A new booklet, available in PDF format from The South African Institute of Directors (IoD) or via email from firstname.lastname@example.org, highlights everything chief information officers need to know about IT governance and active software escrow.
Compiled by Escrow Europe with input from Michalsons Attorneys and senior lecturer in Private Law at the University of Pretoria, B. Prozesky-Kuschke, the booklet is intended for CIOs, their boards of directors and senior management of organisations who are:
* Subject to, or embrace the provisions of, the King II report on corporate governance.
* Obliged to be compliant with Sarbanes Oxley legislation (Section 404).
Its aim is to help them identify what constitutes professional, or active, software escrow, and why active software escrow is a necessary business tool for any organisation that depends on information technology.
The booklet also provides hints on how to fast-track active software escrow and guidelines about the costs associated with it.
Possibly most important is the section providing four compelling reasons why active software escrow is a business necessity in South Africa.
Reason 1: Active software escrow facilitates compliance with corporate governance imperatives.
The objectives of active software escrow are rooted in promoting good ICT governance, and take cognisance of the fact that suppliers and their licensed end-users can be proactive in complying with current protocols and quality standards such as King II, Basel II, ISO 9001, South African National Standard ISO/IEC 17799, COSO, COBIT, ITIL and Sarbanes-Oxley.
For instance, ISO 9001 guidelines provide us with useful definitions:
'An escrow agent is an independent trusted third party that takes custody of a software source code deposit', and,
'Escrow is an ancient legal term referring to a deed which only becomes effective upon the occurrence of a future event. This term has been applied to the deposit of source code by the software owner with an independent third party, known as the "escrow agent",' and,
'Source code escrow agreements must be set up for each software product that an organisation uses. The following exceptions may be considered:
1. Software has no business-critical functions.
2. A software licence fee less than 3000 Euro.
3. Less than three regular users.
4. Shrink-wrapped commodity, off-the-shelf alternative products.'
'Source code escrow is a disaster recovery and business continuity method that supports the procurement process and secures long term investment in information and communication technology.'
ISO 9001 (ISO 9001, Quality Systems - Model for Quality Assurance in Design/Development, Production, Installation and Servicing) covers product design and development. It is the standard applied to software and has emerged as the undisputed international benchmark for quality management.
South African National Standard ISO/IEC 17799 (edition 1), 'Information Technology – Code of Practice for Information Security Management', defines a comprehensive information security management process and specifically includes business continuity management.
ISO 12207 describes the five primary processes (with their subcategories of activities and tasks) – acquisition, supply, development, maintenance and operation – required to produce large, complex software systems.
ISO 15504 provides a framework for the assessment of processes. This framework can be used by organisations involved in planning, managing, monitoring, controlling and improving the acquisition, supply, development, operation, evolution and support of products and services.
All these standards reference professional escrow as an important component.
Effectively, when a core business system depends on licensed software that the business does not own, the business has in effect outsourced that core function. Outsourcing core or mission-critical functions implies far greater operational risk, so the associated business continuity considerations become a major issue. Corporate governance guidelines, protocols and imperatives (King II, Basel II, Sarbanes-Oxley etc) now also emphasise the end-user need for professional software escrow and insist that company executives ensure that:
* Procedures and practices are in place to protect the company’s assets and reputation.
* The company complies with all laws, regulations and best business practice.
* Technology and systems in the company are adequate to run the company properly.
* ICT and software risks are identified and addressed.
For instance, Section 404 of the Sarbanes-Oxley (SOX) Act instructs executive management to evaluate and report on the effectiveness of their internal controls which include the application software and information technology processes that sustain a company’s day-to-day operations.
Enterprises are at risk of non-compliance in terms of protecting the application software that comprises their strategic assets. Smart business practices, such as placing the source code for mission-critical applications into a technology escrow account, have now become a key component of regulatory compliance.
Reason 2: South African law currently does not provide for the protection of, and access to, software source code in the event of software supplier insolvency.
The Roman-Dutch law concept of 'deposit' (depositum) is part of South African law, whereby a person delivers something to a third party for the purpose of safe custody and the latter, either gratuitously or for reward, undertakes to take care of the thing until certain circumstances agreed between the two principal parties occur. According to B Prozesky-Kuschke BLC LLB, senior lecturer in Private Law at the University of Pretoria, in her article 'DEPOSITUM AND ESCROW: The Current Application Regarding Computer Source Code in South African Law':
“The classic principles regarding depositum need to be adapted to suit the needs of the parties involved in an arrangement for the protection and access to source codes. As no case law or proper legislation is currently available to show the way, the best solution remains to regulate the relationships and provide for specific eventualities by concluding proper, watertight agreements in this regard.”
South African courts have not yet dealt with the continued use of software following the insolvency of the software supplier. While an escrow agreement will not solve all the problems associated with the insolvency, it gives the user an opportunity it would not otherwise have to continue making use of the software: the user would be able to keep using the software under the terms and conditions of the prevailing licence agreement and, most importantly, be able to maintain and support the software for the purposes of business continuity in the absence of the software supplier.
Reason 3: Active software escrow bridges the source code-object code divide.
When it comes to object code versus source code, the issue is this: what would the impact be on your business if you spent R5-million to license software that is integral to your business's day-to-day, mission-critical operations, but the company you paid closes shop, leaving you with R5-million worth of 'orphaned' software? Would you then be interested in the difference between object code and source code?
Simply put, when your company licenses software, it more often than not gets a licence to use the machine-readable ‘object code’ but not access to the ‘source code’, which programmers read and work in.
If the software supplier is unable to support your software for any reason, the only way you can fix problems or make the enhancements you need is if you have guaranteed access to the source code via your active software escrow arrangement.
Reason 4: Untested or passive escrow deposits are often useless when called upon to deliver what they promise – business continuity in the face of the software supplier’s inability to continue supporting its technology.
The ‘passive’ approach to escrow or intellectual property custodianship involves simply ‘holding’ the material; active escrow involves both holding the material and verifying it to be usable in terms of the escrow agreement between the software supplier and the end-user.
Professional escrow agents offer several levels of technical verification and reporting, depending on how mission-critical the client considers the business application to be. A review of the need for verification, completed by a leading international escrow agent, recently reported that nine out of every 10 unverified deposits, that is, passive source code deposits, would have been useless.
Nearly all these deposits failed to meet the verification criteria immediately, not because the missing components do not exist or because every software supplier makes a mess of its deposits, but because today's software environments are complex and software suppliers are often too busy to spend the time really required to create a quality deposit. In fact, the main reason is that they simply forget and/or overlook the deposit of small but important components.
However, bearing in mind that these deposits were historically held in passive escrow, the findings are very frightening: they suggest that businesses relying on passive software escrow would, at best, have experienced severe difficulty in using the material released under the terms of the agreement should anything happen to force it into play. At worst, the deposit would be entirely useless. Without proper technical verification, how would you know?
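The verification step that separates active from passive escrow can be illustrated with a small completeness and integrity check. The following is an added example, not code from the booklet, Escrow Europe or any escrow agent: it assumes a hypothetical deposit manifest (a mapping of relative file path to expected SHA-256 digest, agreed at deposit time) and walks a deposit directory reporting components that are missing or whose contents no longer match. The constructed sample deposit deliberately omits the build script and tampers with one library, the two failure modes the booklet describes.

```python
"""Completeness and integrity check for a source-code escrow deposit.

Added example (not from the booklet or any escrow agent). The manifest format,
a dict of relative path -> expected SHA-256 hex digest, is an assumption made
for this example; real escrow agents use their own deposit schedules and also
attempt a full build, which this check does not do.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class VerificationReport:
    """Outcome of checking a deposit against its manifest."""
    missing: list[str] = field(default_factory=list)    # listed in manifest, absent from deposit
    corrupted: list[str] = field(default_factory=list)  # present, but digest does not match
    verified: list[str] = field(default_factory=list)   # present and digest matches

    @property
    def usable(self) -> bool:
        # A deposit is only usable if every listed component is present and intact.
        return not self.missing and not self.corrupted


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large deposits do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_deposit(deposit_dir: str, manifest: dict[str, str]) -> VerificationReport:
    """Compare every manifest entry against the files actually deposited."""
    report = VerificationReport()
    for rel_path, expected_digest in sorted(manifest.items()):
        full_path = os.path.join(deposit_dir, rel_path)
        if not os.path.isfile(full_path):
            report.missing.append(rel_path)
        elif sha256_file(full_path) != expected_digest:
            report.corrupted.append(rel_path)
        else:
            report.verified.append(rel_path)
    return report


def build_demo_deposit() -> tuple[str, dict[str, str]]:
    """Constructed sample deposit (hypothetical file names and contents).

    The manifest lists three components. The build script is never written to
    the deposit (the 'small but important component' that gets forgotten), and
    the vendor library is altered after the manifest digest was recorded.
    """
    deposit_dir = tempfile.mkdtemp(prefix="escrow_deposit_")
    components = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "build/Makefile": b"all:\n\tcc -o app src/main.c\n",
        "lib/vendor.a": b"\x00" * 16,
    }
    manifest = {rel: hashlib.sha256(data).hexdigest() for rel, data in components.items()}
    for rel, data in components.items():
        if rel == "build/Makefile":
            continue  # forgotten at deposit time
        if rel == "lib/vendor.a":
            data = b"\x01" * 16  # does not match the recorded digest
        full_path = os.path.join(deposit_dir, rel)
        os.makedirs(os.path.dirname(full_path), exist_ok=True)
        with open(full_path, "wb") as f:
            f.write(data)
    return deposit_dir, manifest


if __name__ == "__main__":
    directory, manifest = build_demo_deposit()
    result = verify_deposit(directory, manifest)
    print("missing:  ", result.missing)
    print("corrupted:", result.corrupted)
    print("verified: ", result.verified)
    print("usable:   ", result.usable)
```

A passive escrow simply files whatever arrives; this check is the minimum an active agent would run on receipt, and its report is what the end-user should expect to see before relying on the deposit for business continuity.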
All in all, this essential guide shows that today's CIOs need to consider the points made above carefully, because, despite their diligence in insisting that escrow agreements are in place for all of their mission-critical systems, the actual escrow deposits may be of little or no value.