Volume 3, July 2012
Come join the discussion! Andrew Stekhoven will be responding to questions in the discussion area of
the COBIT 5—Use It Effectively topic beginning 23 July 2012.
Active Software Escrow’s Usefulness for Companies Embracing COBIT 5
By Andrew Stekhoven
IT governance is integral to the success of overall enterprise governance because it integrates and institutionalises optimal
ways of planning and organising, acquiring and implementing, delivering and supporting, and monitoring and evaluating the IT
function and its performance.
The latest edition of ISACA’s globally accepted framework, COBIT® 5, provides an end-to-end business view of governance
and management of enterprise IT (GEIT) that reflects the central role of information and technology in creating value for
enterprises. The principles, practices, analytical tools and models found in COBIT 5 embody thought leadership and guidance
from business, IT and governance experts around the world.
As in previous editions of COBIT®, COBIT 5 contains several references to software escrow. Software escrow (specifically,
active software escrow) has been described by Gartner as a smart and effective way for software licensees—that is, all
businesses and organisations utilising IT—to protect their mission-critical applications in an ever-changing environment.
‘[Software escrow] is an insurance policy to make sure you have access to that source code should that vendor no longer
maintain that software for your organization, so [it] gives you an alternative.’[1]
This article defines active escrow, highlights its benefits for user organisations as well as software developers, and explains
where and how active software escrow underpins COBIT 5 objectives using three examples.
Defining Active Software Escrow
IT systems and software products are never bug-free, complete or static in their development cycle. For there to be any form
of maintenance and/or development of the software (that is, business continuity in respect to the vital business process or
function that it supports), there has to be access to the source code of that mission-critical software.
Active software escrow is a legally binding agreement signed between the user of the IT system, the supplier of the IT system
and an independent escrow service provider to ensure that the software source code and technical documentation related to
the services provided are not only kept safe, but are also professionally verified and updated on a routine basis. If certain
conditions mentioned in the agreement come to pass, the escrow agent releases the source code and any other technology or
documentation mentioned in the agreement to the user company.
In an active software escrow agreement:
• The supplier deposits its intellectual property with the escrow agent (the neutral and independent trusted third party) for
the future, conditional benefit of the user company in the event of a trigger condition as defined in the escrow agreement
• The escrow agent verifies and holds the deposited material in escrow
• Under specific conditions as set out in the escrow agreement, the escrow agent is authorised to release the material to
the user company, specifically for the purposes of the user company’s business continuity
The Benefits of Active Software Escrow
For many medium-sized and large user companies, the business case for active software escrow is excellent, considering:
• The value of their business processes and revenue streams that are dependent upon the software platforms concerned
• The value of the investments they have made in, for example, the software product, the implementation project, training,
support and maintenance
• The magnitude of reputational, consequential and other damage in the event of business disruption due to mission-critical
IT system failure
For the larger software or IT system developer, active software escrow:
• Reinforces ownership rights in the source code, which typically are the most valuable asset, by providing the developer
company with documentation when securing a patent claim, significant assistance in an infringement suit and robust proof
to support an intellectual property copyright claim
• Mitigates the permanent loss of critical source code and related technical documentation, as having the most valued asset
in escrow with a neutral third party provides an alternative to disaster in the event of an emergency
• Reduces dependency on key employees who may hoard instead of share information
For the small and medium-sized enterprise (SME) or software developer, software escrow:
• Could open new markets by providing potential customers with security (smaller information and communications
technology [ICT] suppliers are often precluded from tendering for major projects despite their expertise and intellectual
property because the contracting organisation believes it is less risky to deal with large, established firms)
• Ensures business continuity should those with whom the intellectual property resides leave the company or are unable to
fulfil their work obligations because of illness or death
Active Software Escrow Can Support Effective Implementation of COBIT 5 Guidance
Current protocols such as COBIT and King III recognise that IT has become an integral part of doing business today—it is
fundamental to the support, sustainability and growth of organisations.
Developing an understanding of COBIT 5 and how it can be leveraged to lead IT organisations and mitigate IT-related risk is
an advantage that any chief information officer (CIO) can acquire. Doing so will establish credibility with external auditors, the
audit committee, shareholders and executive management. And, knowing where to utilise active software escrow can assist
the CIO in implementing COBIT 5 guidance effectively.
The following are three instances where active software escrow underpins COBIT 5.
Instance 1: APO10.04 Manage Supplier Risk
APO10.04 Manage supplier risk in the COBIT 5 process reference guide states that the organisation must ‘identify, monitor
and, where appropriate, manage risk relating to the supplier’s ability to deliver service efficiently, effectively, securely, reliably
and continually.’
Partnering with a professional active software escrow service provider can assist the organisation in meeting these
requirements. Based on industry best practice, it can:
• Define the contract to provide for potential service risk by clearly defining service requirements
• Consider alternative suppliers or standby agreements to mitigate possible supplier failure
• Address the security and protection of intellectual property (IP)
• Take into account any legal or regulatory requirements within the country in which the organisation and the supplier
company are trading
By ensuring that business-critical assets are held in escrow, the user company is protected in the event that a key supplier
cannot meet its contractual obligations. Upon failure, materials can be released to the user organisation safely, minimising
disruption, time and cost. Ultimately, escrow is a smart, simple way of managing risk and demonstrating holistic corporate
governance.
For example, Fedict, the Belgian Federal State Service for Information and Communication Technology, elected to utilise
active software escrow to secure, in all circumstances, the use of the software it utilises to deliver e-government services.
Fedict’s software applications, as well as those developed by Fedict for other federal government services, are ultimately
essential applications, the use of which must be guaranteed in all circumstances. Escrow service is just one of the measures
taken within a global framework to ensure continuity of these IT services.
In terms of the Fedict agreement, the escrow agent acts as a neutral, independent third party that, in certain circumstances,
would release the latest version of licensed software held in escrow to Fedict so that its continued use of the software is
guaranteed.
Currently, all software suppliers to the Belgian federal government are subject to this escrow arrangement—they cannot do
business with Fedict unless a complete set of source code, with the relevant technical documentation, has been lodged in
escrow nominating Fedict as the legally entitled escrow beneficiary.
In this way, Fedict is able to guarantee the continuity of its technology dependent services to its stakeholders: the taxpaying
public.
Instance 2: DSS04.07 Manage Backup Arrangements
DSS04.07 Manage backup arrangements in the COBIT 5 process reference guide requires the organisation to ensure the
availability of business-critical information, that is, that systems, applications, data and documentation maintained or
processed by third parties are adequately backed up or otherwise secured. COBIT 5 states: ‘Consider escrow or deposit arrangements.’
Once again, active software escrow is a simple solution for companies seeking to comply with COBIT 5, as opposed to
passive escrow or untested escrow deposits. The latter are often useless when called upon to deliver business continuity in
the face of the supplier’s inability to continue supporting its technology.
The passive approach to escrow or intellectual property custodianship involves passive custodians (such as banks, notaries
and legal firms) physically holding a copy of the software, source code and documentation, but these custodians do not
warrant that they are the correct or up-to-date versions.
With active software escrow, the escrow agent verifies the property held at least once a year to warrant that the deposit
contains what the supplier has committed to lodge. This provides proper reassurance that the material on deposit is up to date
and usable.
Research has highlighted that as many as nine out of 10 unverified source code deposits held in escrow are useless and,
therefore, unable to provide for a business’s continuity should its software partner no longer be in a position to continue
supporting the systems it has provided.[2]
For example, one professional escrow agent offers three levels of technical verification and reporting depending on how
mission-critical the client considers the business application to be:
1. Basic technical integrity test—Ensures that the deposited media are readable and contain those elements agreed upon
in the escrow agreement
2. Detailed technical integrity test—Includes level 1 plus an analysis of the user environment to ensure that deposited
media contain source code of the software used in the operational software environment
3. Full technical integrity test—Includes level 1 and 2 plus full compilation of software, including representative testing of
compiled object code in a comparable hardware environment, to fully ensure that the media contain every element
required within the operational environment
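The three verification levels above, as an added example that is not part of the original article and not any escrow agent’s tooling: a small Python deposit check that implements level 1 (media readable, every element named in the agreement present), level 2 (deposit matches what is actually running, by comparing file hashes against those the licensee recorded from its production build) and level 3 (everything builds). Assumptions: the agreement schedule and the production hashes are represented as inline Python structures, the sample deposits are constructed in a temporary directory, and byte-compiling the Python sources stands in for the product’s real build and test run.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so a large deposit is not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def level1_basic_integrity(deposit: Path, required: list) -> dict:
    """Level 1: the media are readable and every element the agreement
    schedule names is present."""
    missing, unreadable = [], []
    for rel in required:
        p = deposit / rel
        if not p.is_file():
            missing.append(rel)
            continue
        try:
            sha256_file(p)  # forces a full read; catches unreadable media
        except OSError:
            unreadable.append(rel)
    return {"missing": missing, "unreadable": unreadable,
            "passed": not missing and not unreadable}


def level2_matches_operational(deposit: Path, operational: dict) -> dict:
    """Level 2: the deposit is the source of what actually runs. `operational`
    maps each file to the SHA-256 the licensee recorded from its production
    build, so an old-but-valid deposit is flagged as stale."""
    stale = {}
    for rel, expected in operational.items():
        p = deposit / rel
        actual = sha256_file(p) if p.is_file() else None
        if actual != expected:
            stale[rel] = {"expected": expected, "deposited": actual}
    return {"stale": stale, "passed": not stale}


def level3_full_build(deposit: Path) -> dict:
    """Level 3: build everything. Compiling each Python source to bytecode
    stands in for the product's real build and representative test run."""
    failures = {}
    for p in sorted(deposit.rglob("*.py")):
        try:
            compile(p.read_text(encoding="utf-8"), str(p), "exec")
        except (SyntaxError, UnicodeDecodeError) as exc:
            failures[str(p.relative_to(deposit))] = str(exc)
    return {"build_failures": failures, "passed": not failures}


def demo() -> dict:
    """Constructed sample: a two-file product with one current deposit and one
    stale deposit, checked at all three levels. Returns the reports."""
    required = ["src/app.py", "src/util.py", "docs/BUILD.md"]
    with tempfile.TemporaryDirectory() as tmp:
        fresh, stale = Path(tmp, "deposit_2012_07"), Path(tmp, "deposit_2011_01")
        for d in (fresh, stale):
            (d / "src").mkdir(parents=True)
            (d / "docs").mkdir()
            (d / "src" / "util.py").write_text("def vat(x):\n    return x * 0.14\n")
        # Current release, as deployed in production.
        (fresh / "src" / "app.py").write_text(
            "from util import vat\n\ndef total(x):\n    return round(x + vat(x), 2)\n")
        (fresh / "docs" / "BUILD.md").write_text("# Build: python -m compileall src\n")
        # Older release: compiles cleanly but lacks the rounding fix and the build notes.
        (stale / "src" / "app.py").write_text(
            "from util import vat\n\ndef total(x):\n    return x + vat(x)\n")
        # Hashes the licensee would record from its own production build (constructed
        # here from the current deposit so the sample is self-contained).
        operational = {rel: sha256_file(fresh / rel) for rel in required}
        return {
            name: {
                "level1": level1_basic_integrity(d, required),
                "level2": level2_matches_operational(d, operational),
                "level3": level3_full_build(d),
            }
            for name, d in (("fresh", fresh), ("stale", stale))
        }


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, {lvl: r["passed"] for lvl, r in report.items()})
```

The stale deposit passes level 3 (it builds) yet fails levels 1 and 2, which is the point of the article’s warning about passive escrow: a deposit that compiles is still useless if it is not the version in production.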
The following example highlights why COBIT 5’s insistence on verification is so important. A few years ago, the Lorenzo
patient record system at the heart of Britain’s £10 billion (US $25 billion) National Health Service IT upgrade was exposed as
vapourware. According to an article in The Australian, the Lorenzo system was initially scheduled for release in March 2004, but
there had been a series of delays and no British hospital trust was using the new software being developed by iSoft in Europe.
iSoft Australia was at the time supplying the same product for various state health projects, including Victoria’s Aus $323
million HealthSmart. There the latest delivery date was 2008, but a review found that date to be far too optimistic.
David More, an independent consultant and e-health blogger, wrote, ‘New South Wales Health should not rely on its passive
escrow arrangements with iSoft to protect the rollout of patient administration systems. There is no point holding obsolete
software code in escrow. All that does is provide a false sense of security.’[3]
Instance 3: APO10.02 Select Suppliers
APO10.02 Select suppliers in the COBIT 5 process reference guide requires the user company to select suppliers according
to a fair and formal practice to ensure a viable best fit based on specified requirements. Requirements should be optimised
with input from potential suppliers. In the specific case of software acquisition, the rights and obligations of all parties should
be included and enforced in the contract terms.
Active software escrow ensures the rights of all parties are enforced, as required by COBIT 5.
In one example, a South African fund manager (‘Manco’) with more than R200 billion in funds under management demonstrated
the value of active software escrow when aligning its risk strategies to COBIT. Manco selected SoftwareX as its preferred IT
system based on best features and total cost of ownership considerations. SoftwareX was also the IP of a small and
financially challenged company, which was in negotiations to sell.
Manco concluded its agreement and implemented SoftwareX. At the same time, its developer was acquired by the listed
company with which it had been negotiating. Within nine months, the listed entity decided to discontinue providing support and
maintenance of SoftwareX. Manco cried foul and insisted the listed entity was in breach of contract. The listed entity
disagreed.
Fortunately, Manco had insisted on an escrow agreement as part of the selection criteria process and exercised its right to
maintain and support SoftwareX solely for purposes of business continuity. The escrow service provider was, therefore,
required to release the source code and all supporting documents to Manco.
As a result of the escrow agreement, Manco satisfied its operational risk management and good governance imperatives,
achieved the return on investment it was looking for when it implemented SoftwareX, and was able to switch to a new system
on its own terms and within its own time frame.
Conclusion
Active software escrow can meet many of the concerns about business continuity addressed in COBIT 5, including:
• Disaster recovery—Permanent loss of critical information is not an option. Having the organisation’s most valued asset
in escrow with a neutral third party provides the organisation with an alternative to disaster in the event of an emergency.
The active escrow agent maintains a copy of the intellectual property stored off-site in a professional vaulting facility and
available for restoration.
• Reduced dependency on key employees—30-day escrow deposit cycles can ensure proper delivery according to
functional specification and agreed-upon deliverables (including documentation) when independent technical verification
is performed on each deposit as a matter of course.
• Quality deposits—Verification services provide assurance to an organisation’s clients that all source-code deposits meet
a superior technical standard.
• Verification—On request, most escrow agents can provide extended verification services. Compilation is included in the
analysis and testing of the deposit; it verifies that the deposit is readable, correct and complete in all respects. This testing
warrants that the escrow deposit will be useable if released.
Andrew Stekhoven
Is managing director of Escrow Europe (Pty) Ltd. During the last 25 years, he has been engaged in a broad cross-section of
executive roles within the ICT industry. Stekhoven has been a member of the Institute of Directors in South Africa (IoD) for 15
years. Since its inception in 2004, Stekhoven has established Escrow Europe as the leading active escrow company in South
Africa and is closely involved in the promotion of ICT good governance practices and the convergence of international
protocols, such as COBIT, with the local King recommendations for corporate governance. Escrow Europe has also been
featured by Microsoft Inc. as one of only seven internationally recognised escrow service providers for their CfMD (Certified
for Microsoft Dynamics) Partner Programme (the only one on the African continent) and is the only escrow service provider in
Africa to be ISO 9001:2008 certified.
Endnotes
[1] Bona, Alexa; Younker, Edward; ‘Management Update: How to Protect Yourself If Your Software Vendor Is Acquired,’ Gartner Inc. Research Products G00123815, 8 September 2004; and Disbrow, J.; Park, A.; ‘Be Aware of Contract Issues When Negotiating Software Escrows,’ Gartner Inc. Research Note G00125669, 7 February 2005; both as quoted in the Iron Mountain white paper Best Practices: Technology Escrow—Who’s Using It and Why?, http://www.ironmountain.com/resources/escrow/escrow.pdf
[2] Escrow Europe, Review of Verification: 2003. For a copy of the full report, contact Escrow Europe at [email protected].
[3] More, David; Australian Health Information Technology, http://aushealthit.blogspot.com/2006/08/isoft-problem-for-more-than-nhs.html; see also http://www.theage.com.au/technology/enterprise/last-rites-for-health-it-system-20110220-1b14j.html
COBIT Focus is published by ISACA. Opinions
expressed in COBIT Focus represent the views
of the authors. They may differ from policies and
official statements of ISACA and its committees,
and from opinions endorsed by authors,
employers or the editors of COBIT Focus.
COBIT Focus does not attest to the originality of
authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated
articles for noncommercial classroom use without
fee. For other copying, reprint or republication,
permission must be obtained in writing from the
association. Please contact Julia Fullerton at
[email protected].
Framework Committee
Steven A. Babb, CGEIT, CRISC, UK, chair
Charles Betz, USA
David Cau, ITIL, MSP, Prince2, France
Sushil Chatterji, CGEIT, Singapore
Frank Cindrich, CGEIT, CIPP, CIPP/G, USA
Jimmy Heschl, CISA, CISM, CGEIT, ITIL, Austria
Anthony P. Noble, CISA, USA
Andre Pitkowski, CGEIT, CRISC, OCTAVE, Brazil
Paras Shah, CISA, CGEIT, CRISC, CA, Australia
Editorial Content
Comments regarding the editorial content may be directed to
Jennifer Hajigeorgiou, senior editorial manager, at
[email protected].