Overview
Policy Statement
Due care must be taken to ensure that the policies of your organization are enforced and, where possible, monitored. Since access to most assets happens via the cloud provider's infrastructure, risks related to compliance are mitigated to an acceptable level by the Cloud Service Provider. Your organization also makes significant efforts to ensure that all 3rd Party organizations working with us are compliant and do not compromise the integrity, security, and privacy of your organization's company, employees, customers, and even of other vendors.
Procedures
Procedures and mapped controls
Selection of Subcontractors or Software Vendors
Standard procurement procedures should be used in the selection and engagement of appropriate subcontractors or software vendors (OEMs included). Use of these procedures should ensure that the subcontractor or software vendor:
- Is capable of delivering the services to the required standard;
- Can meet the required delivery timescales;
- Represents the best value for the organization;
- Can meet the specified security requirements.
The use of subcontractors by your organization for any aspect of the development should be understood, and an assessment of these subcontractors should be completed before engagement.
Communication of Requirements
The contract with the subcontractor or software vendor should require compliance with this policy and include a clear statement of the requirements for secure design, coding, and testing of the software. The subcontractor or vendor should also be required to establish a secure development environment that meets your organization's standards.
Requirements definition should be carried out by your organization so that a clear definition of the software to be created (including its security features) is agreed upon with the business and used as a contractual starting point. Whilst the subcontractor or software vendor may in some circumstances assist in the definition of requirements, the exercise should be led, managed, and ideally carried out by internal resources so that there is a clear separation between requirements and design/development.
A comprehensive picture of the anticipated threat model faced by the software should be provided to the subcontractor or software vendor so that a clear understanding is gained of the types of vulnerabilities that must be avoided if the software is to be secure.
Supervision and Monitoring
Measures should be put in place to ensure adequate supervision of the activities of the subcontractor or software vendor and regular monitoring of progress.
For a large project with significant time gaps between deliverables, your organization could introduce multiple verification points, and an agreed method of verifying interim progress should be in place so that early warning is given of delays.
Vendor Technology Risk Reviews and Acceptance
Review points should be established as part of the project planning process to verify progress and give the formal acceptance of the software deliverables created. These will involve appropriate testing activities and code reviews.
The subcontractor or software vendor should be required to provide evidence of the security testing activities carried out during the development, including tests for concealed malware, backdoors, and known vulnerabilities.
Where appropriate, a security review of the developed code may be commissioned from a suitable 3rd Party with the relevant security expertise.
Conducting vendor risk assessments can be a long and tedious process. However, failing to do so could result in reputation damage, lost business, legal fees, and fines. If one of your vendors fails to comply with regulations (such as data privacy or safety standards), your company will face consequences, too.
Steps for identifying risks
- Know the types of vendor risk
- Determine risk criteria
- Assess each product and service
- Get help from experts
- Assess every vendor
- Separate vendors by risk level
- Make a risk management plan
- Stay up to date on regulations
- Conduct annual assessments
Audit of Development Methods
Your organization should have the contractual right to undertake a second audit of the subcontractor or vendor. This may be used to review whether the development methods used comply with your organization's policies and whether all information provided to the supplier is protected by appropriate security controls.
Intellectual Property
Any software that is developed under an agreed contract with a subcontractor or vendor must be understood to be your organization's intellectual property. Appropriate legal advice should be taken particularly if the outsourcer is based outside of your organization's home country.
Escrow
Arrangements should be made for your organization to be able to legally access the source code of any developments undertaken if the subcontractor or vendor ceases trading for any reason. This should be the case during development and if appropriate after the code has been delivered.