Come join the discussion! Andrew Stekhoven will be responding to... topic beginning 23 July 2012. discussion area of

Volume 3, July 2012
Come join the discussion! Andrew Stekhoven will be responding to questions in the discussion area of
the COBIT 5—Use It Effectively topic beginning 23 July 2012.
Active Software Escrow’s Usefulness for Companies Embracing
By Andrew Stekhoven
IT governance is integral to the success of overall enterprise governance because it integrates and institutionalises optimal
ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating the IT
function and its performance.
The latest edition of ISACA’s globally accepted framework, COBIT 5, provides an end-to-end business view of governance
and management of enterprise IT (GEIT) that reflects the central role of information and technology in creating value for
enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance
from business, IT and governance experts around the world.
As in previous editions of COBIT , COBIT 5 contains several references to software escrow. Software escrow (specifically,
active software escrow) has been described by Gartner as a smart and effective way for software licensees—that is, all
businesses and organisations utilising IT—to protect their mission-critical applications in an ever-changing environment.
‘[Software escrow] is an insurance policy to make sure you have access to that source code should that vendor no longer
maintain that software for your organization, so [it] gives you an alternative.’
This article defines active escrow, highlights its benefits for user organisations as well as software developers, and explains
where and how active software escrow underpins COBIT 5 objectives using three examples.
Defining Active Software Escrow
IT systems and software products are never bug-free, complete or static in their development cycle. For there to be any form
of maintenance and/or development of the software (that is, business continuity in respect to the vital business process or
function that it supports), there has to be access to the source code of that mission-critical software.
Active software escrow is a legally binding agreement signed between the user of the IT system, the supplier of the IT system
and an independent escrow service provider to ensure that the software source code and technical documentation related to
the services provided are not only kept safe, but are also professionally verified and updated on a routine basis. If certain
conditions mentioned in the agreement come to pass, the escrow agent releases the source code and any other technology or
documentation mentioned in the agreement to the user company.
In an active software escrow agreement:
• The supplier deposits its intellectual property with the escrow agent (the neutral and independent trusted third party) for
the future, conditional benefit of the user company in the event of a trigger condition as defined in the escrow agreement
• The escrow agent verifies and holds the deposited material in escrow
• Under specific conditions as set out in the escrow agreement, the escrow agent is authorised to release the material to
the user company, specifically for the purposes of the user company’s business continuity
The Benefits of Active Software Escrow
For many medium-sized and large user companies, the business case for active software escrow is excellent, considering:
The value of their business processes and revenue streams that are dependent upon the software platforms concerned
The value of the investments they have made in, for example, the software product, the implementation project, training,
support and maintenance
The magnitude of reputational, consequential and other damage in the event of business disruption due to mission-critical
IT system failure
For the larger software or IT system developer, active software escrow:
• Reinforces ownership rights in the source code, which typically are the most valuable asset, by providing the developer
company with documentation when securing a patent claim, significant assistance in an infringement suit and robust proof
to support an intellectual property copyright claim
• Mitigates the permanent loss of critical source code and related technical documentation, as having the most valued asset
in escrow with a neutral third party provides an alternative to disaster in the event of an emergency
• Reduces dependency on key employees who may hoard instead of share information
For the small and medium-sized enterprise (SME) or software developer, software escrow:
• Could open new markets by providing potential customers with security (smaller information and communications
technology [ICT] suppliers are often precluded from tendering for major projects despite their expertise and intellectual
property because the contracting organisation believes it is less risky to deal with large, established firms)
• Ensures business continuity should those with whom the intellectual property resides leave the company or are unable to
fulfil their work obligations because of illness or death
Active Software Escrow Can Support Effective Implementation of COBIT 5 Guidance
Current protocols such as COBIT and King III recognise that IT has become an integral part of doing business today—it is
fundamental to the support, sustainability and growth of organisations.
Developing an understanding of COBIT 5 and how it can be leveraged to lead IT organisations and mitigate IT-related risk is
an advantage that any chief information officer (CIO) can acquire. Doing so will establish credibility with external auditors, the
audit committee, shareholders and executive management. And, knowing where to utilise active software escrow can assist
the CIO in implementing COBIT 5 guidance effectively.
The following are three instances where active software escrow underpins COBIT 5.
Instance 1: APO10.04 Manage Supplier Risk
APO10.04 Manage supplier risk in the COBIT 5 process reference guide states that the organisation must ‘identify, monitor
and, where appropriate, manage risk relating to the supplier’s ability to deliver service efficiently, effectively, securely, reliably
and continually.’
