ISO 27001:2022 A 8.30 Outsourced development

Outsourcing and offshoring are common in software development and testing, but they pose two information security risks. First, the sourcing partners obtain sensitive data they should not have. Second, their software development and testing processes might not address information security needs properly. The control therefore requires the supervision of outsourced development and testing: the work can be outsourced, but the responsibility stays with the organization.

In general, ISO 27001 requires suppliers to be managed with regard to information security, and any supplier management process can enforce this. The controls are not specific to software development and testing, though the checks might differ slightly. The control requires organisations to supervise and monitor all outsourcing activities and to ensure that the outsourced development process satisfies information security requirements. Where system and software development is outsourced, either wholly or partly, to external parties, the security requirements must be specified in a contract or attached agreement. This is where correct non-disclosure and confidentiality provisions are important. It is also important to supervise and monitor development to gain assurance that organizational standards and requirements for security within systems are achieved.

Depending on how embedded outsource partners are within the organization, especially if their staff are located on organizational premises, it is important to include their staff in security awareness training, awareness programmes and communications. It is critical to ensure that the internal security practices of the outsource partner (e.g. staff vetting) at least meet the assurance requirements relevant to the risk levels of the developments they will be working on.

The auditor will be looking to see that, where outsourcing is used, there is evidence of due diligence before, during and after the engagement of the outsource partner, and that this due diligence includes consideration of information security provisions.

Control

The organization should direct, monitor and review the activities related to outsourced system development.

Purpose

To ensure information security measures required by the organization are implemented in outsourced system development.

ISO 27002 Implementation Guidance

Where system development is outsourced, the organization should communicate and agree requirements and expectations, and continually monitor and review whether the delivery of outsourced work meets these expectations. The following points should be considered across the organization’s entire external supply chain:
a) licensing agreements, code ownership and intellectual property rights related to the outsourced content;
b) contractual requirements for secure design, coding and testing practices;
c) provision of the threat model to be considered by external developers;
d) acceptance testing for the quality and accuracy of the deliverables;
e) provision of evidence that minimum acceptable levels of security and privacy capabilities are established (e.g. assurance reports);
f) provision of evidence that sufficient testing has been applied to guard against the presence of malicious content (both intentional and unintentional) upon delivery;
g) provision of evidence that sufficient testing has been applied to guard against the presence of known vulnerabilities;
h) escrow agreements for the software source code (e.g. if the supplier goes out of business);
i) contractual right to audit development processes and controls;
j) security requirements for the development environment;
k) taking into consideration applicable legislation (e.g. on protection of personal data).

The organisation should continuously monitor and verify that the delivery of outsourced development work satisfies the information security requirements imposed on the external service provider. In practice this means:

  1. Entering into agreements, including licensing agreements, that address ownership of code and intellectual property rights.
  2. Imposing appropriate contractual requirements for secure design and coding.
  3. Establishing a threat model to be adopted by third-party developers.
  4. Carrying out an acceptance testing procedure to ensure the quality and accuracy of delivered work.
  5. Obtaining evidence that the minimum required privacy and security capabilities are achieved, for example via assurance reports.
  6. Keeping evidence of how sufficient testing has been performed to protect the delivered IT system or software against malicious content.
  7. Keeping evidence of how sufficient testing has been applied to protect against identified vulnerabilities.
  8. Putting in place escrow agreements that cover the software source code, for example addressing what will happen if the external supplier goes out of business.
  9. Ensuring the agreement with the supplier includes the organisation's right to audit development processes and controls.
  10. Establishing and implementing security requirements for the development environment.
  11. Considering applicable laws, statutes and regulations.

When outsourcing, the organization should conduct suitable due diligence in selecting an appropriate service provider and in monitoring its ongoing performance. It is important that entities exercise due care, skill and diligence in the selection of service providers. The organization should be satisfied that the service provider has the ability and capacity to undertake the outsourced task effectively at all times. The organization should also establish appropriate processes and procedures for monitoring the performance of the service provider on an ongoing basis, to ensure that it retains the ability and capacity to continue providing the outsourced task. In determining the appropriate level of monitoring, the organization should consider the criticality of the outsourced task to the ongoing business and to its regulatory obligations.

The organization should enter into a legally binding written contract with each service provider, the nature and detail of which should be appropriate to the criticality of the outsourced task to the business. A legally binding written contract between the organization and a service provider is the critical element underpinning the relationship between them. Contractual provisions can reduce the risks of non-performance or aid the resolution of disagreements about the scope, nature and quality of the service to be provided. A written contract will also assist the monitoring of the outsourced tasks by the organization and/or by regulators. The level of detail of the written contract should reflect the level of monitoring, assessment, inspection and auditing required, as well as the risks, size and complexity of the outsourced services involved.

Where different regulatory requirements may apply to the organization and the service provider because of the cross-border nature of the service, the service provider should recognize and accommodate the requirements of each jurisdiction in which it operates, as appropriate, and ensure it acts in a manner consistent with the organization's regulatory obligations. The organization should include written provisions relating to the termination of outsourced tasks in its contract with service providers and ensure that it maintains appropriate exit strategies.

