In our line of work we perform Software Asset Management (SAM) assessments all the time. We ask clients many questions about how they manage their licensed software entitlements during these assessments and some of the questions pertain to the client’s company policy as it applies to SAM.

For instance, we ask interviewees whether they’re aware of company policy relative to SAM, or policy on software licensing, or on IT Asset Management in general, or maybe the policy on downloading software. We ask where these policies are stored and to whom they apply.

You’d be surprised how often we hear client employees say “there’s no policy for that”, or “I don’t know the policy for that”, or even “I don’t know where to look for the policy on that.”

Sometimes we discover the interviewee was just plain mistaken, and that SAM-related policies do exist, but the employee was just not aware of them. Sometimes we discover there are such polices at the client company, but they are written at the department level and thus might not apply outside the department.

Perhaps more frequently when we encounter confusion about company policy, it is because the employees present us with what are actually procedures instead of policies. These procedures are basically “how to” documents, and might include such things as how to handle PC acquisitions, how to manage application ownership, how to assign thin clients and virtual machines, and many similar tasks. Interviewees tend to be very familiar with the procedures in their own workgroup, and far less aware of those outside their workgroup, and yet each group expects members of other teams to be familiar with their procedures.

We also often hear about standards and guidelines as they apply to IT Asset Management. The descriptions we hear sometimes cast doubt over the effectiveness of these things, such as “…not everyone here follows the standard…” or, “…these guidelines tell employees what they need to do...”

While the distinctions between policies, procedures, standards, and guidelines might seem familiar to many, rest assured they are foreign to some.

So here are some sample definitions and examples of these things:

Policy: A set of high-level principles and rules, endorsed by company executives, that are mandatory and must be adopted by all employees and contractors, having effective dates, designed to help the company reach long-range goals, and which are typically published in a prominent place such as near the top of the company internal website. An example of policy might be “All PCs or similar devices connected to or interacting with the company’s internal network in any way will have working up-to-date virus-scan software on them and will be encrypted to ensure protection from malware and stolen data …”

Procedure: A series of steps to be followed as a consistent and repeatable method to achieve an end result. A “how to” instruction typically intended for internal departments. An example might be “Virus-scan will always be installed by the PC staff when the computer is received in department #1, and using the following step-by-step procedure …..”

Standard: A mandatory action or rule that gives direction and support to policies. An example might be “We will use Vendor #3’s virus-scan product called XXXX in support of the policy on malware protection.”

Guideline: Recommendations designed to streamline some processes according to best practices. These are open to interpretation and are not mandatory. An example might be “We recommend you update your virus-scan file when you login on Monday morning.”

Does your company have policies and procedures describing Software Asset Management? Do most employees and contractors know where to find them? Are they consistently communicated with all stakeholders?