NCC Group Escrow
A Brief Overview


Jonny Hyde
Escrow Account Manager
Telephone:    +44 (0) 161 209 5424
e-mail:       jonny.hyde@nccgroup.com

NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
Agenda

 About NCC Group

 About NCC Group Escrow

 Escrow – a simple explanation

 Benefits of Escrow

 Escrow – types of solutions

 Verification Services – a simple explanation

 Verification Services – types of solutions

 Risk Assessment Guide & Escrow Policy Document
About NCC Group

 The world’s leading independent IT Assurance provider:

  -   Largest provider of escrow
  -   Largest team of Ethical Security Testers
  -   Multinational customer base with15,000 customers including 94 out of the FTSE 100


 The Group has two complementary division

  -   Group Escrow & Assurance Testing


 10 offices in the UK, North America, the Netherlands, Switzerland & Germany

 Formed June 1999, a secure, stable, well respected plc listed on the London
 Stock Exchange with a group revenue of £46m (2008:2009)

 Independence from hardware & software providers ensures that unbiased &
 impartial advice is always offered
About NCC Group Escrow

 30+ years experience of providing high quality escrow services

 Most comprehensive escrow services available protecting customers
 worldwide

 Strong relationships with over 5,000 software suppliers

 Over 2,000 multi-licensee agreements in place

 Over 200 escrow employees in 5 countries

  -   Expert in house legal & technical team
  -   Experienced, high quality, security cleared, in-house testing team with 15
      engineers


 Highest levels of quality assurance

  -   ISO 9001 accredited: formal quality assurance
  -   ISO/IEC 27001accredited: information security standard
Escrow – a simple explanation

 Most organisations are dependent on third party supplied software
 applications /business processes to run their day to day operations

 However, depending on third parties to always be around to
 support and maintain business critical software applications and
 services brings about a high element of risk

 Escrow is a simple and effective arrangement designed to
 minimise this risk and protect the interests of all parties involved

 The terms of the arrangement are defined in a straight forward
 legal agreement between supplier, licensee & escrow provider

 NCC Group as the escrow provider holds a copy of the assets on
 which an organisation depends but does not own

 NCC Group ensures source code & other business critical materials
 are protected & accessible

 ‘Trigger Events’ defined in the agreement where business critical
 material is released to licensee include; liquidation, ceasing to
 trade, failure to meet maintenance obligations & IPR assignment (if
 new owner provides no escrow protection)
Benefits of Escrow

 Licensee

   -   ‘Insurance policy’ against the unpredictable IT market
   -   Allows continuing maintenance of critical applications in event of release of code
   -   Provides protection during investment in IT development
   -   Essential part of business continuity and disaster recovery planning
   -   Provides leverage e.g. where supplier defaults on contractual obligations or IPR’s
       assigned to a new supplier


 Supplier/distributor

   -   Demonstrates commitment to clients & stability of company
   -   Illustrates that the relationship is viewed as long term
   -   Confirms active support of best practice & proactive stance to risk management
   -   Provides competitive edge - particularly for niche suppliers
   -   Helps protect IPR
   -   Helps protects distributors’ business
Escrow – types of solutions

 Software Escrow

   -   Protects software application source code – including web site applications
   -   Available where a software application has been specifically written or
       amended (single licensee) and for standard ‘off-the-shelf’ applications where
       same software used by several licensees (multi licensee)
   -   NCC Group maintains template escrow agreements to cover different
       licensing arrangements e.g. to include outsourcers or distributors


 Software-as-a-Service Escrow

   -   Enables organisation to balance risk & protect its investment in SaaS
   -   Ensures required executable application, infrastructure architecture, subscriber
       data and source code material can be accessed & released
   -   Staged release process


 Information Escrow

   -   Protects product design, manufacturing processes, marketing material &
       industrial formulae
   -   Often as business critical as software applications
Verification Services – a simple explanation

 Verification of source code is a key element of mitigating risk for critical
 business applications

 NCC Group verification service provides confirmation that material held
 is correct and complete

 Verification ensures the material held includes the information &
 components required to re-create systems from raw source code

 NCC Group’s verification & escrow services are designed to
 complement each other – assisting companies dependent on crucial
 assets

 Customers include end-users & suppliers

  -   End users – in the event that they need to take over maintenance of source
      code it can be re-constructed
  -   Software suppliers – use to reassure customers of their best practice
      commitment
Verification Services – types of solutions

  Full Verification

   -   Provides assurance that the deposited source code under an Escrow
       agreement is correct & complete and can be rebuilt
   -   NCC Group observes complete application build at supplier’s site
   -   Build is fully documented & a report is produced describing every step

  Build Assured Verification

   -   Recommended where source code maintenance is to be undertaken by
       third party of behalf of end user in event of a release
   -   Provides benefits of Full Verifications with additional assurance that build
       completed at independent secure location (NCC Group test laboratory)


  User Assured Verification

   -   Recommended when source code maintenance is transferred to end user
   -   All benefits of Full Verification, with additional assurance of build repeated at
       end user
   -   Collect source code, build at supplier’s site - fully documenting build, then
       using the documentation build & install at end user’s site
Risk Assessment Guide & Escrow Policy Document

  NCC Group’s Risk Assessment Guide has been developed to assist in
  identifying the applications that are at most risk and in planning your escrow
  requirements for each application

  You can find out what level of protection you need based on how business
  critical your applications are

  We advise that an Escrow Risk Assessment should take place:

