INTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE … · 2018-09-16 · developer’s software or...

ENTERPRISE ESCROW BEST PRACTICES REPORT

IN

TELL

ECTU

AL

PR

OPER

TY

M

AN

AG

EM

EN

T

What is Mission Critical to You?

Before you acquire mission-critical technology from a third-party

software vendor, take a few minutes to review the costs and risks.

What will happen to your company if your technology is unavailable?

Learn strategies on how you can manage your risk with a technology

escrow program.

In this report, you will learn:

—How to implement specific escrow strategies to meet your company’s individual needs.

—How the experts at Iron Mountain will work with you to simplify the escrow process and make you better prepared.

—How a best practice escrow program can reduce risks and costs to your company by ensuring your technology is available to you when you need it.

2 / Enterprise Escrow Best Practices Report

800-962-0652 / ironmountain.com / 3

Mission-critical technology is everywhere; you depend

on it every day. Failing to protect this technology puts

your business at risk.

There’s a good chance that a disruption of the third-

party software or technology your company uses could

have a catastrophic impact on your business. If your

vendor went out of business or otherwise stopped

supporting your technology, your company could suffer

considerable losses in revenue and/or productivity. With

the additional complexities of Software-as-a-Service

(SaaS), you face additional challenges since your data is

also at risk.

Iron Mountain Technology Escrow Services enable a risk

mitigation option when you negotiate a license for

software or other mission-critical technology. When a

software escrow contract is established, the proprietary

development information for that software is placed

within a secure escrow account held by Iron Mountain. If

the developer defaults on their obligations to the user at

any point in the future, the escrow materials may be

released to the user, enabling them to recreate or

maintain their mission-critical technology.

When you acquire software or other technology, escrow

and verification services should be an integral part of

the licensing discussion from the start. Once an escrow

agreement is established, it should be integrated into

your risk management plan and reviewed on a regular

basis. By safeguarding your technology assets, you are

protecting your investment.

4 STEPS TO MANAGE RISK AND IMPROVE ROI WITH THIRD-PARTY TECHNOLOGY ACQUISITIONS

Iron Mountain’s Technology Escrow Services give you the

ability to continue to use your technology even if your

vendor is no longer able or willing to provide support or

access. A technology escrow agreement also gives you

leverage in discussions with your vendor if there are

support issues.

Mission-critical applications need to be considered in your risk profile.

HERE ARE FOUR STEPS TO GUIDE YOU THROUGH THE PROCESS:

1. Evaluate Your Licensing Risks to Determine

Your Organization’s Specific Requirements

2. Reduce Risks with Verification Testing

3. Plan for Software-as-a-Service Contingencies

4. Establish a Program that Reflects Best

Practices and Ties into Risk Management Goals


WHAT’S YOUR RISK? Many factors contribute to your risk. Operational

dependencies on the product, investment of time into

this solution, an assessment of the technology

developer, and cost should all be determined when

calculating your risk factor.

1. EVALUATE YOUR LICENSING RISKS TO DETERMINE YOUR ORGANIZATION’S SPECIFIC REQUIREMENTS

Consider all the costs and risks of licensing the vendor’s

technology to determine the risk to your company in the

event the developer is no longer able or willing to

support the product.

You need to determine your operational risk if the

technology is unavailable. As your risk increases, your

need for escrow protection and verification also increases.

— How much do your operations depend on your technology?

— How much time is invested in your current technology solutions?

— What would happen to your technology if something happened to your vendor?

— What would your costs be to replace your current technology?

How do you stack up?

IDENTIFY YOUR RISKS WHEN USING ON-PREMISES (LICENSED) SOFTWARE

Costs✓ Initial investment

✓ License fee

✓ Installation

✓ Customization

✓ Reprogramming

✓ Hardware

What level of escrow protection is needed

based on the Risks of Licensed

Software?

Operational Dependencies✓ Number of users

✓ Customer impact

✓ Lost productivity

✓ Lost revenue

✓ Public Safety

Investment of Time✓ Availability of substitute products

✓ Time to recode

✓ Time to identify new product

✓ Time to negotiate new license

Vendor Assessment✓ Vendor stability

✓ Management track record

✓ Subcontractor partnerships

✓ Breadth of product lines

✓ Commitment of staff


WILL YOUR TECHNOLOGY WORK WHEN IT IS NEEDED? Over 76 percent of all deposits sent in to Iron Mountain

for analysis were determined to be incomplete. As a

result, these deposits required additional input from the

developer in order to be compiled. A thorough verification

of the escrow materials provides assurance that, in the

event of a deposit release, you would be able to more

quickly and effectively read, recreate, and maintain the

developer’s software or technology in-house.

These extra precautions maximize the payoff from

investments in escrow deposits — and protect the total

2. REDUCE RISKS WITH VERIFICATION TESTING

investment in software assets. For escrow accounts to

have maximum value, it takes more than simply

depositing a set of source code files. That’s why, on

average, over 50 percent of all qualified escrow

agreements are now verified.

