WikiLeaks-like incidents prove cyber attacks and data breaches are endemic. In software development outsourcing, this may happen due to various reasons: NDA (non-disclosure agreement) violations, unauthorized data access, malware usage, or worse – the inclusion of malicious code (coding mistakes, poor coding practices, or (gasp!) mischievous intentions).
Data loss registered in the Netherlands illustrates the point well. As bbc.com stated in its post (dated January 18, 2017), over 20,000 people fell victim to a developer’s evil actions. He coded a backdoor into the applications developed for third-party enterprises and got access to user credentials. They were further used to make online payments and create gambling accounts.
This data breach story is not as resonant as that of Yahoo with 3 billion user accounts hacked, but it is another reason for you to pick technology development partners carefully and take IT security seriously.
The good news is the overall employee awareness of IT security is growing. The 2018 Clutch findings say more than 52% of companies have data security policies to avoid potential cyber threats. When in need of IT consulting and development, the company security compliance should be studied as thoroughly as its portfolio. Below, we have outlined some essential precautions you should take before inking a partnership contract.
Risk Assessment for the Sake of Better IT Security
This is a starting point. No matter the scope of software development you need to outsource, risk assessment is worth the effort and time. Here is why.
By conducting risk analysis, you get a handle on what data to keep safe and how to mitigate data breach risks. To do this right, we suggest sticking to this simple plan:
- Determine the data to be accessed by third-party technology developers
- Define where the data is stored and/or should be stored (internally, within third-party facilities, or both)
- Map out the ways for the data flows to be exchanged
The first point implies data classification from the business perspective and possible risks prediction if data breach occurs (reputational damage, business disruption, financial losses, loss of customers or investors, etc.). Another important thing to figure out is whether each sensitive data set is protected by law or not and ensure the country where your IT consulting provider resides has proper regulations in place.
Next, define where the sensitive data is located (structured repositories managed by IT providers, or unstructured repositories like cloud storages that cannot be handled by your technology partners), in your IT infrastructure or where it is meant to be. This helps you work out a data management plan for third-party staff and apply DLP (data loss prevention) tools when required.
The final step is to clearly describe all the channels and destination points for the data to go. If you grant access control to third-parties, make sure the data can be securely transmitted.
If software engineers can choose from third-party development or testing tools, they should go through a risk assessment procedure. The verification steps can be added to the OWASP top 10 (Open Web Application Security Project) and applied to the checks.
Similarly, you can make use of the CWE (Common Weakness Enumeration) standards to ensure the restrictions you impose on data flows make sense.
Performing Due Diligence to Prevent Data Leaks
Data leakage prevention starts small. Immediately after you complete data analysis and risk assessment, it is time to do the due diligence job. What is that about? It is a set of actions you take to verify the security capabilities of your technology development partner.
The due diligence scope largely depends on the amount of risks involved in the partnership. Although you trust your software provider, taking care of intellectual property and data safety is essential.
Here is what lawyers advise when conducting vendor due diligence for the first time:
- Check if the technology provider is a registered legal entity and get to know its corporate history.
- Make sure the development team has proper qualifications.
- Ask for references shared by the vendor’s existing clients.
- Review recent financial audit reports.
- Check your partner’s compliance with the regulations in your country, including data security policies, and learn how often compliance audits take place.
- Find out how unauthorized access is controlled, what way the vendor network connection is protected, and whether subcontractor services are used or not.
- Carry out an on-site investigation to understand how quality control is implemented, what the security policies state and how they are put into play.
- Find out what third-party providers can be involved into your project development.
- Examine the vendor insurance coverage and future business prospects.
- Eliminate hidden costs by clarifying rates, scope of work, etc.
- Set clear termination provisions: Specify for how long the vendor can keep any project-related data and its transmission methods.
When it comes to software development, security testing plays a huge role in eliminating future data leak risks. Therefore, all major security requirements must be discussed in advance and clearly described in the contract.
Assigning Risk in Contracts and Security Policies
At this stage, you sum up everything learned from the risk analysis and due diligence and document all major requirements, aligning them with your business and project goals.
This is what the SLA (Service Level Agreement) contains. In IT outsourcing, the SLA is often part of the main contract with a technology developer and outlines the contracted services to be delivered as well as highlights the expected outcomes and penalties for not meeting the obligations.
What is often omitted is SLA security metrics. They should be mentioned separately and cover the methods of security testing, appoint specialists to conduct security testing or security tools to be used, desired security score to be achieved (following scoring systems as CWE (Common Weakness Enumeration), or CVSS (Common Vulnerability Scoring System)), types of vulnerabilities to be tested (like the one described here, OWASP top 10), and assign clear responsibilities in the event of a data leak (the third-party actions, reports, data breach investigation, reimbursement, etc.).
Additionally, you may consider signing a cyber insurance policy. It usually covers all primary risks in case of a data breach and can involve the obligations of the third-parties, too. But, if you choose to partner with software development companies following the ISO/IEC 27001 information security standards, cyber insurance is an unnecessary measure.
Another document setting the rules for proper data circulation include the DPA (Data Processing Agreement). It establishes common guidelines for proper data exchange, storage and transmission. They can refer not only to your organization and technology partner, but also to all subcontractors or affiliates granted the permission to access personal data. This is when you need to verify the third-parties’ GDPR compliance additionally.
Final preparations entail prescribing simple, clear procedures for secure code development across all phases of the software development life cycle. It looks and sounds like a lot of work, but these efforts pay off in the end.
This summary section brings together the key highlights of the article for you to use as a checklist prior to hiring your technology provider.
- Carry out a comprehensive data risk assessment to identify vulnerabilities and assign security measures.
- Sort out the data shared with the third-party and define the data flows to be under the control of both your organization and the technology provider.
- Check the vendor’s security capabilities by performing due diligence.
- Document the requirements in service delivery contracts and address the scope of responsibilities taken by both parties.
- Reserve the right to perform regular security compliance audits to ensure the technology provider and its subcontractors stick to the safety policies.