When outsourcing development or relying on external systems, businesses should take care to spell out the obligations and requirements of those companies and the details of their systems.
Contractual obligations need to be defined, specifically regarding the security requirements that organizations need to have implemented and maintained when working with external entities. Once defined, these requirements should be used to manage outsourced software development engagements, the use of external systems, and the use of external services.
If these obligations are not agreed to, there is neither a guarantee that appropriate security controls will be maintained by all appropriate parties, nor accountability if they are not.
Outsourcing Software Development
Providers of external systems should be required to comply with applicable security requirements by maintaining controls that are comparable to your organization’s security and privacy requirements. Providers of external system services should be required to identify the functions, ports, protocols, and other services that are required to be implemented by your organization for the effective use of their services.
Organization-level oversight, including user roles and responsibilities regarding external system services, should be defined and documented. Organization-defined processes, methods, and techniques should be used to monitor security and privacy control compliance by external service providers on an ongoing basis.
If software development is outsourced, here is a quick list of items that should be addressed contractually:
- Licensing arrangements, code ownership, and intellectual property rights.
- Certification of the quality and accuracy of the work completed, and product delivered.
- Escrow arrangements in the event of the failure of the third-party developer.
- Rights of access for auditing the quality and accuracy of the work completed.
- Requirements for the quality and security functionality of the code developed.
- Testing before installation to detect any potential malicious code or technical security vulnerabilities.
For more information about these pitfalls, and 99 more, my book will help: 100 Security Program Pitfalls and Prescriptions to Avoid Them (available on Amazon).
At ASCENT, we deliver the industry’s leading Software-as-a-Service (SaaS) platform for comprehensive security and compliance management. Enabling organizations of all sizes to automate and maintain a complete security and compliance program, ASCENT aligns processes with leading industry frameworks to increase efficiency, eliminate work duplication, ensure vendor compliance, and provide deep visibility into compliance risk. Based on 50 years of compliance experience, ASCENT lowers compliance costs and risk while protecting companies from security exposure.