INTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE ESCROW BEST PRACTICES REPORT
What is Mission Critical to You? Before you acquire mission-critical technology from a third-party software vendor, take a few minutes to review the costs and risks. What will happen to your company if your technology is unavailable? Learn strategies on how you can manage your risk with a technology escrow program. In this report, you will learn: How to implement specific escrow strategies to meet your company s individual needs. How the experts at Iron Mountain will work with you to simplify the escrow process and make you better prepared. How a best practice escrow program can reduce risks and costs to your company by ensuring your technology is available to you when you need it. 2 / Enterprise Escrow Best Practices Report
4 STEPS TO MANAGE RISK AND IMPROVE ROI WITH THIRD-PARTY TECHNOLOGY ACQUISITIONS Mission-critical technology is everywhere; you depend on it every day. Failing to protect this technology puts your business at risk. There s a good chance that a disruption of the thirdparty software or technology your company uses could have a catastrophic impact on your business. If your vendor went out of business or otherwise stopped supporting your technology, your company could suffer considerable losses in revenue and/or productivity. With the additional complexities of Software-as-a-Service (SaaS), you face additional challenges since your data is also at risk. Iron Mountain Technology Escrow Services enable a risk mitigation option when you negotiate a license for software or other mission-critical technology. When a software escrow contract is established, the proprietary development information for that software is placed within a secure escrow account held by Iron Mountain. If the developer defaults on their obligations to the user at any point in the future, the escrow materials may be released to the user, enabling them to recreate or maintain their mission-critical technology. When you acquire software or other technology, escrow and verification services should be an integral part of the licensing discussion from the start. Once an escrow agreement is established, it should be integrated into your risk management plan and reviewed on a regular basis. By safeguarding your technology assets, you are protecting your investment. Iron Mountain s Technology Escrow Services give you the ability to continue to use your technology even if your vendor is no longer able or willing to provide support or access. A technology escrow agreement also gives you leverage in discussions with your vendor if there are support issues. HERE ARE FOUR STEPS TO GUIDE YOU THROUGH THE PROCESS: 1. Evaluate Your Licensing Risks to Determine Your Organization s Specific Requirements 2. Reduce Risks with Verification Testing 3. Plan for Software-as-a-Service Contingencies 4. Establish a Program that Reflects Best Practices and Ties into Risk Management Goals Mission-critical applications need to be considered in your risk profile. 800-962-0652 / ironmountain.com / 3
1. EVALUATE YOUR LICENSING RISKS TO DETERMINE YOUR ORGANIZATION S SPECIFIC REQUIREMENTS WHAT S YOUR RISK? Many factors contribute to your risk. Operational dependencies on the product, investment of time into this solution, an assessment of the technology developer, and cost should all be determined when calculating your risk factor. Consider all the costs and risks of licensing the vendor s technology to determine the risk to your company in the event the developer is no longer able or willing to support the product. You need to determine your operational risk if the technology is unavailable. As your risk increases, your need for escrow protection and verification also increases. IDENTIFY YOUR RISKS WHEN USING ON-PREMISES (LICENSED) SOFTWARE Operational Dependencies Number of users Customer impact Lost productivity Lost revenue Public Safety Costs Initial investment License fee Installation Customization Reprogramming Hardware What level of escrow protection is needed based on the Risks of Licensed Software? Investment of Time Availability of substitute products Time to recode Time to identify new product Time to negotiate new license Vendor Assessment Vendor stability Management track record Subcontractor partnerships Breadth of product lines Commitment of staff How much do your operations depend on your technology? How much time is invested in your current technology solutions? What would happen to your technology if something happened to your vendor? What would your costs be to replace your current technology? How do you stack up? 4 / Enterprise Escrow Best Practices Report
2. REDUCE RISKS WITH VERIFICATION TESTING WILL YOUR TECHNOLOGY WORK WHEN IT IS NEEDED? Over 76 percent of all deposits sent in to Iron Mountain for analysis were determined to be incomplete. As a result, these deposits required additional input from the developer in order to be compiled. A thorough verification of the escrow materials provides assurance that, in the event of a deposit release, you would be able to more quickly and effectively read, recreate, and maintain the developer s software or technology in-house. These extra precautions maximize the payoff from investments in escrow deposits and protect the total investment in software assets. For escrow accounts to have maximum value, it takes more than simply depositing a set of source code files. That s why, on average, over 50 percent of all qualified escrow agreements are now verified. There are different levels of verification services from initial to comprehensive and each offers increasing levels of assurance that the technology can be recreated and used if predetermined events and conditions do occur. Iron Mountain s Escrow Verification levels include: IRON MOUNTAIN S VERIFICATION SERVICE LEVELS Level 4 Full Usability Test Level 3 Binary Comparison Test Does the software work properly? Verify and confirm that the built application works properly when installed Level 2 Compile Test Do the files match? Verify that the compiled files on deposit compare identically to the technology licensed Level 1 Inventory & Analysis Test Do the deposited materials compile? Verify the ability to compile the deposit materials and build executable code Can the environment be recreated? Verify that information required to recreate the depositor s development environment has been stored in escrow 800-962-0652 / ironmountain.com / 5
