InfoSec Staff's Role in Vendor AuditsProtecting Employee Privacy, Corporate Secrets
Many licensing contracts spell out that vendors can audit their customers' IT systems to assure that end users aren't violating terms of the agreements.
Audits requested by vendors could reveal information that the customer might want to keep secret, she points out. "Sometimes the data is not controlled and managed in a way that, perhaps, security would like," Barber says in an interview with Information Security Media Group conducted at the Gartner Security and Risk Management Summit.
She says audits could expose sensitive information about employees, customers and stakeholders, as well as business processes that organizations want to keep secret. "From a security perspective, that data really needs to be looked after," Barber says.
In the interview, Barber discusses:
- Gartner's recently published research report she co-authored: Eliminate Ethical Ambiguity of Software License Compliance by Enforcing Your Corporate Code of Conduct.
- How rapidly changing technologies could result in vendors and users interpreting terms of a contract differently. "There's a lot of fluffy terminology; at times you'll find that end users and vendors have different opinions on what that terminology means, and it's very difficult to pin it down."
- How differentiating between physical and virtual servers can complicate licensing agreements. For instance, she says, a customer might create six virtual servers on one physical server and expect to pay only one server fee, whereas the vendor would like to collect a fee on each virtual server. "Ethically," Barber asks, "should you be paying for those half-a-dozen virtual servers?"
As research director with Gartner's IT sourcing, procurement and asset management group, Barber specializes in software asset management and software audits. Before joining Gartner five years ago, Barber set up and managed the software asset management function at Centrica, a British multinational utility company.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.