Computable.nl

Information security compliance

19 April 2001, 22:00 | 4 min read | Opinion | Governance & Privacy
Martin Healey

The Initiative for Software Compliance (iSC) was set up some time ago as a non-profit company to establish standards for auditing large companies regarding the legality of their software, i.e. have all the licence fees been paid!

The iSC standard was applied by specialist auditors, and problems were fixed by appropriate system houses. Legal compliance with software licences was the obvious starting point. The Business Software Alliance (BSA), an agency funded by the software industry, is quite rightly very active, and there have been some high-profile cases of gross underpayment of licence fees detected in significant enterprises. It is a common misconception that software "theft" is the exclusive domain of Asian pirates, but it is not. In fairness, the problems within the enterprise do not stem from deliberate copying of software in order to avoid payment, but from unmonitored proliferation. Nevertheless, the directors of these companies are responsible and can face serious consequences; ignorance is no defence!
However, it soon became obvious that software licensing was not the only legal compliance requirement. Compliance with the Data Protection Act was high on the agenda, a problem compounded by different details of the law in different countries, but so was checking for correct procedures regarding computer misuse and, where applicable, the Companies Act. Computer misuse has long been an issue, but it has multiplied in significance of late with the impact of the Internet and e-mail. Thus, while the initial target of iSC was to test compliance with external legal requirements, there is now a need to test any standards that a company wishes to impose on its own staff as well.
In the light of the expansion of the scope of legal compliance needs, iSC has changed its name (but not its initials) to Information Security Compliance. iSC provides a comprehensive compliance programme, the copyright aspect of which is now incorporated in the UK standard for information security, BS7799. Most countries have similar developments, but national differences cause serious problems for multi-national corporations. There are active bodies currently trying to establish a European standard, but this is a complex task.
An audit to the iSC standard can cost between £10,000 and £40,000, depending upon the size of the company. Such an investment makes sense to any large enterprise, given the problems that operating illegally would create, particularly for the directors. But legal compliance is not constrained to large companies; it applies to everyone! Nobody knows for sure, but it is likely that as much as 50% of software installed on home PCs has been illegally copied. It is probably impractical to police this, except to make examples of individuals, but there are many companies of a size between the individual and the giant corporation, the so-called Small and Medium Enterprises (SME). They will not (and probably can't afford to) pay the fees needed to undertake a full audit, but they are still vulnerable to a visit from BSA or the like!
iSC has tried more than one approach to augmenting its enterprise programmes with a solution for the SME market, with little success to date. It has reached the conclusion that self-assessment is the only practical answer. The availability of the Internet is another factor which can provide a solution to the problem of getting the software tools to the individual SME. Thus iSC has developed a computer program which asks multiple questions aimed at collecting data about the company, from which the legal requirements can be assessed, and about what the company is actually doing, from which the needs for change (if any) can be derived. The program will create the necessary recommendation report, but it will of course do nothing to implement those recommendations! The responsibility to comply with the law still resides with the company.
The problem of the wide range in size of companies which come within the SME bracket still remains. Indeed some companies with a bigger turnover may have less need for IT than some smaller companies. Just where the boundary lies as to which companies can cope with the cheaper self-help system and which need to employ the specialist auditors will depend upon specific circumstances and availability of suitable internal resources. Based on previous experience, iSC has taken the stance that while the cost of an audit can be negotiated, the cost of downloading the self-help program from the Internet has to be a fixed charge, independent of company size.
Companies should visit the iSC Web site ( to get more general information, while responsible SMEs should visit No one should ignore these problems.