Unless you test the escrow deposit, there is no assurance that your escrow account contains complete, correct and usable materials. Iron Mountain can recommend the most appropriate levels of verification for your specific situation to strengthen the value of your escrow agreement. Are you protected? If something happens to your software vendor, will you be able to get your application back up and running? Is it worthwhile to implement escrow without verification? How do you stack up? 6 / Enterprise Escrow Best Practices Report
3. PLAN FOR SOFTWARE-AS-A-SERVICE CONTINGENCIES WHAT S YOUR SaaS RISK? Software-as-a-Service (SaaS) applications are rapidly being integrated into many of today s business operations, but contingency options for SaaS applications may be missing from your current business continuity plans. Many times, the SaaS subscriber assumes that the cloud provider has covered the contingencies, but often that is not the case. It s hard to proactively adopt new technologies, such as SaaS, when you acknowledge that your supplier may not be around long enough for you to realize the return on your investment. You need to consider the risks before you enter into such an arrangement, especially for cloud-based services. Another point to remember is that with SaaS deployments, you are accessing both your application and data via the cloud. Physically, you do not possess the provider s software or your data. Therefore, you need to make sure that if something goes wrong, you can still access the application and your data at least until you retrieve your data or migrate to another solution. IDENTIFY YOUR RISKS WHEN USING SaaS OR CLOUD-BASED (SUBSCRIPTION) SOFTWARE Operational Dependencies Number of users Customer facing impact/brand Lost productivity and Revenue Business Continuity / Disaster Recovery Planning (BC/DRP) Suitable interim alternatives Costs Security assessments Monthly subscription Retraining and ongoing training Integration with Legacy Apps Customization What level of escrow and data protection are needed based on the Risks of SaaS? Investment of Time Corporate Tolerance - Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) Availability of substitute SaaS products Time to identify new product Time to transition and negotiate Vendor Assessment Vendor stability Single vs. multi tenancy Subcontractor partnerships, i.e. hosting parties Acquisition risk/change in control 800-962-0652 / ironmountain.com / 7
As part of the contingency planning process, you should always communicate your concerns internally and externally. SaaS providers should proactively address those risks by conceiving, crafting and testing the contingency plan. Iron Mountain SaaSProtect Services deliver a suite of SaaS-focused contingency solutions that are tailored to meet specific levels of risk catered to your unique business risks. SaaSProtect Services offers the flexibility to customize protection against disasters or other unplanned outages as well as typical software escrow release events, such as bankruptcy or change in control. Did you know that 79% of SaaS providers do not guarantee application continuity, causing subscribers to have difficulty entrusting critical business processes to the cloud? SaaS PROTECT SERVICES SUITE GRADUATED SERVICES SaaSProtect High Availability SaaSProtect Continuity Services Full Subscriber Recovery & Provider Disaster Recovery Escrow Services Source Code Source Code Escrow Access to source code/maintenance materials only SaaSProtect Backup SaaS App & Data Backup Automated, continuous vaulting of app/data Access to data backup Subscriber Recovery After a Provider Failure Automated, continuous replication of app/data Automated recovery of app/data (standby recovery environment) Access to app and data Failover capability Automated, continuous replication of app/data Automated recovery of app/data (real-time, mirrored recovery environment) Access to app and data Seamless failover/failback Disaster recovery services FASTER RECOVERY TIME What types of recovery services do you have in place for your SaaS applications and data? How will you restore your SaaS application in case of an outage or provider failure? Will you be able to resume operations quickly if something happens to your SaaS provider? How do you stack up? 8 / Enterprise Escrow Best Practices Report
