A Guide to IT Contracting: Checklists, Tools, and Techniques, by Michael R. Overly and Matthew A. Karlyn
19 Critical Considerations for Protecting IP in a Software Development Environment
CHECKLIST

Key Issues
  Definitions
  Risk of contracting

Vendor Due Diligence
  Put vendors on notice
  Security standards
    • Gramm-Leach-Bliley
    • HIPAA Security Rule/HITECH Act
    • FFIEC Guidance
    • States
    • Federal Trade Commission
  Diligence should cover:
    • Criminal convictions
    • Litigation
    • Regulatory and enforcement
    • Breaches of security
    • Breaches of health information
    • Adverse audits
    • Use of parties outside US
  Standardized questionnaire
    • Corporate responsibility
    • Insurance coverage
    • Financial condition
    • Personnel practices
    • Information security policies
    • Physical security
    • Logical security
    • Disaster recovery
  Business continuity

Treatment of Data
  Maintain data as confidential
  Liability for unauthorized disclosures
  No data removed by vendor

Administrative Security
  Written privacy policy
  NDAs for personnel with access
  Trade secrets
  Written security plan
  Encryption
  Procedures for removable media
  Permission settings and restrictions
  Separate networks with respect to access
  Permanent logs of any access
  No unauthorized access to client data
  No installation or removal of programs
  Require reasonable security
  Vendors abide by regulatory framework
  Document access by vendors

Technical Security
  Enable use of firewalls
  Ensure secure Internet access
  Consider disconnecting computers
  Encryption
  Procedures for data in transit
  Separate testing from production

Personnel Security
  All aware of security requirements
  Client can request removal of personnel
  Pre-screening
  Control over access
  Review of materials taken outside

Subcontractors
  Identified in writing
  Client right to approve/reject
  Vendor accepts liability
  Mirror PSA
  Scan for Threats
  Prohibit install
  Accessible by link
  Methods to determine visitor assent
    • Required online registration
    • Required acceptance
    • Prominent notice
    • Basic notice
  Changes to legal notices
  Applicable law and venue
  Arbitration clause

Data Security and Privacy
  Privacy policy?
  Accessible from home page
  Links to terms and conditions
  Employees follow policy
  Third-party online privacy certification
  Agreement with hosting provider
  Firewall
  Insurance
  Intellectual property infringement
  Invasion of privacy
  Defamation
  Personally identifiable information
  Protected health information
  Personal financial information
  Misuse of information by site
  Misuse of information by employee

Additional Concerns
  Record of modifications to T&C
  Copyright notice on site
OVERVIEW

Businesses must be rigorous in entering into vendor relationships in which sensitive information will be placed at risk. Security requires a unified approach, including but not limited to security policies, employee education, use of security technology, performing security audits, and addressing security in contracts with business partners and other vendors. Information security can be divided into three categories: administrative, technical, and physical. In this chapter we evaluate tools that businesses can immediately put to use to substantially reduce the information security threats posed by their vendors and business partners, to ensure proper diligence is conducted and documented, and to provide remedies in the event of compromised security.

KEY ISSUES AND GUIDING PRINCIPLES

• Definitions. The definition of data should include all information to which the vendor may have access, including the company’s customer information, the company’s proprietary and confidential information, and any other non-public information provided by the client to the vendor, including its intellectual property and business information. In many instances, a company’s proprietary and confidential information is the most important asset of the company.
• Assess the risk of contracting. Does the risk of involving another party outweigh the benefits of services provided by that third party? If not, an agreement should be in place any time the third party will have access to data.

Vendor Due Diligence

• Companies should put all vendors on notice that their security policies and procedures will in part determine whether any particular vendor shall be selected to have access to data.
• A company must also consider all applicable security standards, including:
  • Gramm-Leach-Bliley Act (a federal law directed at the protection of non-public, personally identifiable financial information)