Government recommendations

CIO Bund and BSI

The more business-critical a process is, the more important it is to protect it from failure.

Escrow in Government Publications

IT-System Contract Conditions

German Federal Office for Information Security (BSI):

Basic IT Measures for Preventing Emergencies

Excerpt:

Checklist

  • Have you checked if a risk reduction can be achieved by using escrow services?
  • Are all the conditions regarding deposit, update and release as well as the rights and obligations of the stakeholders defined in detail in the escrow contract?
  • Are you sure the escrow contract is in accordance with the license agreement?
  • Does the escrow agency have the necessary qualifications?
  • When deposited in trust, is the material tested and verified to ensure it will be usable in the event of a future release to you?

The more business-critical a process is, the more important it is to protect it from failing. When a product is delivered or technical systems are put into place, usually the buyer does not receive all the components necessary for maintaining the product or system. In many cases, maintenance is performed by the supplier. Should the manufacturer or supplier go out of business, the buyer may not have the knowledge or components needed to keep the product in use. Consideration should be given as to whether the risk can be reduced by placing the missing components in escrow.

Escrow means depositing “in trust” (with an escrow agency) materials which are not included when you license a product, yet which are necessary to maintain and update that product. The materials could be software executables or source code, manuals, design specifications, configuration data, keys, passwords or other components.

English translation of an excerpt from “M 6.137 Treuhänderische Hinterlegung (Escrow)”. Source: German Federal Office for Information Security (BSI), Basic IT Measures for Preventing Emergencies, 2014.