IT Examiner School eBook May 2025

Internal Use Only

Software Contract Agreements

• Management should establish clear expectations in the contract, such as service level agreements (SLAs).
• Insist on the right to audit or obtain independent validation of the vendor's security controls.
• Address the use of subcontractors and the confidentiality and security of information they handle.
• Agree on notification requirements for security incidents and for changes in any subcontracting relationships.
• Consider exit provisions, data ownership, and data conversion in the contract.
• Include a regulatory requirements clause.
• For mission-critical software, clauses that limit vendor liability are a dangerous practice.
• Before management signs the contract, it should submit it for legal counsel review.


Software Escrow Agreements

• Proprietary programs, including those written in publicly available code, are copyrighted and distributed through various licensing agreements.
• Typically, an independent third party retains the source code as an escrow agent.
• Organizations with escrow agreements should ensure that the escrowed copy is the correct version and that documentation is included. This should be specified in the contract and verified periodically.
• Organizations that have escrow agreements should consider protecting their escrow rights contractually.
• Access to the source code is allowed only under very limited, specific conditions, which must be specified in the agreement; for example:
  • Discontinued product support
  • Financial insolvency of the vendor
