Educause Security Discussion mailing list archives
Re: Vendors, Data and Escrow (Oh my!)
From: Gregory N Pendergast/AC/VCU <gnpendergast () VCU EDU>
Date: Mon, 24 Nov 2008 09:54:05 -0500
Daniel,

I don't have much experience with such issues. But personally, I would be concerned about any occasion where your data leaves your own network (yes, there are likely many such instances). I don't know how much authority you have in the matter, but I would personally look to rearrange the scenario so that the data is hosted on your own servers, which you maintain. I would look to provide the vendor access to those servers for the purposes of developing the database/application/etc.

If that's not feasible, I'd make sure there's language in there detailing what security responsibilities the vendor has regarding your data, as well as any language you want to add regarding escrowing your data to ensure that you can get it back in the event of a company failure, etc.

As I said, I don't have much experience with this area, but I would certainly be uncomfortable with the scenario you've described.

Another thing I would be concerned about is whether the contract makes it clear that UMass owns the data, the database and any other deliverables the company has been contracted to provide.

Having said all of that, your email gives me the impression that the contract is already in place. If that's the case, you probably still have significant leverage, because of your size, to force a renegotiation. A company that small is probably not going to want to risk losing your business.

HTH

Gregory Pendergast
Information Security Analyst
Virginia Commonwealth University
804.828.3110

From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Sent by: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: 11/24/2008 09:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendors, Data and Escrow (Oh my!)
Hi All,

I have a scenario and questions for you:

If you had a University department that outsourced its primary database management activity to a vendor with less than 5 years of operating history and fewer than 20 employees, would you feel comfortable? Would you be OK with your data and the database being hosted on the vendor's servers? Would you still feel comfortable if the vendor outsourced the maintenance of that server to a 3rd party?

We do have language in our contract that requires the vendor, upon termination, to provide all finished and unfinished documents, data, studies, and reports prepared by the contractor. But there is nothing that requires that the code and data be placed into escrow.

Do you have any thoughts, or initial concerns? My primary concern is that the vendor could go out of business before we get the database and data. Is that a reasonable concern?

Thanks,

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu
University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu
Current thread:
- Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- <Possible follow-ups>
- Re: Vendors, Data and Escrow (Oh my!) St Clair, Jim (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Gregory N Pendergast/AC/VCU (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Basgen, Brian (Nov 24)