Steps to take when outsourcing development

Do your due diligence
It is important to conduct due diligence on a vendor before entering into an agreement with them. The scope of such due diligence should include the vendor's reputation and any past breaches. You should also investigate the vendor's internal risk measures, their ability to safeguard your IP, and what their response would be to a data breach within their organization. If you are hiring a vendor overseas, you should also consider how your IP will be protected by the laws of that country and the legal remedies available to you for a breach of your IP rights.

Sign Non-Disclosure Agreement (NDA)
Before hiring a vendor, or after hiring a vendor but before sharing any confidential information, you should enter into a non-disclosure agreement (NDA) with the vendor. As the name implies, NDAs place an obligation on a party or parties not to disclose certain information, including software development or technical data, to third parties. The NDA should be wide enough to cover the scope of the vendor's services, but also precise enough to define what counts as confidential information and what amounts to a breach. The NDA should also bind the vendor's employees or subcontractors who will be working on the task. The non-disclosure obligations in NDAs typically outlive your business relationship with the vendor; this may be in perpetuity, if possible, or for a number of years after the completion of the project. Therefore, at the end of your project, you should reiterate the vendor's obligation not to disclose confidential information.

Use the legal framework applicable
The legal framework and the measures available to protect an organization's rights differ from country to country. For example, European Union countries are required to comply with EU regulations, while companies in the U.S. are required to comply with the Constitution and the regulations issued by U.S. authorities. It is important to pay attention to the legal framework of the country within which the vendor operates and to know how your rights will be treated. Will your intellectual property rights be recognised by the laws of that country? Will you be able to enforce your rights in the event of a breach within that country? It is advisable to seek legal counsel before executing an outsourcing agreement.

Draft a comprehensive Master Service Agreement
A Master Service Agreement is an agreement that documents the terms of future contracts between the parties. Also known as a Framework Agreement, it states the terms of service delivery, work standards, payment terms, rights and liabilities, confidentiality, ownership of intellectual property rights to the final product, and data protection mechanisms. It is important to pay attention to ownership of the IP rights to the work product: vendors usually prefer to retain ownership so they can reuse the deliverables in future projects. The contract should clearly state the creators, authors and owners of the work product. It should identify your firm as the owner of the work product and preserve your right to use, assign and modify it. The Master Service Agreement should also include dispute resolution mechanisms in case a party breaches the agreement. You should anticipate how you would enforce your intellectual property rights under the agreement and identify the intellectual property offices you may contact where there is a violation of your IP rights. Preferably, you should state your own jurisdiction as the governing law and venue for dispute resolution under the agreement, to ensure that disputes arising from it are resolved within your jurisdiction.

Inquire about the processes of a potential partner
Verify that you are working with a firm that follows correct procedures. Correct practices are ultimately what will safeguard your work, rights and information. The questions below provide a good starting point.

  • What contracts do they have in place with their workers and consultants?
  • Is any of their work subcontracted? If so, how do they safeguard their intellectual property?
  • Are they utilizing appropriate project management tools?
  • Where do they keep their servers and source code? Is there a backup support mechanism in place if something occurs at a local office?
  • How does their team interact and exchange documents?
  • How do they ensure that data and documents are removed from the possession of departing or dismissed employees?
  • Do they allow employees to use personal tools and email, or do they require employees to use only company-authorized resources?
  • What is their laptop and internet access security policy?
  • Do they have procedures in place for remote employees?

Limit server and data access
Limiting server and data access is another means of protecting your intellectual property when outsourcing to third parties. You should ensure that data is stored on your servers; at no point should your data reside anywhere other than on your cloud. Allow vendors to work remotely via your cloud services, where you can closely monitor everything they do and have documented evidence in the event of a security or data breach. Access to your servers, APIs and data should be limited to only what is necessary to complete the outsourced task. If the task requires access to all or a core part of your intellectual property, consider executing some of the task in-house or asking the in-house team to integrate the developer's work product into the software.

Transition protocols should also be discussed before the project commences. There have been cases of vendors refusing to transfer source code to their clients when disputes arise or when the vendor moves on to another firm. To forestall such occurrences, all applications should be built on your firm's servers right from the start of the project, and the source code should be stored within your firm's own account.

Key questions to ask outsourcing vendor

  • How do you protect the confidentiality of information?
    Before you get down to discussing your ideas, a trustworthy contractor will offer to sign a Confidentiality Agreement (or Non-Disclosure Agreement). Take note of the agreement's duration, the precise categories of information that are covered by and excluded from it, and whether the parties subject to the agreement are properly stated and represented.
  • How will my data be protected?
    Determine whether the software developer has the means and capacity to safeguard your intellectual property from unauthorized use, loss or theft. At the very least, they should guarantee secure connections, two-factor authentication, a robust password policy and password update policy, a well-configured VPN tunnel, firewalls and disk encryption. Do they also secure home routers for remote work? What antivirus do they use, and how frequently do they check for system updates?
  • How will you ensure effective IP rights transfer?
    Enquire about how the software development firm treats your collaboration and the ownership of the resulting software product. This will help you avoid being forced to deal with a company that wants to create its own products at your expense.