Partnering with a professional active software escrow service provider can assist the organisation in meeting these
requirements. Based on industry best practice, it can:
• Define the contract to provide for potential service risk by clearly defining service requirements
• Consider alternative suppliers or standby agreements to mitigate possible supplier failure
• Address the security and protection of intellectual property (IP)
• Take into account any legal or regulatory requirements within the country in which the organisation and the supplier
company are trading
By ensuring that business-critical assets are held in escrow, the user company is protected in the event that a key supplier
cannot meet its contractual obligations. Upon failure, materials can be released to the user organisation safely, minimising
disruption, time and cost. Ultimately, escrow is a smart, simple way of managing risk and demonstrating holistic corporate
For example, Fedict, the Belgian Federal State Service for Information and Communication Technology, elected to utilise
active software escrow to secure, in all circumstances, the use of the software it utilises to deliver e-government services.
Fedict’s software applications, as well as those developed by Fedict for other federal government services, are ultimately
essential applications, the use of which must be guaranteed in all circumstances. Escrow service is just one of the measures
taken within a global framework to ensure continuity of these IT services.
In terms of the Fedict agreement, the escrow agent acts as a neutral, independent third party that, in certain circumstances,
Volume 3, July 2012
Page 2
would release the latest version of licensed software held in escrow to Fedict so that its continued use of the software is
Currently, all software suppliers to the Belgian federal government are subject to this escrow arrangement—they cannot do
business with Fedict unless a complete set of source code, with the relevant technical documentation, has been lodged in
escrow nominating Fedict as the legally entitled escrow beneficiary.
In this way, Fedict is able to guarantee the continuity of its technology dependent services to its stakeholders: the taxpaying
Instance 2: DSS04.07 Manage Backup Arrangements
DSS04.07 Manage backup arrangements in the COBIT 5 process reference guide requires that the organisation to ensure
availability of business-critical information—that systems, applications, data and documentation maintained or processed by
third parties are adequately backed up or otherwise secured. COBIT 5 states: ‘Consider escrow or deposit arrangements.’
Once again, active software escrow is a simple solution for companies seeking to comply with COBIT 5, as opposed to
passive escrow or untested escrow deposits. The latter are often useless when called upon to deliver business continuity in
the face of the supplier’s inability to continue supporting its technology.
The passive approach to escrow or intellectual property custodianship involves passive custodians (such as banks, notaries
and legal firms) physically holding a copy of the software, source code and documentation, but these custodians do not
warrant that they are the correct or up-to-date versions.
With active software escrow, the escrow agent verifies the property held at least once a year to warrant that the deposit
contains what the supplier has committed to lodge. This provides proper reassurance that the material on deposit is up to date
and usable.
Research has highlighted that as many as nine out of 10 unverified source code deposits held in escrow are useless and,
therefore, unable to provide for a business’s continuity should its software partner no longer be in a position to continue
supporting the systems it has provided.
For example, one professional escrow agent offers three levels of technical verification and reporting depending on how
mission-critical the client considers the business application to be:
1. Basic technical integrity test—Ensures that the deposited media are readable and contain those elements agreed upon
in the escrow agreement
2. Detailed technical integrity test—Includes level 1 plus an analysis of the user environment to ensure that deposited
media contain source code of the software used in the operational software environment
3. Full technical integrity test—Includes level 1 and 2 plus full compilation of software, including representative testing of
compiled object code in a comparable hardware environment, to fully ensure that the media contain every element
required within the operational environment
The following example highlights why COBIT 5’s insistence on verification is so important. A few years ago, the Lorenzo
patient record system at the heart of Britain’s £10 billion (US $25 billion) National Health Service IT upgrade was exposed as
foilware. According to an article in The Australian, the Lorenzo system was initially scheduled for release in March 2004, but
there had been a series of delays and no British hospital trust was using the new software being developed by iSoft in Europe.
iSoft Australia was at the time supplying the same product for various state health projects, including Victoria’s Aus $323
million HealthSmart. There the latest delivery date was 2008, but a review found the date to be far too optimistic.
David More, an independent consultant and e-health blogger, wrote, ‘New South Wales Health should not rely on its passive
escrow arrangements with iSoft to protect the rollout of patient administration systems. There is no point holding obsolete
software code in escrow. All that does is provide a false sense of security.’
Instance 3: APO10.02 Select Suppliers
APO10.02 Select suppliers in the COBIT 5 process reference guide requires the user company to select suppliers according
to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised
with input from potential suppliers. In the specific case of software acquisition, the rights and obligations of all parties should
be included and enforced in the contract terms.