There are different levels of verification services — from

initial to comprehensive — and each offers increasing

levels of assurance that the technology can be recreated

and used if predetermined events and conditions do

occur. Iron Mountain’s Escrow Verification levels include:

IRON MOUNTAIN’S VERIFICATION SERVICE LEVELS

Level 1Inventory &

Analysis Test

Can the environment be recreated?Verify that information required to recreate the depositor’s development environment has been stored in escrow

Do the deposited materials compile?Verify the ability to compile the deposit materials and build executable code

Level 2Compile Test

Level 3Binary

Comparison Test

Do the files match?Verify that the compiled files on deposit compare identically to the technology licensed

Does the software work properly?Verify and confirm that the built application works properly when installed

Level 4Full Usability

Test


Unless you test the escrow deposit, there is no assurance that your escrow account contains complete, correct and

usable materials. Iron Mountain can recommend the most appropriate levels of verification for your specific situation

to strengthen the value of your escrow agreement.

— Are you protected?

— If something happens to your software vendor, will you be able to

get your application back up and running?

— Is it worthwhile to implement escrow without verification?



WHAT’S YOUR SaaS RISK? Software-as-a-Service (SaaS) applications are rapidly

being integrated into many of today’s business

operations, but contingency options for SaaS

applications may be missing from your current business

continuity plans. Many times, the SaaS subscriber

assumes that the cloud provider has covered the

contingencies, but often that is not the case.

It’s hard to proactively adopt new technologies, such

as SaaS, when you acknowledge that your supplier may

3. PLAN FOR SOFTWARE-AS-A-SERVICE CONTINGENCIES

not be around long enough for you to realize the return

on your investment. You need to consider the risks

before you enter into such an arrangement, especially

for cloud-based services. Another point to remember is

that with SaaS deployments, you are accessing both

your application and data via the cloud. Physically, you

do not possess the provider’s software or your data.

Therefore, you need to make sure that if something goes

wrong, you can still access the application — and your

data — at least until you retrieve your data or migrate to

another solution.

IDENTIFY YOUR RISKS WHEN USING SaaS OR CLOUD-BASED (SUBSCRIPTION) SOFTWARE

Costs✓ Security assessments

✓ Monthly subscription

✓ Retraining and ongoing training

✓ Integration with Legacy Apps

✓ Customization

What level of escrow and data protection are

needed based on the Risks of SaaS?

Operational Dependencies✓ Number of users

✓ Customer facing impact/brand

✓ Lost productivity and Revenue

✓ Business Continuity / Disaster Recovery Planning (BC/DRP)

✓ Suitable interim alternatives

Investment of Time✓ Corporate Tolerance - Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

✓ Availability of substitute SaaS products

✓ Time to identify new product

✓ Time to transition and negotiate

Vendor Assessment✓ Vendor stability

✓ Single vs. multi tenancy

✓ Subcontractor partnerships, i.e. hosting parties

✓ Acquisition risk/change in control


As part of the contingency planning process, you should

always communicate your concerns internally and

externally. SaaS providers should proactively address

those risks by conceiving, crafting and testing the

contingency plan.

Iron Mountain SaaSProtect Services deliver a suite of

SaaS-focused contingency solutions that are tailored to

meet specific levels of risk catered to your unique

business risks. SaaSProtect Services offers the flexibility

to customize protection against disasters or other

unplanned outages – as well as typical software escrow

release events, such as bankruptcy or change in control.

SaaS PROTECT SERVICES SUITE | GRADUATED SERVICES

Did you know that 79% of SaaS providers do not guarantee application continuity, causing subscribers to have difficulty entrusting critical business processes to the cloud?

— What types of recovery services do you have in place for your SaaS applications and data?

— How will you restore your SaaS application in case of an outage or provider failure?

— Will you be able to resume operations quickly if something happens to your SaaS provider?


Escrow ServicesSource Code

Source Code Escrow

✓ Access to source code/maintenance materials only

SaaSProtectBackup

SaaS App & Data Backup

✓ Automated, continuous vaulting of app/data

✓ Access to data backup

SaaSProtectContinuity Services

SaaSProtectHigh Availability

Subscriber Recovery After a Provider Failure

✓ Automated, continuous replication of app/data

✓ Automated recovery of app/data (standby recovery environment)

✓ Access to app and data

✓ Failover capability

Full Subscriber Recovery & Provider Disaster Recovery

✓ Automated, continuous replication of app/data

✓ Automated recovery of app/data (real-time, mirrored recovery environment) ✓ Access to app and data

✓ Seamless failover/failback

✓ Disaster recovery services

FASTER RECOVERY TIME


FOLLOW THESE BEST PRACTICE GUIDELINES Establish an escrow program that ties into your

corporate risk management goals. The best way to do

this is to follow these best practice guidelines.

