change control 3rd party apps

Posted on 2014-10-10
Last Modified: 2014-10-28
How does (or perhaps should) change control work for applications your users use which aren't owned/hosted by yourselves? Say, for example, a key application which is a web-based app hosted on someone else's infrastructure. When they announce they are due to move to a new release and upgrade their system - how should that tie in with your internal change control systems? At the end of the day your end users could still be affected.

I know one element of change control is user acceptance testing - which again I find hard to see how and when you get the opportunity to do so when the system is external.
Question by:pma111
LVL 63

Accepted Solution

btan earned 250 total points
ID: 40374473
That is especially relevant when your organisation's e-Services and online digital assets are dependent on their functionality. E.g. the use of their service for searching, calling their exposed API, using their content mgmt web service, etc. It is less impactful if it is mainly a change of apps that are solely used by the general public (but not the case if it is heavily customised for your organisation, e.g. a special WhatsApp feature created and embedded in that special version...).

Looks like the prior notice needs to be concurred way up front in legal terms and be contractually binding for back-to-back support trial prior to release in production. The SLA and helpdesk must be able to handle specifically such FAQ in each change, including for emergency patches due to exposed security vulnerabilities in their apps or services (known to them, private to them initially). They need to notify the end user with rationale on severity and impact where applicable - best have it in black and white as an obligation. Of course this will also depend on the tier of level signed and procured in the agreement.

For example, Google Apps has such incorporation for material changes to inform user early - see the "Modifications"  and "Change of Control" @

In a related note for third party software usage, such prior use will already have you agreed to their "EULA" that accepted the proper use, and actually you may not have a say beforehand (e.g. use at own risk). Like the recent Heartbleed and Shellshock cases, we are all end users and left to the "fate" of the supplier who used such libraries or related platforms to give the consumer the remediation piece... esp. relevant to the open source community, where it is understood the public already has the right to use the program (e.g. under the GPL), and this right cannot be withdrawn.

It is tough to fully control except to establish back-to-back support and prior notification to cater for the changes required. Commercial binding will still be good to maintain, as leaving it open and free are assumptions that will (definitely) be binding and break in time of emergency or dispute. We want to avoid (or minimize) that. Here is another article for sharing - note we also need the supplier (whoever is giving the 3rd party services) to ensure integrity of the service (and not backdoored)
A good practice is to make sure that such components are declared well in advance before you sign an agreement to source software, specifically if there are inherited restrictions or obligations pushed on to you and your customers. Make sure that the sourced software doesn't come with an undetected Hydra-head embedded in the license. If there is Open Source with obligations to disclose code to end-users this will affect you or your customer, or your customer’s customer.

You will then be able to anticipate what distribution rights must be catered for in the contract, and to prepare for a change in the process if you cannot win these rights in the license.
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 250 total points
ID: 40375207
When they announce they are due to move to a new release and upgrade their system - how should that tie in with your internal change control systems? At the end of the day your end users could still be affected.

You pretty much have to start from scratch every time they do a change... and live with it. You may have to work around things, but you have absolutely no control except with your wallet. Perhaps you could negotiate getting beta acceptance for your testing prior to the changeover.
LVL 63

Expert Comment

ID: 40375217
I will also add, in the case of any changes, there is always the agreement whereby if there is direct contact with the provider or the main supplier whom you signed off with, they must still in no circumstances be in breach or not able to fulfill the service level of proper testing and releases - your own internal user testing is transparent to them and they would be more of answering to you, so you have to manage it. If the service needs to go to a proper test lab, they have to do so, as the contract is based on "cleared" product on signing and changes may indirectly be non-compliant.

Question has a verified solution.