Volume 3, July 2012
Page 3
Active software escrow ensures the rights of all parties are enforced, as required by COBIT 5.
In one example, a South African fund manager (‘Manco’) with more than R200 billion funds under management demonstrated
the value of active software escrow when aligning its risk strategies to COBIT. Manco selected SoftwareX as its preferred IT
system based on best features and total cost of ownership considerations. SoftwareX was also the IP of a small and
financially challenged company, which was in negotiations to sell.
Manco concluded its agreement and implemented SoftwareX. At the same time, its developer was acquired by the listed
company with which it had been negotiating. Within nine months, the listed entity decided to discontinue providing support and
maintenance of SoftwareX. Manco cried foul and insisted the listed entity was in breach of contract. The listed entity
Fortunately, Manco had insisted on an escrow agreement as part of the selection criteria process and exercised its right to
maintain and support SoftwareX solely for purposes of business continuity. The escrow service provider was, therefore,
required to release the source code and all supporting documents to Manco.
As a result of the escrow agreement, Manco satisfied its operational risk management and good governance imperatives,
achieved the return on investment it was looking for when it implemented SoftwareX, and was able to switch to a new system
on its own terms and within its own time frame.
Active software escrow can meet many of the concerns about business continuity addressed in COBIT 5, including:
• Disaster recovery—Permanent loss of critical information is not an option. Having the organisation’s most valued asset
in escrow with a neutral third party provides the organisation with an alternative to disaster in the event of an emergency.
The active escrow agent maintains a copy of the intellectual property stored off-site in a professional vaulting facility and
available for restoration.
• Reduced dependency on key employees—30-day escrow deposit cycles can ensure proper delivery according to
functional specification and agreed-upon deliverables (including documentation) when independent technical verification
is performed on each deposit as a matter of course.
• Quality deposits—Verification services provide assurance to an organisation’s clients that all source-code deposits meet
a superior technical standard.
• Verification—On request, most escrow agents can provide extended verification services. Compilation is included in the
analysis and testing of the deposit; it verifies that the deposit is readable, correct and complete in all respects. This testing
warrants that the escrow deposit will be useable if released.
Andrew Stekhoven
Is managing director of Escrow Europe (Pty) Ltd. During the last 25 years, he has been engaged in a broad cross-section of
executive roles within the ICT industry. Stekhoven has been a member of the Institute of Directors in South Africa (IoD) for 15
years. Since its inception in 2004, Stekhoven has established Escrow Europe as the leading active escrow company in South
Africa and is closely involved in the promotion of ICT good governance practices and the convergence of international
protocols, such as COBIT, with the local King recommendations for corporate governance. Escrow Europe has also been
featured by Microsoft Inc. as one of only seven internationally recognised escrow service providers for their CfMD (Certified
for Microsoft Dynamics) Partner Programme (the only one on the African continent) and is the only escrow service provider in
Africa to be ISO 9001:2008 certified.
Bona, Alexa and Younker, Edward, ‘Management Update: How to Protect Yourself If Your Software Vendor is Acquired,’ Gartner Inc. Research Products
G00123815, September 8, 2004. And Disbrow, J. and Park, A., ‘Be Aware of Contract Issues When Negotiating Software Escrows,’ Gartner Inc. Research
Note G00125669, February 7, 2005 as part of Iron Mountain white paper, Best Practices: Technology Escrow—Who’s Using It and Why?,
Escrow Europe, Review of Verification: 2003. For a copy of the full report, contact Escrow Europe on [email protected].
More, David; Australian Health Information Technology,,
Volume 3, July 2012
Page 4
COBIT Focus is published by ISACA. Opinions
expressed in COBIT Focus represent the views
of the authors. They may differ from policies and
official statements of ISACA and its committees,
and from opinions endorsed by authors,
employers or the editors of COBIT Focus.
COBIT Focus does not attest to the originality of
authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated
articles for noncommercial classroom use without
fee. For other copying, reprint or republication,
permission must be obtained in writing from the
association. Please contact Julia Fullerton at
[email protected].
Framework Committee
Steven A. Babb, CGEIT, CRISC, UK, chair
Charles Betz, USA
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Anthony P. Noble, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia
Editorial Content
Comments regarding the editorial content may be directed to
Jennifer Hajigeorgiou, senior editorial manager, at
[email protected].
©2012 ISACA. All rights reserved.
Volume 3, July 2012
Page 5