technology


Dangers of no software escrow arrangements


Given the financial difficulties facing many technology companies around the world, it is becoming increasingly important to consider mechanisms that provide protection for software users in the event a software licensor becomes insolvent, or is unable or unwilling to support its software, writes Dr Sam De Silva, partner and head of the IT and outsourcing group at Manches LLP


One such mechanism is requiring the source code for key software to be held in escrow.


Generally if a customer has a licence to use software, it may not be given the source code for the software. Source code is the human-readable programming statements for software that must be compiled before the software can be run on a computer.


Access to the source code is required for a customer to modify, maintain or enhance (or, in other words, support) any software. Most software licences allow the customer to use the object code (the source code compiled into machine readable code) of the software, but not the source code.


Since the code reveals exactly how the software works (being the essence of the software’s value), it is in the licensor’s best interests to keep it confidential. Restricting access to the code also protects the licensor’s ability to control who may support and maintain the software (for a fee, obviously).


The issue, and the reason for escrow, is that there are circumstances when a customer needs to have access to the source code. For example, if the licensor goes into liquidation, the customer will need to have access to the code so that it can take care of matters that would otherwise have been dealt with by the licensor, such as fixing bugs and making improvements.


A software escrow arrangement is where the licensor of a software product agrees to place the source code and certain materials relating to that software product with an independent third party (the “escrow agent”). The agent agrees to hold the source code and materials for the benefit of the licensor and will only release the code and materials to a licensee of that software product upon the occurrence of a release event.


Escrow agents therefore provide a service which enables the licensee to have comfort that, when an appropriate release event occurs, the source code and materials will be released to it without having to seek this release from the licensor (who may be unwilling or unable to agree to such release at that time). However, in most cases the escrow agreement will provide the licensor with an opportunity to dispute the release where the licensor believes a valid release event has not in fact occurred.


With an escrow agreement, the licensor’s concerns are addressed because, with a trusted agent, its valuable information/materials are safe. From a customer perspective, its concerns are also addressed in that it should be comfortable that it will have the information/materials released to it in appropriate circumstances.


The need for a software escrow agreement will need to be assessed on a case-by-case basis, but it will be particularly important if a customer is acquiring high-value or business-critical software which will be maintained by the licensor for a reasonably long period. Without an appropriate escrow arrangement in place, a customer may face major operational (and subsequent financial) issues if the licensor becomes unable or unwilling to support its software.


Details: Dr Sam De Silva 01865-813735 sam.desilva@manches.com


risk management


Establish information security credentials with ISO 27001


Is the security of your information important to your organisation as well as to your suppliers and stakeholders? If yes, then you should be benchmarking your approach to information security management against the International Standard ISO 27001, writes Lisa Dargan, business development director at Ultima Risk Management (URM).


ISO 27001 represents a collection of internationally recognised best practice processes to ensure the proper handling and safeguarding of information. Certification to the Standard can be achieved courtesy of an independent assessment by an accredited certification body (CB), such as British Standards Institution (BSI). In the past five years, the number of organisations certified to ISO 27001 has quadrupled, clearly demonstrating the importance of this Standard.


Benefits


ISO 27001 assists organisations in safeguarding the confidentiality, integrity and availability of written, spoken and computer information. Certifying to the Standard provides organisations with a competitive advantage, as it is increasingly being expected or mandated within tendered contracts, as well as instilling confidence and assurance with trading partners. A key requirement of ISO 27001 is the need to conduct an information risk assessment. This process is invaluable in identifying, prioritising and managing risks to key information and systems assets that may otherwise be overlooked. By adopting this Standard, organisations are taking a proactive step towards minimising the possibility of an information security breach and the resultant negative impact on their reputation and brand.


Certification process


Like many of the leading international standards, ISO 27001 follows the ‘Plan-Do-Check-Act’ continuous improvement model. The cornerstone of ISO 27001 is the ‘plan’ phase, where you are initially expected to identify what you are trying to protect (the in-scope information assets) and then conduct an assessment of the risks to these assets. This involves determining the likely impact and probability of key threats materialising. Having assessed the risks, organisations can then develop and prioritise their treatment of those risks (‘do’ phase). Once this is completed, the next phases (‘check’ and ‘act’) focus on activities such as auditing and management review to ensure that the selected information security controls are being implemented effectively and continually improved via the information security management system (ISMS). Once the ISMS is sufficiently mature, it can then be assessed for registration by a CB.


Like to Learn More?


URM is the UK’s leading ISO 27001 consultancy and training organisation with particular niche skills and tools in the area of risk management. The company regularly holds free seminars for organisations looking to understand more about the certification process.


Details:


info@ultimariskmanagement.com 0118-9027450


THE BUSINESS MAGAZINE – THAMES VALLEY – JULY/AUGUST 2013


www.businessmag.co.uk

