BS ISO IEC 19770-2-2015 Information technology Software asset management Software identification tag.pdf

Uploaded by: tireattitude366 Document ID: 396509 Upload date: 2018-10-18 Format: PDF Pages: 86 Size: 2MB

BSI Standards Publication

BS ISO/IEC 19770-2:2015

Information technology - Software asset management - Part 2: Software identification tag

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO/IEC 19770-2:2015. It supersedes BS ISO/IEC 19770-2:2009 which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2015. Published by BSI Standards Limited 2015

ISBN 978 0 580 87685 1

ICS 35.080

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 October 2015.

Amendments issued since publication

Date    Text affected

Information technology - Software asset management - Part 2: Software identification tag

Technologies de l'information - Gestion de biens de logiciel - Partie 2: Étiquette d'identification du logiciel

INTERNATIONAL STANDARD ISO/IEC 19770-2

Reference number ISO/IEC 19770-2:2015(E)

Second edition 2015-10-01

© ISO/IEC 2015

COPYRIGHT PROTECTED DOCUMENT

© ISO/IEC 2015, Published in Switzerland

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Ch. de Blandonnet 8, CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, and abbreviated terms
3.1 Terms and definitions
3.2 Abbreviated terms
4 Conformance
4.1 SWID tag conformance
4.2 Application conformance
4.3 Platform conformance
5 Interoperability guidance
5.1 Overview
5.2 SWID tag modification
5.3 SWID tag relationships
5.3.1 Overview
5.3.2 Pre-installation data attribute
5.3.3 SWID patch attribute
5.3.4 SWID supplemental attribute
6 Implementation of software identification tagging processes
6.1 General requirements and guidance
6.1.1 XML and XSD
6.1.2 SWID tags based on earlier revisions of this part of ISO/IEC 19770
6.1.3 SWID tag installation and removal
6.1.4 SWID data storage and transmission
6.1.5 Unique registration ID (regid)
6.1.6 Tag identifier
6.1.7 Unique software identification tag file name
6.1.8 Software identification tag discovery
6.1.9 Languages
6.1.10 Authenticity of software identification tags
6.1.11 File hash definitions
6.1.12 Use of standardized data types in XSD definition
6.1.13 Using Evidence or Payload
6.1.14 Redistributable software components
7 Platform requirements and guidance
8 Elements
8.1 General
8.2 Minimum SWID tag data values required
8.3 Recommended SWID tag data values
8.4 XML element and attribute names
8.5 Data values
8.5.1 SoftwareIdentity
8.5.2 Entity
8.5.3 Evidence
8.5.4 Link
8.5.5 Meta
8.5.6 Payload
8.6 Type and attribute definitions
8.6.1 Directory
8.6.2 File
8.6.3 FileSystemItem
8.6.4 Ownership
8.6.5 NMTOKEN and NMTOKENS
8.6.6 Process
8.6.7 Rel
8.6.8 Resource
8.6.9 ResourceCollection
8.6.10 Role
8.6.11 SoftwareMeta
8.6.12 Use
8.6.13 VersionScheme
Annex A (informative) XSD changes between revisions
Annex B (normative) XML schema definition (XSD)
Annex C (informative) UML structure of SWID tag schema
Annex D (informative) Sample tags
Bibliography

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.

This second edition cancels and replaces the first edition (ISO/IEC 19770-2:2009), which has been technically revised.

ISO/IEC 19770 consists of the following parts, under the general title Information technology - Software asset management:

- Part 1: Processes and tiered assessment of conformance
- Part 2: Software identification tag
- Part 5: Overview and vocabulary

The following parts are under preparation:

- Part 3: Software entitlement schema
- Part 4: Resource Utilization Measurement (RUM)
- Part 7: Tag management

The following part is planned:

- Part 22: Guidance for the use of ISO/IEC 19770-2 Software Identification Tag information in Cyber Security

Introduction

Overview

International Standards in the ISO/IEC 19770 family of standards for Information Technology (IT) asset management (ITAM) address both the processes and technology for managing software, hardware, and related IT assets. Because IT is an essential enabler for almost all activity in today's world, these standards must integrate tightly into all of IT. For example, software identification (SWID) tags have the capacity to assist in other management functions outside the scope of financial-focused or compliance-focused ITAM processes.

From a technology perspective, ITAM standards for information structures provide not only the data interoperability of software management data, but also provide the basis for many related benefits such as more effective security in the management of software. ITAM standards for information structures also facilitate significant automation of IT functionality, such as improved authentication of software and automated linking to identify vulnerability information for more automated exposure identification and mitigation.

