Voted Best Answer
Jan 25, 2016 - 10:08 AM
When a software vendor or, more typically, their Partners "invite" you or offer to "help" you with your licensing, you are right to get nervous.
I would recommend a delaying strategy rather than a rejection so you maintain control while you try to prepare. You will need time to find and prepare your strategies. It's not if there's a gap but how big.
Your first objective will be to control information flow, and a robust NDA preventing any release of information without your written permission should be put in place. This should also stretch to the data sources they are allowed to analyse.
On the Terms of Reference, this is where the negotiation starts. Have the scope as narrow as possible to avoid fishing expeditions. This is particularly important on large estates or where the auditor represents several vendors. If you can get a desktop-only review, go for it. Also try to narrow the geographic scope.
Partner Selection: you'll want to get 3rd-party help to analyse all of the information you are being asked to provide before it goes anywhere; this includes any email correspondence and even the agendas for meetings. I recommend looking for a company that has ex-auditors on their staff as well as technical analysts. If possible, try to avoid Microsoft Partners or your VAR, as they are inclined to be conservative and less inclined to push back on Microsoft.
On the data, you can negotiate for a self-assessment, where you just provide the ELP and, where available, the CIDC. If you are planning a big purchase, this is definitely a strategy to lead with. The next stop will be a request for SCCM or MAP files. You can also expect the partner to offer (insist) to install and run their tools free of charge. Avoid this if possible, as you lose control of the data and typically they dig much deeper than your SAM team have.
Even if you are an experienced SAM professional, don't try to take on an audit/review on your own.