
Educause Security Discussion mailing list archives

Re: Vendors, Data and Escrow (Oh my!)
From: "St Clair, Jim" <Jim.StClair () GT COM>
Date: Mon, 24 Nov 2008 09:31:21 -0500

A very reasonable concern, Daniel. Can we assume all of these provisions are not built into the contract?
In addition to Service Level Agreements, your contracts should have provisions for "disentanglement" (how to get out of 
it) and for the data, code and information to be escrowed to support it, as well as for business continuity reasons.
I have seen a large government contract get extended and over-funded because the agency literally did not have 
requirements established to maintain access to all of this subject information when the contract expired. The agency 
ended up in "mother may I?" negotiations with the vendor to facilitate transfer to a new contract winner.
James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T  703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com


From: The EDUCAUSE Security Constituent Group Listserv on behalf of Sarazen, Daniel
Sent: Mon 11/24/2008 9:29 AM
Subject: Vendors, Data and Escrow (Oh my!)

Hi All,

I have a scenario and questions for you:


If you had a University department that outsourced its primary database management activity to a vendor with less than 
5 years of operating history and fewer than 20 employees, would you feel comfortable? Would you be OK with your data and 
the database being hosted on the vendor's servers? Would you still feel comfortable if the vendor outsourced the 
maintenance of that server to a 3rd party?


We do have language in our contract that requires the vendor, upon termination, to provide all finished and unfinished 
documents, data, studies, and reports prepared by the contractor. But there is nothing that requires that the code and 
data be placed into escrow. 


Do you have any thoughts, or initial concerns? My primary concern is that the vendor could go out of business before we 
get the database and data. Is that a reasonable concern? 





:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu 


