How to Protect Intellectual Property While Offshore Outsourcing?

WHITE PAPER

In an era of increasing data theft, it is important for organizations to ensure that the Intellectual Property related to their offshore outsourced projects stays safe. Here is a roadmap that can help you address this concern.

Avirag Jain

CONTENTS
Introduction
Essential steps to protect IP
Guidelines for protecting IP while offshore outsourcing
Conclusion

INTRODUCTION

Protecting Intellectual Property (IP) is essential for organizations that want to sustain their competitive edge. The need to protect IP becomes even more critical in offshore outsourcing, since it involves sharing a wide array of intellectual assets. The Data Breach Investigations Report (2013) by Verizon reveals that attackers are interested in all kinds of IP, including customer lists, designs, product roadmaps and code. Several other global research findings also confirm that IP-related attacks are increasing in frequency and sophistication with every passing day. The fast-evolving IP theft landscape therefore calls on organizations to be prepared with stringent IP protection measures.

Offshore outsourcing calls for a comprehensive IP protection framework. This exercise begins with selecting an offshore outsourcing partner based on its IP protection capabilities. Outsourcing organizations will need to assess the quality assurance and security management standards of the partner (e.g. ISO/BS or CMM certifications). They will also need to examine the legal framework of the potential partner's country. The other aspects of IP protection that offshore outsourcing organizations will need to evaluate relate to the contractual terms. However, even with a well-thought-out strategy, there is no magic bullet that ensures complete protection against IP theft. The best you can do is adhere to a proven set of guidelines that will help you mitigate IP-related risks. This white paper describes these guidelines, which encompass the legal, physical, logical, procedural and managerial aspects of IP protection.

ESSENTIAL STEPS TO PROTECT IP

Once you finalize your offshore outsourcing partners, ensure that they adhere to the following crucial aspects of IP security:

Step 1: Identify the IP inventory that is to be outsourced
Step 2: Nominate persons at both ends, customer and vendor, responsible for IP security
Step 3: Fix the IP location
Step 4: Put a legal framework, checks and controls in place
Step 5: Do regular checks and audits

Figure-1: Essential steps to protect IP

GUIDELINES FOR PROTECTING IP WHILE OFFSHORE OUTSOURCING

The broad set of guidelines that your organization will have to follow while offshore outsourcing is listed in Figure-2:

- Contractual & confidentiality agreements
- Hiring & training of employees
- Access controls
- Storage protection
- System controls
- Security audit

Figure-2: Guidelines for protecting IP while offshore outsourcing

DETERMINE CONTRACTUAL & CONFIDENTIALITY AGREEMENTS

Following are the aspects related to contractual and confidentiality agreements that you will need to ascertain:

A Formal Contract: A formal contract must exist between you, the customer, and the vendor to protect both parties.

A Confidentiality Agreement: A binding confidentiality agreement should be signed between you and the vendor, either as part of the contract itself or as a separate Non-Disclosure Agreement (NDA).

Clauses to Retain IP Ownership Rights: The contract must have a clause that empowers you to retain all ownership rights over your IP assets.

Clauses to Secure Confidential Information: The contract must contain a clause for securing confidential information.

An Information Classification Policy: According to the information classification policy, all information must be controlled and classified.

Indemnification Provisions Addressing IP Breaches: To address IP breaches, the contract must include indemnification provisions. These can protect your organization from the potential risks of IP breaches.

Sufficient Insurance Coverage: The vendor should ensure adequate insurance coverage to protect itself against all claims and liabilities arising from its performance under the agreement.

Information Security Obligations and Control Details: The contract must include references to information security obligations and controls, such as information security policies, procedures, standards and guidelines.

