Page 1330 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Focus your efforts on negotiating software escrow agreements with those suppliers you fear may go out of business because of their size. It’s not likely that you’ll be able to negotiate such an agreement with a firm such as Microsoft, unless you are responsible for an extremely large corporate account with serious bargaining power. On the other hand, it’s equally unlikely that a firm of Microsoft’s magnitude will go out of business, leaving end users high and dry.



If your organization depends on custom-developed software or software products produced by a small firm, you may want to consider developing this type of arrangement as part of your disaster recovery plan. Under a software escrow agreement, the developer provides copies of the application source code to an independent third-party organization. This third party then maintains updated backup copies of the source code in a secure fashion. The agreement between the end user and the developer specifies “trigger events,” such as the failure of the developer to meet terms of a service-level agreement (SLA) or the liquidation of the developer’s firm. When a trigger event takes place, the third party releases copies of the application source code to the end user. The end user can then analyze the source code to resolve application issues or implement software updates.


External Communications

During the disaster recovery process, it will be necessary to communicate with various entities outside your organization. You will need to contact vendors to provide supplies as they are needed to support the disaster recovery effort. Your clients will want to contact you for reassurance that you are still in operation. Public relations officials may need to contact the media or investment firms, and managers may need to speak to governmental authorities. For these reasons, it is essential that your disaster recovery plan include appropriate channels of communication to the outside world in a quantity sufficient to meet your operational needs. Usually, it is not a sound business or recovery practice to use the chief executive officer