A couple years ago I went through a technical due diligence (TDD) of several relatively small offshore vendors. The vendors were providing product development services for one of my clients, the vendors also supported operations of the SaaS for all of the products. The client had fully outsourced s/w product development and support to those vendors and retained practically no technology resources internally with exception of MIS / SaaS IT support.
The goal of the TDD process was to asses whether the vendors are efficient and can continue performing fairly complex projects involving working with sensitive information. There are a couple important distinctions here:
- The vendors were in large degree focused on the product development for my client and the rest of their business was relatively small.
- The vendors have been performing services for a number of years with very light oversight from the client’s side.
- The quality of work to date has been on a low side yet deemed sufficient for the money.
As you can imagine results of the TDD was vitally important for the vendors as well as for the client. I will cover some findings and specific areas that I would recommend to focus on in other post(s). At this point I would like to concentrate on general framework / outline of the TDD process I employed on this specific engagement.
TDD included three distinct components – Technical Capability Analysis, Resources Assessment, and lightweight Information Security audit. The budget for TDD process in terms of $$ and time allocation was exceptionally small, so I had to stay just a few notches below high-level TDD, I would be hard pressed to call it a midlevel TDD.
The questionnaire I developed for the process is presented below (I took out the parts which are completely proprietary or overly specific for to this engagement). The questionnaire was used as the outline of the TDD process. The vendors had to answer the questions prior to meeting me. That allowed us to concentrate only on the areas where I found mismatch, drill in on specific areas of concern, or do the answer verification. Some of the questions were fairly generic and I was prepared to see just brief pointers in the answer and discuss underlying details at the meeting.
For staff assessment of course the most important element was interviews.
InfoSec audit was exceptionally light with interviews and on-site survey being the major components.
To see the questionnaire just follow this link – Offshore TDD. I think whether you are about to run technical due diligence on your offshore vendor(s) or are about to be audited you will find it helpful.