   -   At initial procurement of application
   -   After any major upgrade
   -   Every 12 months


  Following the Risk Assessment, our Escrow Policy Document will act as a
  useful tool for all business users, outlining how your escrow protection will be
  managed moving forward including responsibilities, contact details and key
  timelines

Ncc Group Escrow Overview 2010

  • 1.
    NCC Group Escrow ABrief Overview Jonny Hyde Escrow Account Manager Telephone: +44 (0) 161 209 5424 e-mail: jonny.hyde@nccgroup.com NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com
  • 2.
    Agenda About NCCGroup About NCC Group Escrow Escrow – a simple explanation Benefits of Escrow Escrow – types of solutions Verification Services – a simple explanation Verification Services – types of solutions Risk Assessment Guide & Escrow Policy Document
  • 3.
    About NCC Group The world’s leading independent IT Assurance provider: - Largest provider of escrow - Largest team of Ethical Security Testers - Multinational customer base with15,000 customers including 94 out of the FTSE 100 The Group has two complementary division - Group Escrow & Assurance Testing 10 offices in the UK, North America, the Netherlands, Switzerland & Germany Formed June 1999, a secure, stable, well respected plc listed on the London Stock Exchange with a group revenue of £46m (2008:2009) Independence from hardware & software providers ensures that unbiased & impartial advice is always offered
  • 4.
    About NCC GroupEscrow 30+ years experience of providing high quality escrow services Most comprehensive escrow services available protecting customers worldwide Strong relationships with over 5,000 software suppliers Over 2,000 multi-licensee agreements in place Over 200 escrow employees in 5 countries - Expert in house legal & technical team - Experienced, high quality, security cleared, in-house testing team with 15 engineers Highest levels of quality assurance - ISO 9001 accredited: formal quality assurance - ISO/IEC 27001accredited: information security standard
  • 5.
    Escrow – asimple explanation Most organisations are dependent on third party supplied software applications /business processes to run their day to day operations However, depending on third parties to always be around to support and maintain business critical software applications and services brings about a high element of risk Escrow is a simple and effective arrangement designed to minimise this risk and protect the interests of all parties involved The terms of the arrangement are defined in a straight forward legal agreement between supplier, licensee & escrow provider NCC Group as the escrow provider holds a copy of the assets on which an organisation depends but does not own NCC Group ensures source code & other business critical materials are protected & accessible ‘Trigger Events’ defined in the agreement where business critical material is released to licensee include; liquidation, ceasing to trade, failure to meet maintenance obligations & IPR assignment (if new owner provides no escrow protection)
  • 6.
    Benefits of Escrow Licensee - ‘Insurance policy’ against the unpredictable IT market - Allows continuing maintenance of critical applications in event of release of code - Provides protection during investment in IT development - Essential part of business continuity and disaster recovery planning - Provides leverage e.g. where supplier defaults on contractual obligations or IPR’s assigned to a new supplier Supplier/distributor - Demonstrates commitment to clients & stability of company - Illustrates that the relationship is viewed as long term - Confirms active support of best practice & proactive stance to risk management - Provides competitive edge - particularly for niche suppliers - Helps protect IPR - Helps protects distributors’ business
  • 7.
    Escrow – typesof solutions Software Escrow - Protects software application source code – including web site applications - Available where a software application has been specifically written or amended (single licensee) and for standard ‘off-the-shelf’ applications where same software used by several licensees (multi licensee) - NCC Group maintains template escrow agreements to cover different licensing arrangements e.g. to include outsourcers or distributors Software-as-a-Service Escrow - Enables organisation to balance risk & protect its investment in SaaS - Ensures required executable application, infrastructure architecture, subscriber data and source code material can be accessed & released - Staged release process Information Escrow - Protects product design, manufacturing processes, marketing material & industrial formulae - Often as business critical as software applications
  • 8.
    Verification Services –a simple explanation Verification of source code is a key element of mitigating risk for critical business applications NCC Group verification service provides confirmation that material held is correct and complete Verification ensures the material held includes the information & components required to re-create systems from raw source code NCC Group’s verification & escrow services are designed to complement each other – assisting companies dependent on crucial assets Customers include end-users & suppliers - End users – in the event that they need to take over maintenance of source code it can be re-constructed - Software suppliers – use to reassure customers of their best practice commitment
  • 9.
    Verification Services –types of solutions Full Verification - Provides assurance that the deposited source code under an Escrow agreement is correct & complete and can be rebuilt - NCC Group observes complete application build at supplier’s site - Build is fully documented & a report is produced describing every step Build Assured Verification - Recommended where source code maintenance is to be undertaken by third party of behalf of end user in event of a release - Provides benefits of Full Verifications with additional assurance that build completed at independent secure location (NCC Group test laboratory) User Assured Verification - Recommended when source code maintenance is transferred to end user - All benefits of Full Verification, with additional assurance of build repeated at end user - Collect source code, build at supplier’s site - fully documenting build, then using the documentation build & install at end user’s site
  • 10.
    Risk Assessment Guide& Escrow Policy Document NCC Group’s Risk Assessment Guide has been developed to assist in identifying the applications that are at most risk and in planning your escrow requirements for each application You can find out what level of protection you need based on how business critical your applications are We advise that an Escrow Risk Assessment should take place: - At initial procurement of application - After any major upgrade - Every 12 months Following the Risk Assessment, our Escrow Policy Document will act as a useful tool for all business users, outlining how your escrow protection will be managed moving forward including responsibilities, contact details and key timelines