Your outsourced IT project: A security checklist

How to be sure that your project is being developed using the latest
security best practices.

Outsourcing an important IT project can be stressful with today’s emphasis on security. If you’re not working with a software development partner that can provide best-in-class security as part of its services, you could be in for a wild ride.

Agency—or freelancer?

We always recommend working with tech agencies over freelancers, because many agencies hold security certifications that guarantee they’ve implemented all possible security processes and measures to keep their clients’ data safe. When selecting a vendor, make sure to choose one that won’t monopolize the management of your infrastructure security.

Here’s a checklist to help you evaluate potential partnerships from a security standpoint:


  • What security certifications do they hold? Companies handling outsourced projects invest in security certifications that guarantee they operate according to the latest international data security standards. The ISO 9001:2015 and ISO 27001 are the most popular and by far most demanding software security certifications. Also, obtaining these certifications is quite expensive, so if your prospective partner has them, it’s a good sign they have a significant focus on security.
  • Is there physical site security? The physical safety of data carriers is often underestimated when projects are managed remotely. Check that the vendor has both a surveillance system and a security guard on premises. Many tech companies have installed biometric fingerprint door locks and card-pass systems. With those in place, employees within the same company can only enter the spaces for which they have permission. Find out whether the company you have shortlisted has such a security system in place, and whether the premises and everything within them are insured.
  • Are security concerns clearly outlined in contracts? Intellectual property rights contracts (IPRs) and non-disclosure agreements (NDAs) are the two pillars of remote IT project security. These can be two separate documents, or the IPR terms can be a separate clause within the NDA. This document clarifies that the client is the sole owner of the intellectual property (usually code) produced by the vendor, and that the vendor cannot claim any ownership over it or use any part of the code in any way.
  • Have their personnel completed security training? Make sure to request information concerning security workshops for the vendor’s employees. Seeing how they educate their team of developers about cybersecurity is crucial to keeping the IT project you’re outsourcing safe. Phishing and social engineering are the most common types of cyber-attacks, and even the most tech-savvy employees need a reminder now and then. Ask your potential tech partner about the measures they take to educate their employees about cyber threats.
  • Will you have control over your infrastructure and its security? There are two common approaches to ensuring IT project security while managing projects remotely:
    • The extension of your in-house team. You work with a team of outstaffed developers that work directly for you, and you have full control over the development infrastructure and its security. This option is safer because it empowers you to give, deny, and stop access to your development infrastructure.
    • The outsourced service. You work with a project outsourcing vendor that houses your infrastructure and all development at their site. If you want to maintain full control over project security, you should consider working with an outstaffing company.
  • Are the developers using secured devices? Most companies allow their developers to take their corporate computers home or even use their own at work. However, far fewer companies ask their programmers to sign a Bring Your Own Device (BYOD) policy that requires a programmer to only connect to secured networks and holds them personally responsible for any loss of data.
  • Will data be stored on your servers? If you’re working with a project outsourcing vendor who does the development on their side, your data will be stored on the vendor’s servers. If you’re cooperating with an outstaffing company, the development is done on your side. Consequently, all your data stays on your own servers, because the outstaffing company only leases talent to you.
  • Is there a process for managing data breaches? Even after your data has been breached, there’s still a chance of saving a part of it and securing your digital product. A vendor with a list of preventative methods aimed at ensuring client data security is great—but you should go one step further and ask about the actions your prospective vendor would take after a data breach occurs.
  • Do they have a penetration test program? Penetration testing is a common practice among companies that offer software development outsourcing services to international companies. A penetration test is a kind of planned “test hack,” during which a company experiences an authorized simulated cyberattack on its computer system with the aim of identifying and fixing vulnerable gaps in its security. Make sure your developer does this and does it frequently!
  • Are they making continuous security improvements? Security requirements and solutions evolve often. Make sure that your vendor is flexible about introducing new security policies and installing necessary software as it becomes available.
  • Have developers been adequately vetted? Now that you know how your vendor organizes security processes, and what software they use, you should get more information about the individuals who will write the code for you. Many clients request a background check of all potential programmers, while others request recommendations from previous employers.