Transcript Document

Topics
• Changes
• Risk Assessments
• Cloud
• Data Security / Data Protection
• Licenses, Copies, Instances
• Limits of Liability and Indemnification
• Requests for Proposals
• Good Practice
• Trends
• Resources
Changes
• Increased use of agreements required to extend service periods
• Increased use of software as a service (no longer buying a commodity)
• Increasingly complex agreements
• Increased litigation and risk exposures
• Increased drive to limit liability
• Audits
Risk Assessments
• What is the software use?
• Is data collected, used, or transmitted?
• Define the data and the classification level
• Identify any financial transactions (PCI)
• Describe installation and support requirements
• Define if software is self-hosted or web-hosted
Where is my data?
Cloud
• There is no ‘cloud’. Data is collected and stored somewhere.
• Where is the data center?
• How secure is the data and the center?
• If outside US, how risky is the data exposure?
• How will data be returned?
Data Security and Protection
Data Security & Protection
• Campus Chief Information Security Officer
• Safeguards
• Access, Transmission, Storage
• Movement and co-location
• Can the vendor aggregate, slice and dice, or compile?
• Can the vendor have co-location, failovers, etc.?
• How does the system safeguard protected data: HIPAA, PCI, FERPA, Personal Information?
License / Copy / Instance
• What does your license cover?
• What is a ‘copy’, ‘instance’, or ‘impermissible copy’?
• Does your license transfer from hardware to hardware? Storage box to storage box?
• “unfettered right to ‘move, migrate, transfer’ license without it being deemed an impermissible copy”
• Use, Access, and Benefit / Authorized Users
• “install, execute, use, have access to, benefit from, copy, test, display, and perform and make back up and archival copies.”
• Audit
Liability and Indemnification
• Limits of Liability
• “Vendor’s liability for damages to customer will not exceed fees paid under this agreement for 36 months preceding date of claim.”
• Consider Adding: “Except as set forth in paragraphs (list sections pertaining to copyright/intellectual property, indemnification provision, and confidentiality / data breach section).”
• Indemnification
• Indemnify, defend, and hold harmless
• Copyright Infringement costs, data breach costs
Liability and Indemnification
EXAMPLE FROM VENDOR AGREEMENT
• 6.2. Disclaimer. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE PROGRAM AND DOCUMENTATION ARE PROVIDED “AS IS” AND “WITH ALL FAULTS,” AND VENDOR MAKES NO REPRESENTATIONS OR WARRANTIES, AND DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, WRITTEN OR ORAL, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF NON-INTERFERENCE, ACCURACY, MERCHANTABILITY, SYSTEMS INTEGRATION, QUALITY, AND FITNESS FOR A PARTICULAR PURPOSE.
Liability and Indemnification
EXAMPLE
• Monetary Liability. THE AGGREGATE TOTAL LIABILITY OF VENDOR UNDER OR IN CONNECTION WITH THE PROGRAM, THE DOCUMENTATION, OR THIS AGREEMENT TO LICENSEE OR ANY OTHER PERSON OR PERSONS SHALL UNDER NO CIRCUMSTANCES EXCEED THE AMOUNTS PAID BY LICENSEE UNDER THIS AGREEMENT.
Request for Proposals (“RFP”)
• The RFP is a team effort and requires collaboration
• Conflict of Interest & Confidentiality
• Develop RFP with the end in mind
• The RFP Response should be an Exhibit to the agreement
• Detailed project plan and/or statement of work is obtained prior to contract execution
• Maintenance and Support detailed, including service levels
Request for Proposals (“RFP”)
• Consider additional items:
• Service Level Provisions as part of RFP
• Intellectual Property Rights for co-development
• Contract Close out plans
• State in RFP that the CSU General Provisions for IT will be required
• Security Questionnaire and Requirements as part of RFP
• All functionality for license is contained in implementation – no future release solutions
Downtime chart
Good Practice
• Templates
• Eliminate hyperlinks in your agreements
• Ensure that no disabling devices are in the software
• Collaborate with IT: meet, discuss, cross educate
• Collaborate with other campuses
Interesting Trends
• Migration to Tablets and Devices – BYOD and Apps
• Social Media as daily communications
• Big Data
• Cloud Computing
• Software as a Service, Platform as a Service, and Infrastructure as a Service
Resources
• Accessible Technology Initiative
  http://www.calstate.edu/accessibility/
• ICSUAM Information Security Policy
  http://www.calstate.edu/icsuam/sections/8000/
• ICSUAM Contracts & Procurement
  http://www.calstate.edu/icsuam/sections/5000/
• ICSUAM ITR Policy
  http://www.calstate.edu/icsuam/sections/5000/5500.0CSPICSUAMCSU.shtml
• Conflict of Interest
  http://www.calstate.edu/csp/crl/forms/CRL057.pdf