The Corporate Information Security Policy and these Standards are intended to address the proprietary nature and use of software that is purchased, leased, licensed, or developed by True Value.

The reproduction of computer software without required authorization violates copyright laws in many countries, including the U.S. In the U.S., unauthorized software reproduction is a federal offense, and exposes both individuals and the Corporation to criminal penalties including fines and imprisonment. Software Vendors conduct compliance audits and can charge $100,000 per violation.

The term "software" as used in this Policy and Standards refers to all computer programs, user manuals, training manuals, data, and related material, which have been purchased, leased, licensed, or developed by or for True Value.

Only software purchased, developed, or licensed by True Value and approved by the location's Information Technology Management may be installed on Corporate computing resources.

All employees are required to comply with software copyright laws and licensing agreements. Unauthorized duplication of licensed software and documentation is strictly prohibited.

All software developed by employees or contractors on behalf of True Value is corporate property and protected by copyright law from unauthorized use and duplication.

Purchase only Information Technology Management approved standard hardware and software through Information Services Purchasing at World Headquarters to ensure it is supportable. This will minimize technical support response time.

All employees should be trained on software products prior to using them.

All third party software installed on True Value computers must be properly licensed, such as with a corporate site license, server-based license, individual workstation license, or negotiated contract. All software must be purchased through Information Services Purchasing at World Headquarters.

A sufficient number of copies or seats of software must be purchased to ensure that it is used within the terms of the relevant licensing agreement.

For the majority of commercially available software packages, a customer purchases a license to use the software rather than purchasing the software itself, in many cases the media on which the software is shipped and the software documentation (e.g., user manuals) are sold as items separate from the software license. Although there can be no global definitive statement on what constitutes proof of license, the following are likely to be acceptable in most circumstances:

• A software license certificate issued by the software author.
• A contract schedule outlining authorized software usage signed by the software author or authorized supplier.
• A signed software license agreement.
• A purchase invoice from an authorized software supplier containing details of valid software version numbers.
• A formal statement of authorized use of software purchased centrally by True Value Information Services for use throughout the Corporation.
• In most cases, lawful appropriation of the media (e.g., CD) on which the software was delivered is proof of authorization to use a single copy of the software.

While locations may have more than one of these documents related to a single license (e.g., certificate and purchase invoice), this may not allow the location to use this as authorization to use more than one copy of the software.

In some cases, usually for older software, ownership of the user manuals is sufficient proof of license. This approach is less common today than in the past and should not be relied upon.

Much software is purchased at favorable prices by way of version upgrades or competitive upgrades from products supplied by other software houses. Often in these cases the supplier of the new software does not ask to receive the old licenses and, therefore, a location may have proof of licenses for both the old and new software. In these cases locations must not continue to use the old software once having installed the new software.

The reproduction of copyrighted software is prohibited unless authorized within the terms of the licensing agreement.

Demo software obtained on a trial basis must be removed after evaluation unless properly licensed.

Department specific software and files must be removed from microcomputers that are transferred to another department.

Personally owned software shall not be installed on True Value-owned computers or equipment unless a business justification is documented and approved by local management, Information Services Purchasing, and PC Services at World Headquarters.

Games may not be stored or used on True Value computers, except for those that are included with software licenses by True Value.

Public domain software, freeware, or shareware is not to be downloaded to True Value’s computers from external networks, bulletin boards, or other sources.

On a yearly basis, locations must perform a software self-audit to determine the software loaded on True Value’s computers. This audit must include networked and stand alone machines.

Networked PCs should be scanned at least weekly for changes. Data from stand alone machines must be sent to Information Services Purchasing at World Headquarters at least yearly for inclusion in the inventory database. File servers and application servers should be scanned automatically. All new machines must be scanned before deployment.

Locations must maintain a current, accurate inventory of all license information, as described above, and make it available for internal or external audit inspections.

Locations must maintain accurate records of the licensed status of all their installed software and update the Information Services Help Desk on at least a quarterly basis. Locations must be able to provide evidence of compliance to Corporate Information Services and/or Internal Audit upon request.

The source code for critical business systems must be acquired from vendors or placed in escrow, where possible.

Location IT managers are responsible for:

• Pursuing non-compliance actions against any individual within the department who refuses to comply with this Policy
• Approval of all new hardware and software purchases
• Providing necessary training to employees on software products
• Ensuring compliance with software license agreements by verifying that:
• All copies of software used at the location can be related to a software license
• Software is not accessed by more individuals than the software license permits
• Removing software that is not in compliance with these Policies and Standards.

Location PC users are responsible for:

• Reporting instances of illegal use of software or documentation copyright infringement to department management.
• Users must comply with the policy and standards outlined.