How Important Is Source Code Escrow

Author: Sunil Bakshi, CISA, CRISC, CISM, CGEIT, CDPSE, AMIIB, MCA
Date Published: 19 October 2022

Several years ago, I audited a software implementation at an organization. The purchase contract stated that the vendor should provide an escrow arrangement for the source code of the software application. When I asked the coordinator about the escrow arrangement, they replied that the vendor had provided the source code on removable media. When I tried to access the media, each source code file contained program code, but since there was no documentation, it was impossible to understand which function each piece of code served. I asked the auditee for the system documentation, which had not been included on the media. The auditee called the vendor representative and asked him about the system documentation, to which he replied, “It contains confidential information about the system and it is our intellectual property right (IPR) not to share it.” This prompted me to ask the vendor, “What would happen if you were not available for support in the future?”

Why would an organization need an escrow arrangement for the source code of an application developed by a third party? Once the application has been deployed and business functions have been automated, business requirements are likely to change over time, prompting changes in functions and processes and, therefore, in the application. If the original developer (a third party) is no longer available because it has gone out of business, the organization could face serious challenges. To handle such a situation, organizations should ask for the source code of the application, so that an in-house team or another vendor can maintain and modify the application as needed. However, where the vendor has concerns about safeguarding its IP, an escrow arrangement helps meet the requirements of both organizations.

The objective of source code escrow is to ensure continued availability of software support and maintenance. If the organization that developed the software is no longer in business and, thus, not available for support, another party can step in, giving the organization assurance that any necessary changes can still be carried out. However, to achieve this, both the source code and the system documentation must be available.

It should be noted that software escrow has additional costs (separate from regular licensing and implementation) that should be carefully balanced against its potential benefits. Therefore, if required, source code escrow should be included in the request for proposal (RFP) at the time of procuring the software application and addressed afterward in the contract agreement. If it was not mentioned in the procurement documents, contract signing should be delayed until both parties agree on the escrow arrangements.

The decision to pursue an escrow arrangement is based on the associated risk and can be made by the business process owner in consultation with the IT department, since IT serves as the custodian for data and applications. The associated risk should be identified, appropriately assessed and responded to based on that assessment. Software procured from a start-up enterprise carries higher risk than software procured from an established software developer such as IBM, Microsoft, Oracle or SAP. If escrow arrangements are required, appropriate governance processes should be in place for approving them. A significant challenge is keeping the source code and documents held in escrow up to date whenever changes are made to the original software. Organizations should receive alerts from the escrow agency whenever an updated deposit is made.

There are several additional considerations, including:

  • Any software procured from a third party should come with a guarantee that the original developers will be able to support any necessary changes and maintenance. Organizations should ensure that such support is available throughout the life cycle of the procured software.
  • Escrow for source code and system documentation may be considered part of the procurement process. The purchase contract should clearly state the conditions under which the IPR related to the software is transferred should the developer go out of business.
  • Escrow service providers should be carefully selected. After all, the escrow agent is itself a third party, and all processes related to third-party governance apply to the escrow agency, too.
  • Enterprises must ensure that the software developer deposits updated source code and documents with the escrow agent, and should request confirmation of each deposit.

Organizations should consider these aspects before deciding whether software escrow is required or whether it can be waived. If the enterprise has enough confidence in the level of support and maintenance available from the third party, escrow arrangements may be waived. However, if escrow is required, the organization should ensure that it comprehensively covers both system documentation and source code.

Sunil Bakshi, CISA, CRISC, CISM, CGEIT, ABCI, AMIIB, BS 25999 LI, CEH, CISSP, ISO 27001 LA, MCA, PMP, is a consultant and trainer in IT governance and information security.