Software Piracy – A Mammoth Challenge

We always hear about companies getting penalized for software piracy breaches.

But the real question to ask is: why do individuals and companies keep using pirated software even as product companies and regulators become increasingly aggressive against such piracy?

Some of the reasons could be the high cost of the product, inadequate monitoring controls, and the prevailing culture or ethics of individuals and companies.

Why would companies want to pay heavy fines for a piracy breach when alternatives exist in the form of open source? If financial or economic factors were driving software piracy, then product companies lowering the cost of software could be a possible solution, although this would have an adverse impact on the product company in terms of revenue.

But in fact, cost does not seem to be the prime factor leading to software piracy. The main reason for software piracy is that digital assets are not valued as much as traditional or tangible assets. It is this perceived low value that actually makes people devalue a product and get into the piracy game. Internet access makes pirated software easy to obtain.

There are various mechanisms used by product companies to manage piracy, including:

1) Copy protection of the source media, making it difficult to copy or replicate to different media

2) A licensing model in which the product requires a product key (software or hardware) to function

3) DRM, which requires a connection between the server and the client

But these methods have their own drawbacks and are not foolproof in today's age for a product company seeking to prevent software piracy.

So then, what should a company do to prevent piracy?

This is a debatable topic which requires more focus in the Information Security arena.

In fact, the solution boils down to changing the perception of how a software product is valued by the individuals or companies using it. Companies must define their own governance and compliance policy to ensure that they are not breaching any software agreement.

Some simple governance steps to avoid breaches and ensure software and licensing compliance could include:

1) Use a software management system to track usage of software and licenses

2) Perform audits or use audit tools to ensure compliance

3) Raise employee awareness about licensing and software purchasing

4) And, more importantly, purchase the required software and adequate licenses

Software piracy is complex and needs to be studied in more detail to arrive at a comprehensive solution to this mammoth challenge.


Documentation Requirements of the new standard (ISO/IEC 27001:2013)

The much awaited new standard ISO/IEC 27001:2013 was released on 25th September. This is the first revision of the standard in 8 years. The new standard is more focused and better aligned to the organization's objectives. As this buzz goes on in the industry, there is also much confusion over the implementation of this standard. I would like to put forth my comments on the documentation requirements from the perspective of the newly released standard.

Even though the new standard ISO/IEC 27001:2013 mandates some documents (such as the IS Policy, IS Scope, etc.), not much has changed from the old standard's documentation requirements. One needs to maintain all the IS procedure documents and records of implementation as evidence. Hence I have listed below the documents which I feel an organisation needs in order to implement information security. Please note that this list should not be treated as the only documents required; the organization should maintain other documents as appropriate to its information security implementation environment.

1) IS Policy

2) IS Scope

3) IS Objective

4) Risk Assessment Process

5) Risk Treatment Process

6) Risk Assessment & Treatment Reports

7) Statement of Applicability

8) Internal Audit Procedure

9) Corrective Action Procedure

10) Information Security Metrics

11) Document Control Procedure

12) ISMS Operating Procedures

13) Communication Procedure

14) Contractual & Regulatory Requirements

15) Security Incident Management Procedure

16) Acceptable Usage Policy

17) Information Classification & Handling Procedure

18) Documented Records

19) Security Roles, Responsibility & Competency Document

20) Management Review Records