Putting the BS in the BSA
Author: Steven Zolman
The Business Software Alliance (BSA) has recently announced that they’re going to offer a “certification” for IT SAM. http://www.itassetmanagement.net/2011/11/15/vendor-audit-forbearance/
The requirements aren’t fully defined on their website, but the gist is that you pay the BSA to get certified. You allow the BSA to audit your implementation of their standards (who knows what else they may audit while there). And then you get a two-year audit forbearance from BSA member organizations including Adobe, Microsoft, Symantec and others (see the entire list here).
Our recommendation? Do NOT sign up for this program without carefully reading the BSA materials and program specifics, and even when you do, you may very well agree that the program offers more risk than it does benefit. What’s clear is that this is not a free pass for being out of compliance and it doesn’t ensure anything other than paying the BSA to monitor you when they have previously had no legal right to do so.
The BSA is a trade association, and is NOT independent in any way, as its members are software suppliers that pay the BSA to shake down clients for largely trumped-up compliance allegations. The BSA has but ONE goal: making sure its members are paid for every license used. This, in and of itself, isn’t problematic. Suppliers should get paid for the rightful use of their products. However, a supplier-funded trade association is a questionable structure for a watchdog.
From what is available online, it appears that signing up for this program gives BSA “auditors” the right to do the audit. Again, this is akin to allowing the fox to guard the proverbial henhouse. Additionally, unless a client signs up for this specific provision, generally speaking, the BSA has NO right to ever audit your use of any software program. So giving them this right in exchange for “forbearance” isn’t worth the trade-off.
To understand this clearly requires knowing that “forbearance” doesn’t mean immunity. Rather, it means that they will likely not take action during the two years of the program, but the knowledge they gain through the audit can be used the day after the program ends, ostensibly to locate potential infringers who can then be the target of more invasive (and costly) audits.
Our analysis? This is a wolf in sheep’s clothing; don’t invite the wolf in to watch your henhouse.