Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Vendors, Data and Escrow (Oh my!)
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Mon, 24 Nov 2008 10:08:02 -0500

Hi James, and thanks for your response.

 

The only clause in the contract regarding the transfer of data (From the
vendor to the University) states:

 

Obligations in Event of Termination:

 

a.      Upon termination, all finished or unfinished documents, data,
studies, and reports prepared by the Contractor pursuant to this
Contract, shall become property of the University.
b.      The University shall promptly pay the Contractor for all
services performed to the effective data of termination, subject to
offset of sums due the Contractor against sums owed by the Contractor to
the University.

 

As far of getting out of the contract, we have a provision allowing
either party to terminate the contract with or without cause. Given the
economic climate, however, it seems reasonable to assume the vendor may
possible fail and not be able to provide the data/source code prior to
closing their doors. The data, in and of it's self, is not sensitive or
confidential, but a manual workaround in the event the database was lost
would be expensive and ineffective. 

 

Finally, your last paragraph provides an additional concern regarding
being able to assume operations even in the event that the data and code
were available.

 

Thanks Again,

 

 

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of St Clair, Jim
Sent: Monday, November 24, 2008 9:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vendors, Data and Escrow (Oh my!)

 

A very reasonable concern, Daniel. Can we assume all of these provisions
are not built into the contract?

 

In addition to Service Level Agreements, your contracts should have
provisions for "disentanglement" (how to get out of it) and the data and
code and information be escrowed to support it, as well as business
continuity reasons.

 

I have seen a large government contract get extended and over-funded
because the agency literally did not have requirements established to
maintain access to all of this subject information when the contract
expired. The agency ended up in "mother may I?" negotiations with the
vendor to facilitate transfer to a new contract winner.

 

 
 
James A. St.Clair, CISM, PMP
Senior Manager
Global Public Sector
Grant Thornton LLP
T 703-637-3078
F  703-637-4455
C  703-727-6332
E  jim.stclair () gt com

 


 

The people in the independent firms of Grant Thornton International Ltd
provide personalized attention and the highest quality service to public
and private clients in more than 100 countries. Grant Thornton LLP is
the U.S. member firm of Grant Thornton International Ltd, one of the six
global audit, tax and advisory organizations. Grant Thornton
International Ltd and its member firms are not a worldwide partnership,
as each member firm is a separate and distinct legal entity.

In the U.S., visit Grant Thornton LLP at www.GrantThornton.com
<http://www.grantthornton.com/> .

________________________________

 

From: The EDUCAUSE Security Constituent Group Listserv on behalf of
Sarazen, Daniel
Sent: Mon 11/24/2008 9:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Vendors, Data and Escrow (Oh my!)

Hi All,


I have a scenario and questions for you:

 

If you had a University department that outsourced its primary database
management activity to a vendor with less than 5 years of operating
history and few than 20 employees, would you feel comfortable? Would you
be OK with your data and the database being hosted on the vendor's
servers? Would you still feel comfortable if the vendor outsourced the
maintenance of that server to a 3rd party?

 

We do have language in our contract that requires the vendor, upon
termination, to provide all finished and unfinished documents, data,
studies, and reports prepared by the contractor. But there is nothing
that requires that the code and data be placed into escrow. 

 

Do you have any thoughts, or initial concerns? My primary concern is
that the vendor could go out of business before we get the database and
data. Is that a reasonable concern? 

 

Thanks,

 

 
<https://iemail.gtus.com/Exchange/Jim.StClair/Drafts/RE:%20Vendors,%20Da
ta%20and%20Escrow%20(Oh%20my!).EML/1_multipart/image001.gif> 

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443

:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu


University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
01545 : www.massachusetts.edu <http://www.massachusetts.edu/> 

 


In accordance with applicable professional regulations, please
understand that, unless expressly stated otherwise, any written advice
contained in, forwarded with, or attached to this e-mail is not intended
or written by Grant Thornton LLP to be used, and cannot be used, by any
person for the purpose of avoiding any penalties that may be imposed
under the Internal Revenue Code. 

________________________________

This e-mail is intended solely for the person or entity to which it is
addressed and may contain confidential and/or privileged information.
Any review, dissemination, copying, printing or other use of this e-mail
by persons or entities other than the addressee is prohibited. If you
have received this e-mail in error, please contact the sender
immediately and delete the material from any computer.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]