— Set Your Terms — Establish a master escrow

agreement and be willing to cover the costs

— Start Early — Introduce escrow requirements at the

beginning of the licensing or subscription process

— Stay on Top of It — Audit your escrow agreements

annually to ensure they are up-to-date and adhere to

best practices

SET YOUR TERMS First, establish a master escrow agreement. If your

company licenses software from more than one

developer, vendor or supplier, you can simplify the

process with the use of a master escrow agreement. A

master agreement between your company and Iron

Mountain will include the terms and conditions you

specify and will govern the administration of escrow

deposit accounts with multiple developers. If you plan to

pay for the escrow — rather than depend on your

developer to cover the cost — you will be able to drive

the terms and conditions of the escrow agreement.

A master agreement lets you set the terms and enroll

new developers with ease while driving consistency and

reducing cost.

Key terms of any software escrow agreement include:

✓ Deposit contents, update process and frequency

✓ Verification rights — know what you have

✓ Release conditions

✓ Release mechanism, objection period, contrary

instructions, etc.

✓ Rights to use following release

✓ Payment of fees and dispute resolution

4. ESTABLISH A PROGRAM THAT REFLECTS BEST PRACTICES & TIES INTO RISK MANAGEMENT GOALS

START EARLY You should introduce and determine the need for escrow

early — during the vendor selection process. By building

escrow into your request for information (RFI) and

request for proposal (RFP) processes, you can drive the

escrow agreement, get the best terms, and ensure

consistent use of your escrow terms. Here are some tips

to help make this happen:

✓ Provide a copy of your executed Master Escrow

Agreement to your potential software vendor along

with your License Agreement and set expectations

with the software vendor regarding items to be

deposited and test level required

✓ Request that the software vendor provide the

required information to Iron Mountain to obtain a

quote for the specified level of verification testing

required by your risk assessment

✓ Always strive to sign the escrow agreement at the

same time as the license agreement

✓ Establish internal guidelines for deviating from

your Master Escrow Agreement terms — and

consult with Iron Mountain to review your options

and determine the best approach

✓ If your software is a SaaS application, you need to

be ready to recover, restore and resume that

application with continuity services


STAY ON TOP OF IT Escrow should be an integral part of your risk

management plan, and you should review that plan

annually to ensure the terms are appropriate and

deposits are current. There’s no sense in paying for

escrow on technology that is no longer used, so regular

check-ups are a good idea.

As part of a sound Technology Asset Management

program, you should audit your escrow accounts

each year. Iron Mountain will review your current

accounts with you, and let you know how your escrow

plan compares to other companies in your industry.

For instance, we’ll review deposit frequency, confirm

contact information on your accounts, and advise you of

which accounts may not be adhering to your established

best practices.

An up-to-date, functional escrow plan will deliver a

return on your investment, because you know your

technology assets will be protected and available to you

in the future.

Our goal is to ensure that your escrow agreement offers

you the best protection possible.

“Iron Mountain’s escrow and verification services deliver real peace of mind for our IT and management teams, and provide assurances for the continuity of our business operations.”

— IT Project Manager Enterprise customer

— Have you established a master escrow agreement?

— How many escrow agreements have used the master agreement vs. another form of agreement since

the master was established?

— Is escrow part of your RFI and RFP processes?

— Do you feel that your escrow agreements reflect the best possible terms?

— Do you review your escrow agreements annually?

— Are your escrow deposits current?



Did you know that Iron Mountain created the technology

escrow industry in 1982 to help companies protect

software source code and other intellectual property?

Today, more than 90 percent of Fortune 500 companies

turn to Iron Mountain for software escrow protection.

Our escrow best practices can help you ensure that your

company’s critical information is protected, your risk and

your costs are reduced, and your investments in

technology are preserved.

Your Iron Mountain account representative can assess

your current escrow program, and make strategic

recommendations to align it with our best practices.

ARE YOU READY TO START IMPLEMENTING ESCROW BEST PRACTICES?

ABOUT IRON MOUNTAIN Every day, companies big and small, in virtually every

industry, trust Iron Mountain to store, protect and

manage their information. We help businesses just like

yours take advantage of cost savings, improved

efficiency and reduced risks. With an Iron Mountain

software escrow agreement in place, you’ll gain peace of

mind and protect your company’s mission-critical

technology.

— Talk to Iron Mountain at 800-962-0652

— Learn more at www.ironmountain.com/escrow

US-EXT-ES-BP-010814-001

ABOUT IRON MOUNTAIN. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Website at www.ironmountain.com for more information.

© 2014 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners.

800 899 IRON (4766) / ironmountain.com 12

Enterprise Escrow Best Practices Report

Please contact your Iron Mountain Intellectual Property Management Sales Representative to discuss the

availability of a customized Enterprise Escrow Best Practices Report for your company.

INTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE … · 2018-09-16 · developer’s software or...

Documents

Transcript of INTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE … · 2018-09-16 · developer’s software or...