Out-Law News
18 Apr 2013, 11:30 am
In its survey of more than 180 IT security managers, online security firm AlgoSec reported that 77% of respondents had said that "out-of-process changes" resulted in system outages, a data breach, an audit failure, or "more than one of these serious problems". Poor change management processes and error-prone processes were among the main challenges (8-page / 432KB PDF) cited by the respondents to "managing network security devices".
Businesses that outsource service provision to suppliers usually set out processes for enabling changes to the way services are delivered within the contractual arrangements between the parties. These processes may involve a requirement for contracting parties to approve and/or trial the use of suppliers' new systems or solutions before they are put into use.
IT and contracts law specialist Mhairi Mival of Pinsent Masons, the law firm behind Out-Law.com, said that outsourcing contracts must strike a balance: suppliers should be able to make speedy changes to services that benefit contracting parties, such as in "emergencies", while the contracts must still be capable of holding suppliers to account when problems arise from changes deployed outside of the agreed protocols.
"Normally change control processes in outsourcing contracts require suppliers to put forward proposed changes they wish to make to their way of delivering services to the customer for approval, but with emergency arrangements also allowed for to enable suppliers to make changes when necessary, such as to patch a major security problem with systems or software," Mival said.
"If customers wish to have oversight of all supplier changes, even in emergencies, then they should be willing to bear responsibility for problems that arise as the result of the delay this will cause to the adoption of new solutions by suppliers," she said. "However, generally, if customers do not sign off on supplier changes the contracts should stipulate that those suppliers can still be liable for problems, or additional costs to customers, that arise from those out-of-process changes."
"Often the contracts will set minimum service levels suppliers will have to adhere to in delivering the services, as well as provisions on functionality and systems interoperability. If an out-of-process change results in a failure by the supplier to achieve the minimum levels of service, functionality or interoperability with the customer's systems then the customer should be entitled to recover any costs they incur from problems stemming from the out-of-process change. The costs could include having to retrain staff on using new systems, having to integrate internal systems with new systems suppliers are operating, or simply the lost business time caused by systems outages," the expert said.
Mival said, though, that there was a particular need for businesses to review their contracts with suppliers where those suppliers are given scope to make changes to services without the customer's consent, other than in emergency situations. An example of this may be where suppliers offer "shared platform solutions" to more than one customer, she said.
"The best arrangement for buyers is generally to limit entirely the ability of suppliers to make any material changes to their technology, other than in emergencies, unless in accordance with the change control processes set out in the contract, but that may not always be practical," Mival said. "You will sometimes see in contracts a right that allows suppliers to modify software and services. That may be acceptable to buyers if the right does not extend to allowing for material changes to be made that affect functionality, performance or systems integration, for example."
"Those contracts should include protections in this regard, to ensure buyers can reclaim costs they incur that owe to issues stemming from the out-of-process changes implemented by suppliers," she said.
"There is an issue where it is not clear what changes suppliers are making without the contracting parties' consent. Even changes that appear seemingly innocuous, and do not impact on functionality, can have a serious impact on business operations. Buyers should not want to unnecessarily restrict suppliers from making changes to their services that could benefit them, but equally it is important that they are kept aware of the changes suppliers make," the expert said.
"This notification requirement should be stipulated under contract to enable contracting parties to test the new solutions and check that the change does not negatively impact them or force them to incur additional costs," Mival added.