4. ESTABLISH A PROGRAM THAT REFLECTS BEST PRACTICES & TIES INTO RISK MANAGEMENT GOALS FOLLOW THESE BEST PRACTICE GUIDELINES Establish an escrow program that ties into your corporate risk management goals. The best way to do this is to follow these best practice guidelines. Set Your Terms Establish a master escrow agreement and be willing to cover the costs Start Early Introduce escrow requirements at the beginning of the licensing or subscription process Stay on Top of It Audit your escrow agreements annually to ensure they are up-to-date and adhere to best practices SET YOUR TERMS First, establish a master escrow agreement. If your company licenses software from more than one developer, vendor or supplier, you can simplify the process with the use of a master escrow agreement. A master agreement between your company and Iron Mountain will include the terms and conditions you specify and will govern the administration of escrow deposit accounts with multiple developers. If you plan to pay for the escrow rather than depend on your developer to cover the cost you will be able to drive the terms and conditions of the escrow agreement. A master agreement lets you set the terms and enroll new developers with ease while driving consistency and reducing cost. START EARLY You should introduce and determine the need for escrow early during the vendor selection process. By building escrow into your request for information (RFI) and request for proposal (RFP) processes, you can drive the escrow agreement, get the best terms, and ensure consistent use of your escrow terms. Here are some tips to help make this happen: Provide a copy of your executed Master Escrow Agreement to your potential software vendor along with your License Agreement and set expectations with the software vendor regarding items to be deposited and test level required Request that the software vendor provide the required information to Iron Mountain to obtain a quote for the specified level of verification testing required by your risk assessment Always strive to sign the escrow agreement at the same time as the license agreement Establish internal guidelines for deviating from your Master Escrow Agreement terms and consult with Iron Mountain to review your options and determine the best approach If your software is a SaaS application, you need to be ready to recover, restore and resume that application with continuity services Key terms of any software escrow agreement include: Deposit contents, update process and frequency Verification rights know what you have Release conditions Release mechanism, objection period, contrary instructions, etc. Rights to use following release Payment of fees and dispute resolution 800-962-0652 / ironmountain.com / 9
STAY ON TOP OF IT Escrow should be an integral part of your risk management plan, and you should review that plan annually to ensure the terms are appropriate and deposits are current. There s no sense in paying for escrow on technology that is no longer used, so regular check-ups are a good idea. As part of a sound Technology Asset Management program, you should audit your escrow accounts each year. Iron Mountain will review your current accounts with you, and let you know how your escrow plan compares to other companies in your industry. For instance, we ll review deposit frequency, confirm contact information on your accounts, and advise you of which accounts may not be adhering to your established best practices. Iron Mountain s escrow and verification services deliver real peace of mind for our IT and management teams, and provide assurances for the continuity of our business operations. IT Project Manager Enterprise customer An up-to-date, functional escrow plan will deliver a return on your investment, because you know your technology assets will be protected and available to you in the future. Our goal is to ensure that your escrow agreement offers you the best protection possible. Have you established a master escrow agreement? How many escrow agreements have used the master agreement vs. another form of agreement since the master was established? Is escrow part of your RFI and RFP processes? Do you feel that your escrow agreements reflect the best possible terms? Do you review your escrow agreements annually? Are your escrow deposits current? How do you stack up? 10 / Enterprise Escrow Best Practices Report
ARE YOU READY TO START IMPLEMENTING ESCROW BEST PRACTICES? Did you know that Iron Mountain created the technology escrow industry in 1982 to help companies protect software source code and other intellectual property? Today, more than 90 percent of Fortune 500 companies turn to Iron Mountain for software escrow protection. Our escrow best practices can help you ensure that your company s critical information is protected, your risk and your costs are reduced, and your investments in technology are preserved. ABOUT IRON MOUNTAIN Every day, companies big and small, in virtually every industry, trust Iron Mountain to store, protect and manage their information. We help businesses just like yours take advantage of cost savings, improved efficiency and reduced risks. With an Iron Mountain software escrow agreement in place, you ll gain peace of mind and protect your company s mission-critical technology. Your Iron Mountain account representative can assess your current escrow program, and make strategic recommendations to align it with our best practices. Talk to Iron Mountain at 800-962-0652 Learn more at www.ironmountain.com/escrow 800-962-0652 / ironmountain.com / 11
Enterprise Escrow Best Practices Report Please contact your Iron Mountain Intellectual Property Management Sales Representative to discuss the availability of a customized Enterprise Escrow Best Practices Report for your company. ABOUT IRON MOUNTAIN. Iron Mountain Incorporated (NYSE: IRM) provides information management services that help organizations lower the costs, risks and inefficiencies of managing their physical and digital data. Founded in 1951, Iron Mountain manages billions of information assets, including backup and archival data, electronic records, document imaging, business records, secure shredding, and more, for organizations around the world. Visit the company Website at www.ironmountain.com for more information. 2014 Iron Mountain Incorporated. All rights reserved. Iron Mountain and the design of the mountain are registered trademarks of Iron Mountain Incorporated in the U.S. and other countries. All other trademarks are the property of their respective owners. US-EXT-ES-BP-010814-001 800 899 IRON (4766) / ironmountain.com 12