The economy and administration depend largely on the unrestricted availability of information technology systems. For this reason, the confidentiality, availability, and integrity of data and IT systems are crucial for all companies and institutions.
Under clause M 6.137, the Federal Office for Information Security has included escrow in its catalogue of measures for emergency planning.
"Trusted Storage (CA) In cases involving business-critical applications, it SHOULD be checked whether the applications require protection against outages that could affect each application's manufacturer. Here, those responsible SHOULD consider fiduciary storage at an escrow agency for any materials not included with a given application (such as documented code, design plans, keys, or passwords). In such cases, the obligations of the escrow agency regarding storage and handover (when can the stored goods be handed out, and to whom?) SHOULD be specified by contract."
Test questions for the measures:
- Has an escrow agreement been tested for minimizing safety risks?
- Does the escrow contract specify conditions concerning deposit, updating, and release, as well as rights and obligations for all contracting parties?
- Is the escrow contract consistent with the respective license agreement?
- Is the escrow agency sufficiently qualified?
- Will the usability of the material be checked in the course of the fiduciary deposit, in case a future disclosure becomes necessary?