Purpose of this part of ISO/IEC 19770

This part of ISO/IEC 19770 provides an International Standard for software identification tags. The software identification tag is a standardized data structure containing software identification information about a software product that supports new and automated management functions. Product information provided in the software identification tag structure will often be provided in an XML data file, but the same SWID tag product information may be accessible through other means depending on the computing device being managed.

SWID tags are created by a SWID tag producer, for example a software creator who develops and distributes software or a tool and/or service provider. SWID tag data is utilized by SWID tag consumers, for example a discovery tool or service that collects information from a computing device for a variety of purposes such as license compliance, software security, or logistics operations. Providing authoritative and detailed software identification information makes the management of software less expensive and provides support for significantly more automation for IT processes in the security, compliance, and logistics areas.

This part of ISO/IEC 19770 has been developed to facilitate automation of IT processes through the use of software identification tags and for applications which use those tags, for the purposes of security, compliance, and logistics automation. This part of ISO/IEC 19770 includes information which facilitates human intelligibility (such as edition and colloquial version name), but it is unrealistic to expect to create, manage, and use software identification tags without the use of automated capabilities built into specialist or generalist tools. The extent to which such capabilities are provided by specialist commercial products, open-source-type products, or platforms themselves, will depend on market developments over time.

This part of ISO/IEC 19770 supports software asset management processes as defined in ISO/IEC 19770-1. This part of ISO/IEC 19770 is also designed to work together with ISO/IEC 19770-3 which will provide an International Standard for software entitlement schema.

Software identification tags will benefit all stakeholders involved in the creation, licensing, distribution, releasing, installation, and on-going management of software. Key benefits associated with software identification tags include the following.

a) The ability to consistently and authoritatively identify software products that need to be managed for any purpose, such as for licensing, security, logistics, or for the specification of dependencies. Software identification tags provide the meta-data necessary to support more accurate identification than other software identification techniques.

b) The ability to identify groups or suites of software products in the same way as individual software products, enabling entire groups or suites of software products to be managed with the same flexibility as individual products.

c) The ability to automatically relate installed software with other information such as patch installations, configuration issues, or other vulnerabilities.

d) Facilitate interoperability of software information between different software creators, different software platforms, different IT management tools, and within software creator organizations, as well as between SWID tag producers and SWID tag consumers.

e) Facilitate automated approaches to license compliance, using information both from the software identification tag and from the software entitlement schema as specified in ISO/IEC 19770-3.

f) Provide a comprehensive information structure of the structural footprint of products, for example the list of software components of files and system settings associated with a product to identify if files have been modified.

g) Provide a comprehensive information structure that identifies different entities, including software creators, software licensors, packagers, distributors external to the software consumer, as well as various entities within the software consumer, associated with the installation and management of the product on an on-going basis.

h) Through the optional use of digital signatures by organizations creating software identification tags, the ability to validate that information is authoritative and has not been maliciously tampered with.

i) The opportunity for entities other than original software creators (e.g. independent providers or in-house personnel) to create software identification tags for legacy software, and for software from software creators who do not provide software identification tags themselves.

This part of ISO/IEC 19770 is divided into the following clauses and annexes:

- Clause 1 defines the scope;
- Clause 2 describes the normative references;
- Clause 3 describes the terms, definitions, and abbreviated terms used in this part of ISO/IEC 19770;
- Clause 4 defines conformance;
- Clause 5 provides interoperability guidance;
- Clause 6 describes the implementation of software identification tagging processes;
- Clause 7 contains platform implementation requirements and guidance;
- Clause 8 describes the elements of the tag;
- Annex A contains information on why the changes to the SWID tag schema are necessary;
- Annex B contains the XML schema document for the tag;
- Annex C provides a UML diagram of the SWID tag schema;
- Annex D provides sample tags.

Information technology - Software asset management - Part 2: Software identification tag

1 Scope

This part of ISO/IEC 19770 establishes specifications for tagging software to optimize its identification and management.

This part of ISO/IEC 19770 applies to the following.

a) Tag producers: these organizations and/or tools create software identification (SWID) tags for use by others in the market. A tag producer may be part of the software creator organization, the software licensor organization, or be a third-party organization. These organizations and/or tools can broadly be broken down into the following categories.

1) Platform providers: entities responsible for the computer or hardware device and/or associated operating system, virtual environment, or application platform, on which software may be installed or run. Platform providers which support this part of ISO/IEC 19770 may additionally provide tag management capabilities at the level of the platform or operating system.

2) Software providers: entities
