How to secure your software development projects?
You want to develop new software for your business, but you aren't sure who you can trust? What if the data you show to the software developers leaks out to your competition? How can you really make sure your business's competitive advantages remain a secret?
These are just a few questions people ask themselves when outsourcing an IT project.
Below we give you a few guidelines that will help you protect your data and work in a secure environment when you are outsourcing.
1. Non-Disclosure Agreement (NDA)
This is a basic type of pre-contract that protects the customer's Intellectual Property. You must sign an NDA each time you start working with a new partner. This pre-contract gives legal protection to the data you release to vendor candidates during the selection process. NDAs are signed when two companies are about to do business together. The parties are restricted from releasing information about any business processes of the counterparty that are integral to the company's operations.
An NDA can be customized, but there are six elements that must be included: sections that identify the parties to the agreement, the definition of what constitutes confidential information, the exclusions from confidential information, the obligations of the receiving party, the time periods involved, and miscellaneous provisions.
2. Non-Compete Agreement (NCA)
The NCA prevents your outsourcing vendor from revealing your ideas, innovations, data or statistics to competitors. How does it do that? Well, it's simple! An NCA prevents your vendor from entering a partnership with a potential competitor of yours for an agreed period.
A Non-Compete Agreement is a contract between two parties in which one party agrees not to compete with the other for a certain amount of time. The Agreement lessens the possibility that knowledge gained by an employee or business partner will later be used to compete against the party that shared it.
In most cases, the Non-Compete Agreement prevents someone who signed it from competing directly, or from working for a competitor.
3. Your company must have a sound security policy
Before you go looking for an outsourcing partner, you must first make sure that your own organization is in order. Written policies are a necessary foundation for systems security management, and they are vital for your cyber-strategy. A good security policy will be sound and rational and should include a data classification scheme that distinguishes sensitive data from common data. Your company's security policy should be finalized by the stakeholders, managers and employees of your organization. A good policy must state clear standards and guidelines for everyone involved.
When it comes to protecting sensitive data, employees are very often the weakest link. That is why it is imperative that your employees know the dangers and are warned about phishing attacks and viruses.
Here are the IT policies that should be covered:
- AUP (Acceptable Use Policy): a set of rules applied by the owner, creator or administrator of a network, website or service that restricts the ways in which the network, website or system may be used and sets guidelines for how it should be used.
- Security Awareness: This policy's goal is to motivate and inform all employees about their information security obligations. It can be implemented through a monthly security awareness newsletter sent to all employees (covering the latest threats, including ransomware attacks and social engineering) or through in-person training for all employees.
- DR/BCP (Disaster Recovery, Business Continuity Plan): Business Continuity Planning is the set of processes a company carries out to ensure that essential business functions continue to operate during and after a disaster.
- Incident Response: Having a tested incident response plan can make the difference between a swift recovery and a high-stress situation in which every minute the incident remains unresolved results in more financial or reputational damage.
- Remote Access: This policy defines standards for connecting to your company network from any host, standards designed to minimize the risk of unauthorized use of your company's resources.
- Vendor Access: This policy defines what access your IT outsourcing vendor has to view, copy and modify data.
You can run security policy awareness programs and training for your employees, where they are told what kind of confidential information should never be shared over email, chat or social media.
Make sure that all employees sign the internal security policy once you have written it.
4. Protect your data first
Regulatory compliance and best practice standards are driving the need to monitor and audit the information residing within sensitive business applications and databases.
Before you start outsourcing IT projects, you should implement database monitoring gateways and application-layer firewalls. An application firewall is a form of firewall that controls input, output and/or access from, to, or by an application or service. It operates by monitoring, and potentially blocking, the input, output or system service calls that do not meet the firewall's configured policy. You must choose a vendor who employs both functionalities. This way you can prevent privilege abuse and the exploitation of vulnerabilities.
5. Your vendor should use SSL certificates only
SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in online communication (in practice, modern servers and browsers negotiate its successor, TLS, which is still commonly referred to as SSL). The use of SSL technology ensures that all data transmitted between the web server and the browser remains encrypted.
An SSL certificate is necessary to create an SSL connection. You need to provide details about the identity of your website and your company when you activate SSL on your web server.
6. Leak-proof traffic
You must discuss upfront with your outsourcing vendor and establish in your contract that the vendor monitors outbound Internet traffic and checks emails for potential information leaks. These checks help ensure leak-proof traffic. If you are dealing with confidential data, you should make sure that all employees understand that the emails they send and receive at work are not private, and that new employees receive adequate warnings before they start using the network.
Determine what kind of confidential information should never be shared over email, chat or social media. Obviously, credit card information, computer passwords and social security numbers should never be communicated via non-secure methods.
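The outbound-email check described above, as an added example (not code from the original post or from Kepler): it scans a constructed outbox for the three data classes the post names, card numbers (validated with the Luhn check so random digit runs are not flagged), social security numbers and passwords, and reports only redacted fragments so the monitoring itself does not leak the data.

```python
"""Outbound-message scan for card numbers, SSNs and passwords.
Added example; all messages below are constructed, not real traffic."""
import re

# 13-19 digits, optionally separated by spaces or dashes
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US social security number in the common NNN-NN-NNNN layout
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# "password: secret", "pwd=secret", "password is secret"
PASSWORD_RE = re.compile(r"\b(?:password|passwd|pwd)\s*(?:is|:|=)\s*\S+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit runs of card length that also pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_message(subject: str, body: str) -> list:
    """Return (category, redacted_sample) findings for one message."""
    text = subject + "\n" + body
    findings = []
    for card in find_card_numbers(text):
        findings.append(("card_number", "*" * (len(card) - 4) + card[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for _ in PASSWORD_RE.finditer(text):
        findings.append(("password", "[redacted]"))
    return findings


def scan_outbox(messages: list) -> list:
    """Scan every message; returns (recipient, findings) pairs for review."""
    return [(msg["to"], scan_message(msg["subject"], msg["body"])) for msg in messages]


# Constructed sample outbox (all addresses and values are made up).
SAMPLE_OUTBOX = [
    {"to": "vendor@example.net", "subject": "Test card for staging",
     "body": "Use 4111 1111 1111 1111 for the checkout test."},
    {"to": "hr@example.net", "subject": "New starter",
     "body": "SSN 078-05-1120, password: Welcome2024!"},
    {"to": "partner@example.net", "subject": "Order 1234567812345678",
     "body": "Shipping tomorrow."},
]

if __name__ == "__main__":
    for recipient, findings in scan_outbox(SAMPLE_OUTBOX):
        print(recipient, findings or "clean")
```

The order number in the third message is the reason for the Luhn check: it is sixteen digits long but fails the checksum, so it is not reported, while the staging test card is.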
7. Providing education about data handling
You must discuss with your vendor whether their employees have been trained in security policies and know how to handle a customer's data. After that, train your own employees and check that they know what they may share and what they must keep to themselves. Train your employees to create strong passwords (non-dictionary words of at least 10 characters with upper and lowercase letters, special characters and numbers) and to change them frequently.
Also, encourage your employees never to share their passwords via email or write them down in accessible places (like a post-it on the computer screen). Whenever your team communicates with your vendor's team, they have to know exactly where the borders of the project are. Education is important, especially when handling data.
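A checker for the password rule stated above, as an added example (not code from the original post or from Kepler). It enforces the length and character-class requirements and rejects dictionary words, including ones hidden behind common substitutions such as "0" for "o" and "@" for "a"; the word list is a small constructed stand-in for a real dictionary or breached-password list.

```python
"""Password-policy check: at least 10 characters, upper and lower case,
digits, special characters, no dictionary words. Added example; the
DICTIONARY set is a constructed placeholder for a real word list."""
import string

MIN_LENGTH = 10

# Constructed stand-in for a real dictionary / common-password list.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "qwerty", "company"}

# Undo the usual letter-for-symbol substitutions before the dictionary check.
LEET = str.maketrans("0143$@!", "oiaesai")


def dictionary_words_in(password: str, min_word_len: int = 4) -> list:
    """Dictionary words contained in the password, before or after de-substitution."""
    lowered = password.lower()
    normalised = lowered.translate(LEET)
    found = set()
    for word in DICTIONARY:
        if len(word) >= min_word_len and (word in lowered or word in normalised):
            found.add(word)
    return sorted(found)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    words = dictionary_words_in(password)
    if words:
        problems.append("contains dictionary word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("P@ssw0rd2024!", "Tr0ub4dor&3", "summer"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that "P@ssw0rd2024!" satisfies every character-class rule and still fails, because the de-substitution step exposes the dictionary word; a check that only counts character classes would accept it.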
8. The rule of least privilege
Before outsourcing, decide on a method to monitor material exceptions for your vendors and enforce the rule of least privilege. In information security, computer science and other fields, the principle of least privilege requires that, in a given abstraction layer of a computing environment, every module (a process, a user or a program, depending on the subject) can access only the information and resources necessary for its legitimate purpose.
The principle means giving a user account only those privileges that are essential to perform its intended function. For example, a user account whose sole purpose is creating backups does not need to install software. That is why it should only have rights to run backup and backup-related applications. Any other privileges, such as installing new software, should be blocked for this user.
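The backup-account example above, carried through as an added example (not code from the original post or from Kepler): each account is tied to a role whose privilege set is the minimum its job needs, every request is decided against that set and written to an audit log (the "material exceptions" to monitor), and an audit function lists privileges an account holds beyond its role so they can be revoked. Role names, privilege names and accounts are all constructed.

```python
"""Least-privilege decision and audit for service and vendor accounts.
Added example; roles, privileges and accounts are constructed."""

# The minimum privilege set each role needs for its legitimate purpose.
ROLE_PRIVILEGES = {
    "backup_operator": {"read:filesystem", "write:backup_store", "run:backup_tool"},
    "vendor_developer": {"read:source_repo", "write:feature_branch", "run:ci_pipeline"},
    "local_admin": {"install:software", "manage:users", "read:filesystem"},
}


def authorize(account: dict, privilege: str, audit_log: list) -> bool:
    """Allow only privileges in the account's role; unknown roles get nothing.
    Every decision, allowed or denied, is appended to audit_log."""
    allowed = privilege in ROLE_PRIVILEGES.get(account["role"], set())
    audit_log.append({
        "account": account["name"],
        "privilege": privilege,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


def excess_privileges(account: dict) -> set:
    """Privileges granted directly to the account that its role does not require."""
    return set(account["granted"]) - ROLE_PRIVILEGES.get(account["role"], set())


def audit_accounts(accounts: list) -> dict:
    """Map each over-privileged account name to the sorted list of privileges to revoke."""
    report = {}
    for account in accounts:
        excess = excess_privileges(account)
        if excess:
            report[account["name"]] = sorted(excess)
    return report


# Constructed accounts: the backup account was handed an admin-only right.
SAMPLE_ACCOUNTS = [
    {"name": "svc-backup", "role": "backup_operator",
     "granted": ["read:filesystem", "write:backup_store", "run:backup_tool", "install:software"]},
    {"name": "vendor-dev-01", "role": "vendor_developer",
     "granted": ["read:source_repo", "write:feature_branch", "run:ci_pipeline"]},
    {"name": "legacy-svc", "role": "unknown_role",
     "granted": ["read:filesystem"]},
]

if __name__ == "__main__":
    log = []
    backup = SAMPLE_ACCOUNTS[0]
    authorize(backup, "run:backup_tool", log)      # allowed
    authorize(backup, "install:software", log)     # denied, despite being granted
    print(audit_accounts(SAMPLE_ACCOUNTS))
    print(log)
```

The decision is made against the role's set rather than the account's granted list, so the stray "install:software" grant is denied at request time and also shows up in the audit report; an account with no recognised role is denied everything and has its one grant listed for removal.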
9. Think before you ink (The Contract)
All of the above should be stated in your contract before you sign. The contract you sign with your vendor should transfer the Intellectual Property in the technology/code they will use for your business to your company. This is extremely important! Keep an eye out for it, as not all companies include it in their contracts!
The contract is the legal shield that protects your business from information leaks. But without trust, any contract becomes vulnerable, so the best way to protect your data remains finding a trustworthy vendor to partner with.
10. Choose the right vendor
The first important rule of business is trust. You must find a trustworthy vendor and discuss all your doubts upfront. If the vendor is as serious about their business as you are about yours, they will understand your concerns.
When you are looking for the right outsourcing vendor for your IT projects, you have to make sure that the one you choose makes security a rule in their organization. In the computer security field there are a number of tracks a professional can take to demonstrate qualifications. For example, CompTIA's Security+ accreditation provides a respected, vendor-neutral foundation for industry staff (with at least two years of experience) seeking to demonstrate proficiency with security fundamentals.
Any vendor must be able to ensure that its personnel are properly educated in systems security, network infrastructure, access control, auditing and organizational security principles. As part of this process, your company's CIO can ask for the service provider's SSAE16/SOC (formerly known as SAS 70) reports, in which an external auditor describes, evaluates and issues an opinion on the service provider's security and data protection controls.
Rule No. 1: TRUST
The most important rule in the outsourcing business remains TRUST! Without trust, all your measures of protection mean nothing. You must trust your IT Software development vendor, your employees and your business.
If you are looking for a trustworthy partner to start a new project together, look no further! Kepler has trained all its employees on data handling and security threats. The result? We haven't had a single security breach in 23 years of experience.
Let's see how we can safely build the best solution for your business!