Outsourcing and Security
It is worth listing your key requirements and concerns and then any controls you consider essential. The requirements will vary based on the type of application, who is using it, and where it is being used. The needs of a global system storing personal and medical details for patients in a regulated environment will be very different from an internal application used in one office to record monthly spend on lunches. You may decide you have few requirements; it is still worth recording the rationale and the decision in a document so you can refer back to it at a later stage.
Here are a few things that should be considered and then documented; any important items should be added to a contract and reviewed by your legal team. Above all, it helps not to make assumptions: being clear at the start of any new engagement prevents potential issues later in the project.
Some things to consider include:
- Does the application require the user to sign in?
- What is the password policy?
- Who can reset passwords?
- Who can add users?
- Where are passwords stored?
- Are passwords hashed and salted?
- Does it support single sign-on (SSO)?
- Who will test the product security?
- Will the system be penetration tested by an external specialist?
- Who will purchase and set up SSL certificates?
- Is there a document describing product security requirements?
- Who is responsible for specifying, testing, operating any firewalls, WAF, gateways?
- Does it have to meet any specific security standards?
- Does it have to meet any specific legal or regulatory standards, e.g. GDPR, HIPAA, SOX?
Consider any requirements regarding data on your various systems and in the product:
- Are there any regulatory or legal requirements, e.g. GDPR?
- What type of data is stored by your application?
- Where is the database physically located?
- Who can access it?
- Can they only view it, or also add and edit it?
- Are any changes recorded and audited?
- What types of environment are needed for the software to be developed?
- What type and volume of data will be loaded into development and test environments?
- Who will authorise developer access to specific environments?
- Will it be deployed as a single-tenant or multi-tenant solution?
Consider all the processes that will be used by the project and the product when it is in operation such as:
- Staff Recruitment
- Staff Training
- Supplier Contracts
- Software Deployment
- Software Maintenance
- Software Testing
- Issuing credentials to development staff
- Altering Firewall rules
- Does the company do work for a competitor?
- Who owns the source code that is developed?
- Is a copyright message added to every file clarifying ownership?
- Does the application show a copyright message somewhere?
- Is there a policy on use of 3rd party libraries?
- Is there a policy on using open source code?
- Is there a policy for destroying media (paper, disks) at the end of the project?
- Is there an information classification process?
- Does the contract explicitly detail who owns the rights to the code?
- Are there any rules on the use of 3rd party services or staff by the supplier?
- Is a protocol needed to securely transfer specific data between client and supplier?
- Do staff have any training in information security?
- Are there any pre-employment screening checks?
- Are staff issued with an access card?
- Can staff work remotely?
- Do staff have adequate levels of equipment?
- Is there an information security manager?
- Can staff work on multiple projects at the same time?
- Can the supplier use temporary or contract staff?
- Do staff work in an open plan office or secure room?
Does the supplier need a specific level of infrastructure to meet your expectations?
- Is the supplier certified to ISO 27001 for information security?
- Are there security guards at the front door?
- Are access control cards used?
- Is there no wifi, secured wifi, or open wifi?
- Do computers have anti-virus installed?
- Does the supplier have a disaster recovery plan?
- Does the supplier have controls in place to prevent ransomware attacks?
- Is equipment portable?
- Can staff take laptops home?
- Can staff use their own devices (BYOD policy)?
- Can guests visit the office?
- Can guests use the wifi?
- Can staff remotely access kit at the office?
- Do staff need to be provided with a virtual desktop by the client?
Tools are an essential part of software development and key to a project, so determine:
- Can the supplier use any tool or a specific set?
- Any restrictions on features or functions within a tool?
- Are online tools allowed?
- Do tools have to be locally installed?
- Who pays for and issues licences for tools?
- Who manages the tools?
- Who adds users to a tool?
- Who supports the tools, and during which time zone's working hours? This avoids issues between client and supplier when they are in different time zones.
- Do your tools have to connect or export to the supplier's tools?
- Does the supplier have to set up tools on a client-owned environment, e.g. a CI/CD pipeline?
- Can open source tools be used?
- Are supplier staff allowed to download and install tools on their computer?
Summary of Outsourcing and Security
Your project may have strict security needs or just minor items; either way, it is worth collecting these and their rationale before starting. Any key items that are essential should be incorporated in your contract and made clear to the supplier with support from your legal team.
Suppliers are used to operating with various security requirements, so have open and frank discussions early in the process to ensure everyone is clear on expectations.