Vendors Performing Your System Installs?

A caution when relying on vendors to deliver projects with software installs.

Many projects require the expertise of vendors to install, configure and productionize their software and systems, however as the client and end-consumer you need to be aware of what exactly is making its way into your environments.

All too often following discovery we'll find unaccounted for vendor software, which typically after an onerous investigation is found to be remnants from the vendor-led project, anything from desktop clients to entire VM's, each of which can have dire compliance implications and cost.

But "hold-on - we didn't install it - the vendor did" is the common response, however a quick pointer to the relevant contracts will soon expose that this does not offer any defense - the customer is always responsible for compliance, even if it is the very vendors software in question.

At a more concerning level is when a vendor installs another vendors software - while this is not uncommon with the extent of partnerships and interoperability in the modern industry, it still needs to be clearly and formally covered, ideally contractually or by reference to the vendors right to distribute and use any IP they don't own. These artefacts need to be registered and retained in the event of an audit that questions your usage rights - in the worst case scenario  if the vendor has breached another parties IP rights you too could end up subject to an infringement claim, and that's no place you want to be.

So, while the vendor might be responsible for the project, you'll still be accountable for the end product.

That means ensuring your project team stays across all vendor activities - enforce your BAU practices and protocols for distributing and installing software - in all environments - for traceability and tracking purposes. The project shutdown then needs to include a close-out phase where what's been installed (anywhere) is reconciled to what you've acquired, and also what you're actually entitled to use (aka Read The Contract). Where there are gaps you'll need to either recalibrate, purchase, decommission, or have the vendor explain and resolve - all before the project can be declared finished and complete.

And never rely on the vendor's personal emails or assurances that 'all is well' - none of that will hold-up under audit (even if they are still there). When it comes to IP all bases need to be formally covered, and if that's proving to be a problem, well you might want to be even more wary.