Figure-3: Elements of contractual and confidentiality agreements (formal contract, confidentiality agreement / non-disclosure agreement, clause to retain IP ownership rights, clause to secure confidential information, information classification policy, indemnification provisions, sufficient insurance coverage, information security obligations and control details)

ENSURE PROPER HIRING & TRAINING OF EMPLOYEES

You will need to ensure the following:

Check the Background of Employees: Employees working on your behalf at the vendor end should be subjected to background checks.

Provide Training and Education on Information Security: Employees working on the contract should be provided with training and education on information security.

PLACE ACCESS CONTROLS

Ensure a robust access control architecture to prevent unauthorized access to your information assets by the vendor.

Physical Access Controls, including:
- Layered controls covering perimeter and internal barriers
- Suitable locks with key management procedures
- Access logging through the use of automated key cards, visitor registers, etc.
- Defined user roles with appropriate logical access rights and controls
- Data encryption in accordance with the customer's encryption policies
- Intruder alarms/alerts and response procedures

Separation of the Customer's Assets from Other Systems: If your IT infrastructure is hosted at a third-party data center, your assets should be physically and logically isolated from other systems.

Separate VLANs for the Project: Separate VLANs should be created for the project, and proper inter-VLAN security controls should be enforced.

Technical Access Controls, including:
- User identification and authentication
- Authorization of access, generally through assigned standards
- Defined algorithms, key lengths, key management, escrow, etc.
- Accounting/audit logging of access checks, plus alarms/alerts for attempted access violations wherever applicable

Information Assets Management & Restricted Internet Access: Proper management of information assets should be ensured. This can be accomplished by duly retrieving or destroying them. Restricting internet access is also advised.

Vulnerability Assessment and Penetration Testing (VAPT): Internal and external VAPT should be carried out periodically to close any security gaps.

Access Controls Documentation: Proper documentation of the procedural components of access controls should be ensured within procedures, guidelines and related documents.

ENSURE STORAGE PROTECTION

An effective data leakage prevention initiative begins with protecting data at its repository (IDC, 2011). Ensure that the place where your data is stored is well protected.

IMPLEMENT SYSTEM CONTROLS

Ensure that your vendor has put suitable system controls in place to protect critical information such as IP and Personally Identifiable Information (PII), e.g. names, addresses, phone numbers, etc.

UNDERTAKE SECURITY AUDIT

As a procedure, you must audit your vendor's premises at regular intervals to ensure that vendors consistently comply with the requisite security policies and your IP protection requirements.

CONCLUSION

Effective IP protection is of utmost significance for businesses. In offshore outsourcing arrangements, both the customer and the vendor need to strictly implement an appropriate set of security controls to reduce IP-related risks. This is possible when both parties collaborate to devise a robust security framework and ensure that they stringently adhere to it. Comprehensive management of IP-related risks will ensure that your organization is able to sustain its competitiveness and derive optimal value from the offshoring arrangement.

ABOUT THE AUTHOR

Avirag Jain has 25+ years of rich experience in the IT industry, including managing large on-site, off-site and offshore projects. He currently heads the Offshore Development Center of R Systems International Ltd. as CTO and EVP. Avirag is a science graduate with a PGD in Cyber Law. He also holds an MBA degree with specialization in Finance and International Business.
Email: avirag.jain@rsystems.com / jain.avirag@gmail.com

ABOUT R SYSTEMS

R Systems is a leading OPD and IT Services company, which caters to Fortune 1000, Government, and mid-sized organizations worldwide. The company is hailed as an industry leader with some of the world's highest quality standards, including SEI CMMI Level 5, PCMM Level 5, ISO 9001:2008, and ISO 27001:2005 certifications. With a rich legacy spread over two decades, we generate value that helps organizations transcend to higher levels of efficiency and growth. For more information, visit www.rsystems.com

2014 R Systems International Limited. All Rights Reserved. All content / information present here is the exclusive property of R Systems International Ltd. The content/information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from R Systems International Ltd. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.

Email: rsi.marketing@rsystems.com
Phone (India): (+91) 120-4303500
Phone (US): (800) 355-5159