Booklet: Development and Acquisition
Section: Acquisition
Subsection: Escrowed Documentation

Software programs are written using non-proprietary, open source code; proprietary
(licensed) open source code; or proprietary, closed source code.
Non-proprietary, open source programs, sometimes referred to as free software,
are written in publicly available code and can usually be used, copied,
modified, etc., without restriction. Proprietary, open source programs
are also written in publicly available code but are copyrighted and distributed
through various licensing agreements. Management should carefully consider
all licensing agreements to ensure their use, modification, or redistribution
of the programs conforms to the agreements.

Proprietary, closed source programs are normally copyrighted trade secrets
of the company that wrote or owns the programs. Most vendors do not release
closed source code to the organizations that buy or lease the products
in order to protect the integrity and copyrights of the software. An alternative
to receiving the source information is to install programs in object code
and establish a source code escrow agreement. In such an agreement, organizations
can only access the source code under specific conditions, such as discontinued
product support or financial insolvency of the vendor.

Typically, an independent third party retains the documentation in escrow; however,
it is each organization’s responsibility to periodically (at least
annually) ensure the third party holds a current version of the source
information. Often, escrow agents provide services for reviewing and confirming
source code version numbers and dates. Some agents also perform automated
code reviews to ensure the integrity of the escrowed code.

In addition to ensuring access to current documentation, organizations should
consider protecting their escrow rights by contractually requiring software
vendors to inform the organization if the software vendor pledges the
software as loan collateral.

Provisions management should consider incorporating into escrow agreements
include:

- Definitions of minimum programming and system documentation;
- Definitions of software maintenance procedures;
- Conditions that must be present before an organization can access the source information;
- Assurances that the escrow agent will hold current, up-to-date versions of the source programs and documentation (escrowed information must be updated whenever program changes are made);
- Arrangements for auditing/testing the escrowed code;
- Descriptions of the source information media (for example, magnetic tape, disc, or hard copy) and assurances that the media is operable and compatible with an organization’s existing technology systems;
- Assurances that source programs will generate executable code.