Software programs are written using non-proprietary, open source code; proprietary (licensed) open source code; or proprietary, closed source code.
Non-proprietary, open source programs, sometimes referred to as free software, are written in publicly available code and can usually be used, copied, modified, etc., without restriction. Proprietary, open source programs are also written in publicly available code but are copyrighted and distributed through various licensing agreements. Management should carefully consider all licensing agreements to ensure their use, modification, or redistribution of the programs conforms to the agreements. For additional information, organizations that use, or are considering using, open source software should consult with their legal staff and review open source definitions, licensing standards, certification criteria, and related information distributed by various organizations (for example, the Open Source Initiative at www.opensource.org). (Note: Reference to this organization is for illustrative purposes only and is not an endorsement of the organization.)
Proprietary, closed source programs are normally copyrighted trade secrets of the company that wrote or owns the programs. Most vendors do not release closed source code to the organizations that buy or lease the products in order to protect the integrity and copyrights of the software. An alternative to receiving the source information is to install programs in object code and establish a source code escrow agreement. In such an agreement, organizations can only access the source code under specific conditions, such as discontinued product support or financial insolvency of the vendor.
Typically, an independent third party retains the documentation in escrow; however, it is each organization's responsibility to periodically (at least annually) ensure the third party holds a current version of the source information. Often, escrow agents provide services for reviewing and confirming source code version numbers and dates. Some agents also perform automated code reviews to ensure the integrity of the escrowed code. Management should consider the practical and legal implications of establishing escrow arrangements with foreign-based entities when determining the feasibility of foreign-based relationships.
In addition to ensuring access to current documentation, organizations should consider protecting their escrow rights by contractually requiring software vendors to inform the organization if the software vendor pledges the software as loan collateral.
Provisions management should consider incorporating into escrow agreements include:
- Definitions of minimum programming and system documentation;
  At minimum, the software documentation held by the escrow agent should include system narratives, system flow charts, program source listings, program narratives, file and record layouts, descriptions of individual fields within the records, and calculation routines. Portions of this documentation may be included with the user guides that are provided to the financial institution. These documents should also cover transaction codes and descriptions of input forms and output reports.
- Definitions of software maintenance procedures;
- Conditions that must be present before an organization can access the source information;
- Assurances that the escrow agent will hold current, up-to-date versions of the source programs and documentation (escrowed information must be updated whenever program changes are made);
- Arrangements for auditing/testing the escrowed code;
- Descriptions of the source information media (for example, magnetic tape, disc, or hard copy) and assurances that the media is operable and compatible with an organization's existing technology systems;
- Assurances that source programs will generate executable code.