Educause Security Discussion
mailing list archives
Re: Vendors, Data and Escrow (Oh my!)
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Mon, 24 Nov 2008 09:31:21 -0500
A very reasonable concern, Daniel. Can we assume all of these provisions are not built into the contract?
In addition to Service Level Agreements, your contracts should have provisions for "disentanglement" (how to get out of
it) and for the data and code and information to be escrowed to support it, as well as for business continuity reasons.
I have seen a large government contract get extended and over-funded because the agency literally did not have
requirements established to maintain access to all of this subject information when the contract expired. The agency
ended up in "mother may I?" negotiations with the vendor to facilitate transfer to a new contract winner.
James A. St.Clair, CISM, PMP
Global Public Sector
Grant Thornton LLP
E jim.stclair () gt com
From: The EDUCAUSE Security Constituent Group Listserv on behalf of Sarazen, Daniel
Sent: Mon 11/24/2008 9:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vendors, Data and Escrow (Oh my!)
I have a scenario and questions for you:
If you had a University department that outsourced its primary database management activity to a vendor with less than
5 years of operating history and fewer than 20 employees, would you feel comfortable? Would you be OK with your data and
the database being hosted on the vendor's servers? Would you still feel comfortable if the vendor outsourced the
maintenance of that server to a 3rd party?
We do have language in our contract that requires the vendor, upon termination, to provide all finished and unfinished
documents, data, studies, and reports prepared by the contractor. But there is nothing that requires that the code and
data be placed into escrow.
Do you have any thoughts, or initial concerns? My primary concern is that the vendor could go out of business before we
get the database and data. Is that a reasonable concern?
:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu