Effective Software Optimisation?

How can you justify the investment in Software Asset Management (SAM) if you’re not measuring both the performance of your SAM team and the benefits that the SAM program is providing?

Whilst there’s no shortage of best practice advice around in the SAM market today, there is still a distinct lack of help in terms of how to actually implement and measure SAM processes, the effectiveness of tools, accuracy of data and so on.

Of course there are best practice frameworks like ITIL together with an international standard (ISO 19770-1), but whilst these both provide sound guidance of the ‘What’ and the ‘Why’ they don’t really provide all-important support in the form of ‘How To.’ This means that there is a real challenge in proving SAM effectiveness for most organisations.

Why? Well, very often SAM owners get blindsided by the different priorities, objectives and ways of setting up the necessary metrics to measure things. So, despite there being documented SAM best practices available for reference and guidance, there is deemed to be a level of interpretation required in order to set and measure metrics specific to a business’s needs.

At Crayon we speak to many C-level leaders who tell us that they know they need to address SAM/ITAM but just don’t see the benefits. They feel that they never seem to improve, so it’s hard to identify how close they are to reaching their goals and objectives.

We respond by asking how they are measuring it. And the reply often is: “I don’t think we are.”

Trying to interpret SAM reports with either your internal teams or from SAM service providers can sometimes be a real challenge, as they never seem to highlight the successes, or measure the improvement in a way that clearly demonstrates value.

That is why with the release of SAM-iQ, Crayon’s unique approach to planning, implementing, maintaining and optimising your complex technology through effective SAM deployment, we have introduced a brand new online platform that provides an immediate and dynamic dashboard view of your key SAM status.

To ensure that demonstrating success to your senior management sponsors has never been easier, Crayon has developed a best practice approach to SAM. We provide you with the training, the guidance and the tools, but also give clear, measurable objectives and KPIs that will eliminate the need for your own interpretation and ensure you are enabled to provide clear and concise ‘value based reporting’ back to your team.

Here are 10 of the many key metrics SAM-iQ helps you implement, track and measure:


  1. The number of completed tasks leading toward achieving specific/all objectives
  2. The number of allocated tasks leading toward achieving specific/all objectives
  3. The status (percentage complete) of each allocated task and objective
  4. The status (percentage complete) of the overall project phases and stages
  5. The number of policies and procedures that have been developed and implemented
  6. SAM maturity levels benchmarked against other organisations and against other best practice (SAM Optimisation Model, ITIL, ISO 19770-1)
  7. The annual (currency) spend against each software vendor
  8. Budgeted software spend vs actual software spend (currency)
  9. Capex vs Opex spend (currency comparison)
  10. Amount of cost (currency) avoided due to harvesting licenses already owned instead of purchasing new ones


By understanding each KPI and its metric, IT leaders can easily track their own progress and the progress of their team, together with the ability to demonstrate to third party stakeholders how investments in complex technology are being optimised and where there is a need for additional resource and/or technology investment, wider adoption and/or sponsorship.

The winning combination of having the right people, processes and technology in place and then introducing the capability to capture and report on the metrics we describe above, will revolutionise your IT estate management and maximise your ROI from IT investments.

For your FREE trial of SAM-iQ contact your local Crayon team today or visit us at