Educause Security Discussion mailing list archives

Re: Vendors, Data and Escrow (Oh my!)

From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Mon, 24 Nov 2008 12:42:00 -0700

Hi Daniel,

 Sounds like great material for a risk assessment. :) How valuable is the information in the database? How vulnerable 
is the vendor (financially, etc)?

 Without getting into details, we had an instance where valuable data was held by a small vendor. An inspection of the 
vendor's site revealed what we had expected: the vendor did not have facilities consummate with the value of our data. 
When we framed the facts in these concrete terms, the only real question was how quickly a new vendor could be 
selected. :)

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sarazen, 
Daniel
Sent: Monday, November 24, 2008 7:29 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendors, Data and Escrow (Oh my!)

Hi All,

I have a scenario and questions for you:

If you had a University department that outsourced its primary database management activity to a vendor with less than 
5 years of operating history and few than 20 employees, would you feel comfortable? Would you be OK with your data and 
the database being hosted on the vendor's servers? Would you still feel comfortable if the vendor outsourced the 
maintenance of that server to a 3rd party?

We do have language in our contract that requires the vendor, upon termination, to provide all finished and unfinished 
documents, data, studies, and reports prepared by the contractor. But there is nothing that requires that the code and 
data be placed into escrow.

Do you have any thoughts, or initial concerns? My primary concern is that the vendor could go out of business before we 
get the database and data. Is that a reasonable concern?

Thanks,

[cid:image001.gif@01C94E31.B4161580]

:: Daniel Sarazen, Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office

:: 508-856-2443
:: 781-724-3377 Cell
:: 508-856-8824 Fax
:: Dsarazen () umassp edu<mailto:Dsarazen () umassp edu>

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : 
www.massachusetts.edu<http://www.massachusetts.edu/>

Current thread:

Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- <Possible follow-ups>
- Re: Vendors, Data and Escrow (Oh my!) St Clair, Jim (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Gregory N Pendergast/AC/VCU (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Sarazen, Daniel (Nov 24)
- Re: Vendors, Data and Escrow (Oh my!) Basgen, Brian (Nov 24)