Vendor Support | Security+ Study Guide

Software vendors and hardware vendors are necessary elements in the process of building systems and applications. The costs associated with buying preconfigured software, hardware, and services are usually less than building them yourself. Unfortunately, this makes you dependent on a vendor's ability to stay in business.

The following sections discuss service level agreements and code escrow. These agreements help you protect yourself in the event that a software vendor goes out of business or you have a dispute with a maintenance provider in your systems.

Service Level Agreements

A service level agreement (SLA) is an agreement between you or your company and a service provider, typically a technical support provider. It stipulates the performance that you can expect or demand from your vendor. SLAs outline the expectations that have been contracted by a vendor. SLAs are also called maintenance contracts, when referring to hardware or software.

If a vendor promises to provide you with a response time of four hours, this means that they will have someone involved and dedicated to resolving any difficulties you encounter. This could mean a service technician in the field or a remote diagnostic process occurring on your system. In either case, the customer will have specific remedies that it can demand from the vendor if the terms of an SLA are not met.

Most computer manufacturers offer a variety of SLA levels. Some can guarantee support in hours, others may require days. Different levels of coverage and different response times usually have different costs associated with them. A 4-hour service agreement will typically cost a great deal more than a 24-hour or a 48-hour agreement. An SLA should also stipulate how long the repair will take once the support process has been activated. Having a service technician onsite in four-hours will not do much good if it takes two weeks to get a defective part.

Periodically review your SLAs to verify that the performance criteria match your performance needs. This can help prevent frustration and unanticipated disruptions from crippling your organization. SLAs are also usually part of network availability and other agreements. Make sure that you understand the scope and terms of your SLAs. Two of the key measures in SLAs are MTBF and MTTR:

Mean Time Between Failure The Mean Time Between Failure (MTBF) is the measure of the anticipated incidence of failure of a system or component. This measurement determines the anticipated lifetime of a component. If the MTBF of a cooling system is one year, you can anticipate the system to last for a one-year period. This means you should be prepared to replace or rebuild this system once a year. If the system lasts longer than the MBTF, your organization has received a bonus. MTBF is helpful in evaluating the reliability and life expectancy of a system.

Mean Time To Repair The Mean Time To Repair (MTTR) is the measurement of how long it takes to repair a system or component once a failure occurs. In the case of a computer system, if the MTTR is 24 hours, this tells you that it will typically take 24 hours to repair it when it breaks.

Note

Be careful when evaluating MTTR, as the MTTR does not typically include the time it takes to acquire the component and have it shipped to your location.

Most SLAs will stipulate the definitions of these terms and how they apply to the SLA. Make sure you understand how these terms are used and what they mean to the vendor.

Real World Scenario: Should I Buy the Computer Store's SLA for My New Laptop?

You just purchased that new laptop that you have been eyeing at the computer store. The store you bought it from is a large national computer and software retailer. When you went to purchase the laptop, they worked very hard to sell you an extended warranty agreement for your laptop. Was this a good deal?

You want to evaluate the SLA offered by the computer store and compare it to the manufacturer's warranty and service options. Many retail computer stores do not the have the capability to repair laptops in house, and they send most of them to the manufacturer for all but the simplest service. On the other hand, most laptop manufacturers offer a variety of service options including 24-hour delivery of replacement systems. You want to verify the length of time that it will take to have the store repair your laptop before you purchase an SLA. In some situations, a store's repair program is more expensive and slower than a manufacturer's repair program.

Code Escrow

Code escrow refers to the storage and conditions of release of source code provided by a vendor. For example, a code escrow agreement would stipulate how source code would be made available to customers in the event of bankruptcy.

If you contract with a software developer to perform a customized programming effort, your contract may not give you the rights to access and view the source code this vendor created. If you want changes to occur in the functioning of the programs, you would be required to contract with the developer or integrator that installed it to perform those changes. This practice is very common in applications software projects, such as setting up accounting systems.

If the vendor ceases operations, you would not be able to obtain the source code to make further changes unless your agreement stipulates a code escrow clause. Unfortunately, this would effectively make your investment a dead-end street.

Make sure that your agreements provide you the source code for the projects that you have had done, or they provide you with a code escrow clause to acquire the software if the company goes out of business.