What can you do to minimize / mitigate risks of IP loss with your outsourcing partner? Here are some tips to consider:
- Learn, understand and keep yourself up to date on information security topics.
- Do not outsource your crown jewels. If at all possible, do not send any high-value IP work offshore.
- Hold the offshore vendor, its employees and subcontractors to the same or higher standards of data and IP security as your own team.
Vendor search / RFP process
- Include IP handling inquiries in your RFP process and in on-site visits
- Consider legal maturity and IP laws from a geopolitical point of view.
- Check for signs of casual treatment. For example, during the site visit ask developers what they are working on, etc. Your IP will at best be treated the way the vendor treats the IP of its current clients.
Contract / negotiation process
- Make sure to include IP elements in the contract and have it reviewed by a legal team specializing in IP. My preferred approach is to have the vendor “work for hire” and keep ownership of all IP, including IP produced during the engagement.
- Make sure that the required clauses are enforceable and can be seen through downstream (employees, subcontractors, etc.). You can ask for specific language in chain-of-trust agreements and NDA documents.
- Put excessive penalty clauses associated with IP loss in the contract. I also recommend including “right to inspect” and other control elements directly in the contract.
- Decide on the level of additional security elements you need at the physical / infrastructure level, for example network separation, biometric locks, etc. Keep in mind that this usually comes with a notable price tag.
- Align payments with deliverables and milestones. Allow time to verify deliverables before you pay for them.
- Define and communicate to the vendor your policies and SOPs on data and IP handling, e.g. level of encryption, separation of duties, firewall policies, etc.
- Consider investing in education and helping your vendor keep IP and data secure.
- Consider an infrastructure approach under which none of the sensitive elements reside on the vendor side. For example, developers could perform all work on your network using terminal services over VPN.
- Make sure that all information and artifacts produced by your vendor are physically copied to your location.
- Test the integrity of the information delivered by the vendor. For source code my preferred method is using continuous integration (CI) integrated with unit / smoke testing, running off local repositories.
- Control / inspect / audit the guards you agreed to put in place.
- Consider independent audits by a third party.
- Plan / define termination procedures when establishing the contract.
- Use appropriate InfoSec processes and procedures to close accounts, revoke privileges, destroy media, etc.
- And make sure that you part on good terms