
Thinking about outsourcing? Many outsourcing projects fail for a variety of reasons, and even when they succeed the total costs may be more than the costs saved. One of the biggest risks when outsourcing is protecting your intellectual property (“IP”). There are no silver bullets that will guarantee 100% protection. But if you choose to outsource, there are some guidelines you might wish to follow to reduce the risk that your IP will be compromised when outsourcing to an offshore vendor.

1.     Know what you are outsourcing

The first step is to inventory the IP you plan to outsource. IP can take many forms (copyrights, trademarks, trade secrets and patents); it can be structured in databases, embedded in software code, or written on a whiteboard in a conference room or at an event, just like your business ideas.

Identify what your IP consists of; where it is located; who controls it; who uses it; who enhances it; who secures it; how it is protected and how vulnerable it is to attacks.

Examine your IP licensing agreements, both those from you to others and those from third parties to you. Determine whether these agreements prohibit outsourcing the IP without the permission of your licensing partner.


2.     Choose the right partner

Criteria for selecting an outsourcer should take into account the following:

  • Country assessment: Assess the legal environment in the jurisdiction where your offshore vendor is located. Determine whether the courts in that jurisdiction will provide you with legal protection and a remedy if something goes wrong.
  • Company assessment: Evaluate the company’s reputation and history in the following aspects:
    • Quality of services provided to their clients and partners;
    • Number and competence of staff and managers;
    • Financial stability of the company and commercial record;
    • Employee retention rate;
    • Quality assurance and security management standards currently followed by the company (e.g. certified compliance with CMMI, ISO 9000 and ISO/IEC 27001, Scrum certifications);
    • Technology partnerships and certifications with leading technology companies (e.g. Are they a Microsoft partner or an Oracle partner? Do they employ Salesforce-certified engineers?).


3.     Have a legal framework in place

Before you start the relationship, a nondisclosure agreement (NDA) between the two companies has to be signed. When you move to the contract phase, ensure the contract covers at least the following terms:

  • License and ownership of the work product
  • Confidentiality and Nondisclosure: definition of confidential information, ownership and disclosure of confidential information
  • Restriction on disclosure and use of confidential information

Nondisclosure agreements and confidentiality contracts should also be signed by every offshore employee assigned to your project, so that each individual, not only the vendor company, is bound to the agreed standards of IP protection and privacy.


4.     Personnel security

Software outsourcing is ultimately about people. Make sure that your own contractors and consultants are subjected to background checks, and work with your offshore vendor to ensure that every employee who works on your project is background checked too. Such screening should be proportionate to the level of trust and responsibility associated with the position and (where permitted by local law) cover:

  • Proof of the person’s identity (e.g. ID card, passport);
  • Proof of their academic qualifications (e.g. certificates);
  • Proof of their work experience (e.g. resume/CV and references);
  • Criminal record check;
  • Credit check.

Check with your offshore partner that suitable information security awareness, training and education are provided to all employees, clarifying their responsibilities under your company’s information security policies (where available) and the vendor’s own policies, standards, procedures and guidelines (e.g. privacy policy, acceptable use policy, procedure for reporting information security incidents), as well as all relevant obligations defined in the contract.


5.     Information security management system

You want to ensure that your offshore vendor has a suitable system in place to manage information security. A globally recognized certification such as ISO/IEC 27001 is the benchmark. If the vendor is not certified yet, recommend that it implement an Information Security Management System (ISMS) that covers at least the following aspects:

Data management

  • Information classification
  • Owners and users
  • Information inventory
  • Information retrieval and destruction

Access control

  • Logical access control
  • Physical access control to network and protected systems. Separation of each customer’s assets and VLAN from others
  • Workstation security

Business continuity

  • Ensure that the business continuity plan comprehensively addresses all the key elements
  • Ensure a vulnerability assessment is done regularly to identify security gaps and prepare action plans