Re: Vendors, Data and Escrow (Oh my!)

[Gregory N Pendergast/AC/VCU <gnpendergast () VCU EDU>]

Daniel,

I don't have much experience with such issues. But personally, I would be 
concerned about any occasion where your data leaves your own network (yes, 
there are likely many such instances).  I don't know how much authority 
you have in the matter, but I would personally look to rearrange the 
scenario so that the data is hosted on your own servers, which you 
maintain. I would look to provide the vendor access to those servers for 
the purposes of developing the database/application/etc. 

If that's not feasible, I'd make sure there's language in there detailing 
what security responsibilities the vendor has regarding your data, as well 
as any language you want to add regarding escrowing your data to ensure 
that you can get it back in the event of a company failure, etc. As I 
said, I don't have much experience with this area, but I would certainly 
be uncomfortable with the scenario you've described.

Another thing I would be concerned about is whether the contract makes it 
clear that UMass owns the data, the database and any other deliverables 
the company has been contracted to provide. 

Having said all of that, your email gives me the impression that the 
contract is already in place. If that's the case, you probably still have 
significant leverage, because of your size, to force a renegotiation. A 
company that small is probably not going to want to risk losing your 
business.

HTH

Gregory Pendergast
Information Security Analyst
Virginia Commonwealth University
804.828.3110





"Sarazen, Daniel" <dsarazen () UMASSP EDU> 
Sent by: The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>
11/24/2008 09:30 AM
Please respond to
The EDUCAUSE Security Constituent Group Listserv 
<SECURITY () LISTSERV EDUCAUSE EDU>


To
SECURITY () LISTSERV EDUCAUSE EDU
cc

Subject
[SECURITY] Vendors, Data and Escrow (Oh my!)






Hi All,

I have a scenario and questions for you:
 
If you had a University department that outsourced its primary database 
management activity to a vendor with less than 5 years of operating 
history and few than 20 employees, would you feel comfortable? Would you 
be OK with your data and the database being hosted on the vendor’s 
servers? Would you still feel comfortable if the vendor outsourced the 
maintenance of that server to a 3rd party?
 
We do have language in our contract that requires the vendor, upon 
termination, to provide all finished and unfinished documents, data, 
studies, and reports prepared by the contractor. But there is nothing that 
requires that the code and data be placed into escrow. 
 
Do you have any thoughts, or initial concerns? My primary concern is that 
the vendor could go out of business before we get the database and data. 
Is that a reasonable concern? 
 
Thanks,
 


:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 
01545 : www.massachusetts.edu