Commissioning Development to Externals: Addressing Infosec Risks Upfront

IF 0.2 Q4 POLITICAL SCIENCE
Yasir Gokce
International Journal of Cyber Warfare and Terrorism, volume 12 1, pages 30-40. Journal article, published 2021-07-01. DOI: 10.4018/IJCWT.2021070103 (https://doi.org/10.4018/IJCWT.2021070103)
Citations: 0

Abstract

Bringing externals into the critical business processes and having them assume some or all of the responsibilities associated with the critical business functions comes with information security risks whose impact, if materialized, could be disastrous for business and therefore warrants a meticulous and holistic approach for managing those risks. Compounded with the engagement of externals in the development process, risks facing a development project require robust risk management by the outsourcing organization. The organization should be able to influence the security behavior of those externals and induce them to comply with certain secure development principles and practices. Delving deep into those risks brought about by suppliers, this study aims at offering a methodology in addressing the risks associated with commissioning some or all components of a would-be-developed product to externals and shows how those risks can be mitigated by controlling the security behavior of suppliers through well-tailored contractual provisions.
Source journal: CiteScore 1.80; self-citation rate 40.00%; articles published 20