Educause Security Discussion mailing list archives
Re: Vendors, Data and Escrow (Oh my!)
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Mon, 24 Nov 2008 10:08:02 -0500
Hi James, and thanks for your response. The only clause in the contract regarding the transfer of data (From the vendor to the University) states: Obligations in Event of Termination: a. Upon termination, all finished or unfinished documents, data, studies, and reports prepared by the Contractor pursuant to this Contract, shall become property of the University. b. The University shall promptly pay the Contractor for all services performed to the effective data of termination, subject to offset of sums due the Contractor against sums owed by the Contractor to the University. As far of getting out of the contract, we have a provision allowing either party to terminate the contract with or without cause. Given the economic climate, however, it seems reasonable to assume the vendor may possible fail and not be able to provide the data/source code prior to closing their doors. The data, in and of it's self, is not sensitive or confidential, but a manual workaround in the event the database was lost would be expensive and ineffective. Finally, your last paragraph provides an additional concern regarding being able to assume operations even in the event that the data and code were available. Thanks Again, :: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/> ________________________________ From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of St Clair, Jim Sent: Monday, November 24, 2008 9:31 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Vendors, Data and Escrow (Oh my!) A very reasonable concern, Daniel. Can we assume all of these provisions are not built into the contract? In addition to Service Level Agreements, your contracts should have provisions for "disentanglement" (how to get out of it) and the data and code and information be escrowed to support it, as well as business continuity reasons. I have seen a large government contract get extended and over-funded because the agency literally did not have requirements established to maintain access to all of this subject information when the contract expired. The agency ended up in "mother may I?" negotiations with the vendor to facilitate transfer to a new contract winner. James A. St.Clair, CISM, PMP Senior Manager Global Public Sector Grant Thornton LLP T 703-637-3078 F 703-637-4455 C 703-727-6332 E jim.stclair () gt com The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.GrantThornton.com <http://www.grantthornton.com/> . ________________________________ From: The EDUCAUSE Security Constituent Group Listserv on behalf of Sarazen, Daniel Sent: Mon 11/24/2008 9:29 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Vendors, Data and Escrow (Oh my!) Hi All, I have a scenario and questions for you: If you had a University department that outsourced its primary database management activity to a vendor with less than 5 years of operating history and few than 20 employees, would you feel comfortable? Would you be OK with your data and the database being hosted on the vendor's servers? Would you still feel comfortable if the vendor outsourced the maintenance of that server to a 3rd party? We do have language in our contract that requires the vendor, upon termination, to provide all finished and unfinished documents, data, studies, and reports prepared by the contractor. But there is nothing that requires that the code and data be placed into escrow. Do you have any thoughts, or initial concerns? My primary concern is that the vendor could go out of business before we get the database and data. Is that a reasonable concern? Thanks, <https://iemail.gtus.com/Exchange/Jim.StClair/Drafts/RE:%20Vendors,%20Da ta%20and%20Escrow%20(Oh%20my!).EML/1_multipart/image001.gif> :: Daniel Sarazen, Information Technology Auditor :: University Internal Audit :: University of Massachusetts President's Office :: 508-856-2443 :: 781-724-3377 Cell :: 508-856-8824 Fax :: Dsarazen () umassp edu University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu <http://www.massachusetts.edu/> In accordance with applicable professional regulations, please understand that, unless expressly stated otherwise, any written advice contained in, forwarded with, or attached to this e-mail is not intended or written by Grant Thornton LLP to be used, and cannot be used, by any person for the purpose of avoiding any penalties that may be imposed under the Internal Revenue Code. ________________________________ This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, dissemination, copying, printing or other use of this e-mail by persons or entities other than the addressee is prohibited. If you have received this e-mail in error, please contact the sender immediately and delete the material from any computer.
Current thread:
- Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- <Possible follow-ups>
- Re: Vendors, Data and Escrow (Oh my!) St Clair, Jim (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Gregory N Pendergast/AC/VCU (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Basgen, Brian (Nov 24)