IT Examiner School eBook

Internal Use Only

Software Contract Agreements

• Management should establish clear expectations in the contract.
• Insist on the right to audit.
• Agree on notification requirements for security incidents or changes in any subcontracting relationships.
• Exit provisions, data ownership, and data conversion all need to be considered in the contract.
• Regulatory requirements clause.
• For mission-critical software, clauses that limit vendor liability are a dangerous practice.
• Before management signs the contracts, it should submit them for legal counsel review.


Software Escrow Agreements

• Proprietary programs, including those written in publicly available code, are copyrighted and distributed through various licensing agreements.
• Typically, an independent third party retains the source code as an escrow agent.
• Organizations with escrow agreements should ensure that the correct version is held and that documentation is included. This should be specified in the contract and verified periodically.
• Organizations that have escrow agreements should consider protecting their escrow rights by contractually.
• Access to source code is allowed under very limited, specific conditions, which must be specified in the agreement; for example:
  • Discontinued product support
  • Financial insolvency of vendor
