
Critical Considerations for Protecting IP in a Software Development Environment


Key Issues

□ Definitions

□ Risk of contracting

Vendor Due Diligence

□ Put vendors on notice

□ Security standards

  • - Gramm-Leach-Bliley
  • - HIPAA Security Rule/HITECH Act
  • - FFIEC Guidance
  • - States
  • - Federal Trade Commission

□ Diligence should cover:

  • - Criminal convictions
  • - Litigation
  • - Regulatory and enforcement
  • - Breaches of security
  • - Breaches of health information
  • - Adverse audits
  • - Use of parties outside the United States

□ Standardized questionnaire

  • - Corporate responsibility
  • - Insurance coverage
  • - Financial condition
  • - Personnel practices
  • - Information security policies
  • - Physical security
  • - Logical security
  • - Disaster recovery

□ Business continuity

Treatment of Data

□ Maintain data as confidential

□ Liability for unauthorized disclosures

□ No data removed by vendor

Administrative Security

□ Written privacy policy

□ NDAs for personnel with access

□ Trade secrets

□ Written security plan

□ Encryption

□ Procedures for removable media

□ Permission settings and restrictions

□ Separate networks with respect to access

□ Permanent logs of any access

□ No unauthorized access to client data

□ No installation or removal of programs

□ Require reasonable security

□ Vendors abide by regulatory framework

□ Document access by vendors

Technical Security

□ Enable use of firewalls

□ Ensure secure Internet access

□ Consider disconnecting computers

□ Encryption

□ Procedures for data in transit

□ Separate testing from production

Personnel Security

□ All aware of security requirements

□ Client can request removal of personnel

□ Prescreening

□ Control over access

□ Review of materials taken outside


□ Identified in writing

□ Client right to approve/reject

□ Vendor accepts liability

□ Mirror PSA

Scan for Threats

□ Prohibit install

□ Accessible by link

□ Methods to determine visitor assent

  • - Required online registration
  • - Required acceptance
  • - Prominent notice
  • - Basic notice

□ Changes to legal notices

□ Applicable law and venue

□ Arbitration clause

Data Security and Privacy

□ Privacy policy?

□ Accessible from home page

□ Links to terms and conditions

□ Employees follow policy

□ Third-party online privacy certification

□ Agreement with hosting provider

□ Firewall


□ Intellectual property infringement

□ Invasion of privacy

□ Defamation

□ Personally identifiable information

□ Protected health information

□ Personal financial information

□ Misuse of information by site

□ Misuse of information by employee

Additional Concerns

□ Record of modifications to T&C

□ Copyright notice on site


Businesses must be rigorous in entering into vendor relationships in which sensitive information will be placed at risk. Security requires a unified approach, including but not limited to security policies, employee education, use of security technology, performing security audits, and addressing security in contracts with business partners and other vendors. Information security can be divided into three categories: administrative, technical, and physical. In this chapter, we evaluate tools that businesses can immediately put to use to substantially reduce the information security threats posed by their vendors and business partners, to ensure proper diligence is conducted and documented, and to provide remedies in the event of compromised security.

Key Issues and Guiding Principles

■ Definitions. The definition of data should include all information to which the vendor may have access, including the company’s customer information, the company’s proprietary and confidential information, and any other nonpublic information provided by the client to the vendor, including its intellectual property and business information. In many instances, a company’s proprietary and confidential information is the most important asset of the company.

■ Assess the risk of contracting. Does the risk of involving another party outweigh the benefits of services provided by that third party? If not, an agreement should be in place any time the third party will have access to data.

Vendor Due Diligence

■ Companies should put all vendors on notice that their security policies and procedures will in part determine whether any particular vendor shall be selected to have access to data.

■ A company must also consider all applicable security standards, including:

  • - Gramm-Leach-Bliley Act (a federal law directed at the protection of nonpublic, personally identifiable financial information)
  • - HIPAA Security Rule/HITECH Act (discussed in Chapter 16)
  • - Federal Financial Institutions Examination Council (the FFIEC) Outsourcing Technology Services Guidance
  • - States (e.g., California, Massachusetts, Nevada)
  • - Federal Trade Commission

■ Diligence should cover the following topics:

  • - Criminal convictions
  • - Litigation
  • - Regulatory enforcement actions
  • - Breaches of security or health information
  • - Adverse audits
  • - Use of affiliates, subsidiaries, contractors, and vendors outside the United States

■ Use a standardized questionnaire with the vendor covering the following topics, rather than relying on an ad hoc process to evaluate the integrity of vendor security:

  • - Corporate responsibility. Are there any criminal convictions, recent material litigation, or instances in which the vendor has had a substantial compromise of security, privacy violations, or adverse audit results?
  • - Insurance coverage. What types of coverage does the vendor have? What are the coverage limits and other terms? Is the coverage based on claims made or occurrences? In particular, does the vendor have cyber liability coverage?
  • - Financial condition. Is the vendor a private or public company? Review copies of the most recent financial statements.
  • - Personnel practices.
  • - Information security policies.
  • - Physical security.
  • - Logical security.
  • - Disaster recovery and business continuity. What are the vendor’s business continuity plans and disaster recovery plans? When was its last test? When was its last audit? Were there adverse findings in the audit? Have deficiencies been corrected?