Best Practices in Software Development Outsourcing and Information Security
Check out these best practices for outsourcing and information security.
Business objectives drive globalization and IT outsourcing, transforming operational models and organizational structures. However, with the growing number of data security breaches reported by Internet giants like Facebook, information security has become a major concern for business owners and top managers seeking to establish distributed teams or reap the benefits of offshoring.
To enable efficient and reliable collaboration among businesses and outsourcing vendors, the Computools team has identified the primary information security concerns for both parties and defined the best practices and contractual provisions.
Outsourcing Risk Assessment for Business Owners
According to Gibson Dunn, the number of annual cybersecurity incidents worldwide has increased from 3.4 to 42.8 million in the span of six years (2009 to 2014). The government and military are not the only industries that suffer security issues and cyber attacks. Financial, healthcare, education, and other sectors all suffer significant losses due to personal information leakage. While human error and system glitches are a threat, outsiders are the most common cause of information security breaches.
Ponemon Institute’s report on the cost of data breaches shows that the average cost per stolen record decreased from $158 in 2016 to $141 in 2017, and the average total cost of a data breach for the businesses participating in the study went down from $4.00 million to $3.62 million. The global average number of stolen records increased by 1.8 percent to 24,089 records per company, though the size of breaches ranged from 2,000 to 100,000 records. The United States, India, and the Middle East have suffered the largest information security breaches, and US businesses pay the highest price for losing customers’ data.
This breach cost includes both direct and indirect costs. The former consist of breach detection, notification, and mitigation expenses, whereas the latter involve increased customer turnover, growing customer acquisition costs, and reputational losses.
Client Security Concerns
In their study of information security concerns in IT outsourcing, G. Dhillon et al. identified three primary concerns for business owners and top managers:
Application of appropriate security controls by the outsourcing vendor. Cross-border cooperation is complicated by legislative differences. US- and EU-based businesses lack trust in a vendor’s ability to apply security controls and ensure adherence to strict regulations. Contractual violations further damage the trust between businesses and outsourcing vendors.
Compliance with security standards and policies. To ensure information security, businesses can’t afford to waste time and resources analyzing the vendor’s framework and policies. Companies require outsourcing partners to comply with their standards or offer better alternatives. Proper documentation of client-approved security protocols can establish the necessary understanding and trust.
Abuse-free handling of proprietary information. A loss of proprietary information by the outsourcing vendor may cause a loss of business capability, especially in heavily regulated industries like healthcare or finance. Clients are reluctant to entrust their proprietary information to vendors, as security breaches may have a significant financial and reputational impact.
Vendor Security Concerns
Congruence of the information security concerns between the businesses and IT outsourcing vendors is crucial to transparent communication, efficient development, and bilateral trust. However, according to research, vendors’ primary security concerns differ from those of their clients. Among the critical factors affecting information security, IT companies emphasize:
In-house information security experience and competence. Vendors consider software engineers’ information security expertise a crucial factor and a competitive advantage. However, most vendors fail to understand that clients regard competence as a basic requirement and expect high-quality service as a matter of course. This incongruence leads to dissatisfaction, misunderstanding, and loss of trust between the client and the vendor.
Clear and comprehensive outsourcing approach. A piecemeal outsourcing approach and indecisiveness are the primary causes of tension for software outsourcing companies. They expect the clients to have a predictable set of security requirements, while business owners lack comprehensiveness in their outsourcing efforts, causing tension and affecting development speed and quality.
Protection of tacit knowledge from dissipation. Outsourcing companies are willing to adopt the client’s business processes and security protocols, but not at the cost of in-house knowledge dissipation. Business owners expect vendors to possess a sustainable knowledge management structure that ensures data confidentiality. Promoting the sharing of resources and competencies among the client’s and vendor’s specialists allows both partners to benefit from the cooperation.
Best Practices to Ensure Business Data Security
With a clear understanding of the incongruence between the business owner’s and the vendor’s security concerns and expectations comes the need to ensure the contractual safety of the client’s confidential data. Experts recommend that the following provisions be included in every outsourcing contract to establish security expectations and uphold data integrity.
Regulations Awareness and Compliance
A lack of regulations awareness by the business owner and the software outsourcing company can result in compliance risks. Businesses are accountable for not complying with national or industry regulations, resulting in fines and reputational and financial losses. To prevent compliance risks, Computools experts recommend supplying outsourcing contracts with comprehensive legal information, including:
the company’s countries of origin and operations;
the list of national regulations the project must comply with;
the industry-specific regulations the project must comply with.
For instance, companies operating in the US should be ready to provide access to corporate databases to American authorities under the PATRIOT Act, regardless of their country of origin. Financial institutions are required to supply the Financial Industry Regulatory Authority with an electronic “Suspicious Activity Report”.
ISO/IEC 27000 Requirement Fulfilment
An information security management system (ISMS) is a comprehensive approach to protecting sensitive information within the company and when working with an outsourcing vendor. The ISO/IEC 27000 family of standards includes requirements on personnel, processes, and IT systems necessary for information security risk management. Their fulfillment by the outsourcing vendor is a critical contractual provision.
The ISO 27000 family includes over a dozen standards. ISO/IEC 27000 has been recently updated (February 2018) to include the terms and definitions, as well as an overview of the ISMS. ISO/IEC 27001 specifies the requirements for developing, implementing, sustaining and improving an ISMS and is applicable to small to large businesses regardless of their type and industry.
Security Metrics Establishment
Information security metrics can prevent outsourcing relationship failure if established and agreed upon at the onset of the project. Internal vendor metrics include:
Organizational parameters that assess security management procedures;
Operational metrics that evaluate operational security;
Technical characteristics that identify the quality of hardware and software.
Password length, password update interval, and compliance with standards are typical examples of such security metrics. However, their monitoring and enforcement by the outsourcing company are often open to question, as the client has no access to the vendor’s internal logs, which can be altered to suit the vendor’s needs.
To ensure information security, Computools experts recommend establishing external metrics that reflect how the client’s business is affected by the security breaches. Outcome-driven metrics are preferable to process-centric ones. Efficient external metrics may include:
The number of undesirable events within a set period (absolute value or percentage);
The amount of time between the undesirable event’s occurrence and its detection;
The permissible interval between the undesirable event’s detection and its neutralization.
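As an added example (not code from the article or from Computools), the three external metrics above computed in Python over a constructed incident register; the reporting period, the 24-hour neutralization limit, and the report time are assumed contractual values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class SecurityEvent:
    """One undesirable event as it would appear in the vendor's incident register."""
    event_id: str
    occurred: datetime
    detected: datetime
    neutralized: Optional[datetime]  # None while the event is still open

# Constructed sample register (not real data); the dates are arbitrary.
EVENTS = [
    SecurityEvent("INC-1", datetime(2024, 1, 3, 9), datetime(2024, 1, 3, 11), datetime(2024, 1, 3, 20)),
    SecurityEvent("INC-2", datetime(2024, 1, 10, 2), datetime(2024, 1, 12, 2), datetime(2024, 1, 13, 8)),
    SecurityEvent("INC-3", datetime(2024, 1, 20, 15), datetime(2024, 1, 20, 15, 30), None),
    SecurityEvent("INC-4", datetime(2024, 2, 5, 8), datetime(2024, 2, 5, 9), datetime(2024, 2, 5, 12)),
]
# Assumed contractual values: the reporting period, the permissible
# detection-to-neutralization interval, and the time the report is produced.
PERIOD_START, PERIOD_END = datetime(2024, 1, 1), datetime(2024, 2, 1)
MAX_DETECT_TO_NEUTRALIZE = timedelta(hours=24)
REPORT_TIME = datetime(2024, 1, 22)

def events_in_period(events: List[SecurityEvent], start: datetime, end: datetime):
    """Metric 1: undesirable events that occurred within [start, end)."""
    return [e for e in events if start <= e.occurred < end]

def mean_time_to_detect(events: List[SecurityEvent]) -> timedelta:
    """Metric 2: average interval between occurrence and detection."""
    if not events:
        return timedelta(0)
    return sum((e.detected - e.occurred for e in events), timedelta(0)) / len(events)

def sla_breaches(events: List[SecurityEvent], limit: timedelta, now: datetime) -> List[str]:
    """Metric 3: events whose detection-to-neutralization time exceeds the limit; open events are measured up to 'now'."""
    return [e.event_id for e in events if ((e.neutralized or now) - e.detected) > limit]

def report(events, start, end, limit, now) -> dict:
    """Outcome-driven summary a client can check without seeing the vendor's raw logs."""
    scoped = events_in_period(events, start, end)
    breaches = sla_breaches(scoped, limit, now)
    within = 100.0 if not scoped else round(100 * (len(scoped) - len(breaches)) / len(scoped), 1)
    return {"events": len(scoped), "mean_time_to_detect": mean_time_to_detect(scoped),
            "sla_breaches": breaches, "within_sla_pct": within}

def example_report() -> dict:
    return report(EVENTS, PERIOD_START, PERIOD_END, MAX_DETECT_TO_NEUTRALIZE, REPORT_TIME)
```

The still-open INC-3 is counted against the limit as of the report time, so a lingering incident cannot hide behind a missing closure timestamp.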
The list of flaws the client deems unacceptable should also be attached to the outsourcing contract. It can be based on the OWASP Top 10 most critical web application security risks and should be addressed during every security check.
Vendor and Client Security Audit
Preliminary information security audit for the client and the outsourcing vendor enables the identification of critical weaknesses and potential problems. Secure outsourcing is established through a combination of strategic context and organizational capability. The former implies regulation compliance and security policy alignment, while the latter combines knowledge management, operational audit, and organizational competence. These factors along with the pre-established metrics comprise the audit parameters to be evaluated regularly in the course of the project’s development.
Data Protection and Leaks Prevention Methods
A non-disclosure agreement (NDA) is designed to protect the client’s business idea, source code, trade secrets, and the transfer of rights. The NDA includes information on the protected data, the agreement duration, the governing law, and breach-of-contract consequences. The type of agreement violation and the amount of damage inflicted upon the client define the penalty. Contract termination, fines, and jail time are the common short-term penalties, while reputational damage and the loss of future client prospects are the unavoidable long-term consequences most outsourcing vendors try to avoid.
In addition to an NDA, a non-compete agreement (NCA) provides the means to prevent the vendor from working with the client’s competitors or developing similar products. However, the effectiveness of a non-compete clause depends on the jurisdiction and can be negated by local regulations.
Data Watermarking and Fingerprinting
To promote careful management of sensitive data by outsourcing vendors, clients resort to digital watermarking and fingerprinting. Applied to relational databases containing customer data, these techniques do not prevent data leakage but help establish the source of a leak and address it. Recent developments allow for quick permutation-based or insertion-based fingerprinting and watermarking of databases without introducing errors or corrupting the data. Combined with active breach prevention methods, these passive techniques increase outsourcing security.
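An added illustration (not code from the article or from Computools) of insertion-based fingerprinting in Python: each vendor’s copy of a customer table receives a few HMAC-derived synthetic records at secret-derived positions, so a leaked copy can be traced back to its recipient while the real rows stay untouched. The customer rows and OWNER_SECRET are constructed placeholders.

```python
import hashlib
import hmac
import random
from typing import Dict, List

Row = Dict[str, str]

# Constructed customer table (placeholder data); real rows are never modified.
CUSTOMERS: List[Row] = [
    {"id": "1001", "name": "Ada Example", "email": "ada@example.com"},
    {"id": "1002", "name": "Ben Example", "email": "ben@example.com"},
    {"id": "1003", "name": "Cy Example", "email": "cy@example.com"},
    {"id": "1004", "name": "Di Example", "email": "di@example.com"},
]
# Secret held by the data owner only (placeholder value); vendors never see it.
OWNER_SECRET = b"owner-held-secret-placeholder"
CANARIES_PER_COPY = 3

def _tag(label: str) -> bytes:
    return hmac.new(OWNER_SECRET, label.encode(), hashlib.sha256).digest()

def canary_rows(vendor_id: str, count: int = CANARIES_PER_COPY) -> List[Row]:
    """Vendor-specific synthetic records, reproducible by the owner from the
    secret but not guessable by the vendor."""
    rows = []
    for i in range(count):
        t = _tag(f"{vendor_id}:{i}").hex()
        rows.append({"id": str(900000 + int(t[:4], 16)),
                     "name": f"Canary {t[4:8].upper()}",
                     "email": f"c-{t[8:20]}@example.net"})
    return rows

def fingerprint_copy(rows: List[Row], vendor_id: str) -> List[Row]:
    """Insertion-based fingerprint: the vendor's copy is the original table plus
    its canaries, inserted at secret-derived positions rather than appended."""
    marked = list(rows)
    rng = random.Random(int.from_bytes(_tag(vendor_id), "big"))
    for canary in canary_rows(vendor_id):
        marked.insert(rng.randrange(len(marked) + 1), canary)
    return marked

def identify_source(leaked: List[Row], vendor_ids: List[str]) -> Dict[str, float]:
    """Score each vendor by the fraction of its canaries found in the leak.
    Matching on email alone tolerates leaks where other columns were dropped."""
    leaked_emails = {r["email"] for r in leaked}
    return {v: sum(c["email"] in leaked_emails for c in canary_rows(v)) / CANARIES_PER_COPY
            for v in vendor_ids}
```

A partial leak still scores the right vendor because only the canaries need to survive, not the whole table.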
Sensitive Data Encryption
Data encryption is the most efficient information security technique; however, its application is limited to cases where the outsourcing company does not need to read the information in order to use it. In such cases, critical information (SSNs, credit card numbers, etc.) can be encrypted using public key cryptography. The outsourcing vendor never gains access to the plaintext but can pass the encrypted data to third parties for decryption and processing.
Building Trust in IT Outsourcing
According to Austad and Lossius, trust between a client and an IT outsourcing vendor can be created intentionally through the realization of trust building mechanisms that develop bilateral dynamics necessary for a fruitful partnership. However, this model of trust building in IT outsourcing is not applicable to internal processes of either the client or the vendor. Only those mechanisms that are applied between the partners promote one or several trust building dynamics, through which mutual trust evolves.
The best information security practices discussed above form the basis of trust in IT outsourcing. However, efficient communication, personal interactions, and expectation management are also important facets of an outsourcing relationship that should be nurtured and developed with care.
Published at DZone with permission of Oleg Svet. See the original article here.