Transcript Document
Topics
Changes
Risk Assessments
Cloud
Data Security / Data Protection
Licenses, Copies, Instances
Limits of Liability and Indemnification
Requests for Proposals
Good Practice
Trends
Resources
Changes
Increased use of agreements required to extend service periods
Increased use of software as a service (no longer buying a commodity)
Increasingly complex agreements
Increased litigation and risk exposures
Increased drive to limit liability
Audits
Risk Assessments
What is the software used for?
Is data collected, used, or transmitted?
Define the data and its classification level
Identify any financial transactions (PCI)
Describe installation and support requirements
Determine whether the software is self-hosted or web-hosted
Where is my data?
Cloud
There is no ‘cloud’. Data is collected and stored somewhere.
Where is the data center?
How secure are the data and the center?
If outside the US, how risky is the data exposure?
How will data be returned?
Data Security and Protection
Data Security & Protection
Campus Chief Information Security Officer
Safeguards
Access, Transmission, Storage
Movement and co-location
Can the vendor aggregate, slice and dice, or compile the data?
Can the vendor use co-location, failovers, etc.?
How does the system safeguard protected data: HIPAA, PCI, FERPA, Personal Information?
License / Copy / Instance
What does your license cover?
What is a ‘copy’, ‘instance’, or ‘impermissible copy’?
Does your license transfer from hardware to hardware? Storage box to storage box?
“unfettered right to ‘move, migrate, transfer’ license without it being deemed an impermissible copy”
Use, Access, and Benefit / Authorized Users
“install, execute, use, have access to, benefit from, copy, test, display, and perform and make back up and archival copies.”
Audit
Liability and Indemnification
Limits of Liability
“Vendor’s liability for damages to customer will not exceed fees paid under this agreement for 36 months preceding date of claim.”
Consider Adding: “Except as set forth in paragraphs (list sections pertaining to copyright/intellectual property, indemnification provision, and confidentiality / data breach section).”
Indemnification
Indemnify, defend, and hold harmless
Copyright Infringement costs, data breach costs
Liability and Indemnification
EXAMPLE FROM VENDOR AGREEMENT
6.2. Disclaimer. EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, THE PROGRAM AND DOCUMENTATION ARE PROVIDED “AS IS” AND “WITH ALL FAULTS,” AND VENDOR MAKES NO REPRESENTATIONS OR WARRANTIES, AND DISCLAIMS ALL REPRESENTATIONS AND WARRANTIES, EXPRESS OR IMPLIED, WRITTEN OR ORAL, ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, USAGE OF TRADE, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF NON-INTERFERENCE, ACCURACY, MERCHANTABILITY, SYSTEMS INTEGRATION, QUALITY, AND FITNESS FOR A PARTICULAR PURPOSE.
Liability and Indemnification
EXAMPLE
Monetary Liability. THE AGGREGATE TOTAL LIABILITY OF VENDOR UNDER OR IN CONNECTION WITH THE PROGRAM, THE DOCUMENTATION, OR THIS AGREEMENT TO LICENSEE OR ANY OTHER PERSON OR PERSONS SHALL UNDER NO CIRCUMSTANCES EXCEED THE AMOUNTS PAID BY LICENSEE UNDER THIS AGREEMENT.
Request for Proposals (“RFP”)
The RFP is a team effort and requires collaboration
Conflict of Interest & Confidentiality
Develop RFP with the end in mind
The RFP Response should be an Exhibit to agreement
Detailed project plan and/or statement of work is obtained prior to contract execution.
Maintenance and Support detailed, including service levels
Request for Proposals (“RFP”)
Consider additional items:
Service Level Provisions as part of RFP
Intellectual Property Rights for co-development
Contract Close out plans
State in RFP that the CSU General Provisions for IT will be required
Security Questionnaire and Requirements as part of RFP
All functionality for license is contained in implementation – no future release solutions
Downtime chart
Good Practice
Templates
Eliminate hyperlinks in your agreements
Ensure that no disabling devices are in the software
Collaborate with IT: meet, discuss, cross educate
Collaborate with other campuses
Interesting Trends
Migration to Tablets and Devices – BYOD and Apps
Social Media as daily communications
Big Data
Cloud Computing
Software as a Service, Platform as a Service, and Infrastructure as a Service.
Resources
Accessible Technology Initiative
http://www.calstate.edu/accessibility/
ICSUAM Information Security Policy
http://www.calstate.edu/icsuam/sections/8000/
ICSUAM Contracts & Procurement
http://www.calstate.edu/icsuam/sections/5000/
ICSUAM ITR Policy
http://www.calstate.edu/icsuam/sections/5000/5500.0CSPICSUAMCSU.shtml
Conflict of Interest
http://www.calstate.edu/csp/crl/forms/CRL057.pdf