Offshore Intellectual Property Rights (IPR) Protection Strategy and Code Security
At Thought Apps, Intellectual Property and Source Code Protection is of utmost importance. In this paper, we document the strategies and best practices followed by Thought Apps concerning management of offshore data and code security risks on both sides of the relationship.
Legal:
At the national level the primary focus is on the laws about data security and protection. Specific consideration is given to our India offshore development facilities. In recent decades, two international institutions have led the drive toward global IPR harmonization: the World Intellectual Property Organization (WIPO), which is an agency of the United Nations, and the World Trade Organization (WTO). Indian laws – India maintains copyright, trademark, and patent laws that are congruent with Western business practices. India is a member of numerous WIPO treaties, such as the WIPO Convention and the Paris Convention (WIPO, 2003). It is also a member and signatory to the WTO TRIPS agreement. Its national legislation provides strong protection for patents, trademarks, industrial designs, copyright, and more. Domestic organizations such as the National Association of Software and Service Companies (NASSCOM) lobby constantly for greater IPR protection. Of particular importance to the offshore outsourcing industry is India’s Information Technology Act (Indian Ministry of Law, Justice, and Company Affairs, 2000). The Act criminalizes a number of computer offenses, such as source code tampering, hacking, and misuse of data.
Thought Apps conducts thorough due diligence before inking any contracts. Our contracts specify that neither we nor our contractors retain any right to use the work product and that clients retain exclusive rights to it. We take the required care in writing these contracts so that both parties understand their obligations and can operate with a minimum of overhead. We apply precautions such as the inclusion of termination clauses and measurable expectations. A separate non-disclosure and non-compete agreement is signed with each individual authorized to work on the project.
Cultural:
Culture drives behavior. Cultural norms significantly influence decision making on an individual level within the firm. In the context of outsourcing relationships, local or national cultures are likely to dominate individual decision making. With limited cross-cultural interaction, individuals often see the “artifact or technical change, but not the underlying process assumptions”, which may be clearly different. Since culture is by definition ingrained, it is difficult to see the gaps without the assistance of individuals versed in both cultures. Thought Apps introduces concepts that are useful for bridging these gaps. Thought Apps, USA acts as an outsider and mediator, helping the individuals working together to identify the gaps in their assumptions that may lead to misunderstandings. We help the organizations on both sides to develop an infrastructure that supports the development of this cultural understanding and the setup of virtual software development teams.
Thought Apps provides insider input on team composition, members of the team, what motivates them, and how they develop trust in each other. Teamwork is encouraged through engagement in planning, the process and content of decision making, and the individual desire to take responsibility.
Code Security:
Thought Apps strives to achieve code security through the following steps:
Code and Information Classification
Application architecture plays a large role in this classification. A message-based architecture, ideally providing a clear separation of concerns between the presentation, business, and data layers, works best.
Only certain pieces of code and information require strict protection, and once they are identified, we can ensure they are maximally secure while other information is allowed to flow more freely.
Organizational Design
Of course, not all sensitive data and code can be kept onshore. Thought Apps recommends following one of the two models that have evolved over the past decade. The first is a matrix structure in which work is split along functional lines; the second is called a back-to-front model. In this model, “Core Functionality” is developed onshore, and the remaining work, which is more labor-intensive, time-consuming, and repetitive, is sent offshore for development.
Physical Protection
Thought Apps has built a culture that places a high value on security. The company integrates security into its recruiting, including background checks on potential hires, and then reinforces it through ongoing training, including monthly security exams for all staff. Thought Apps’ employees and contractors follow practices designed to prevent problems in the first place, such as:
- Restricted use of removable media, i.e. workstations that cannot accept USB drives or other third-party storage devices
- No personal computers or storage devices in ODCs
- Lockers for personal belongings outside of the ODCs
- Communication via authorized channels only, including client-provisioned email IDs
- Deployment of firewall, risk-monitoring, and content-filtering mechanisms at the client’s request
Application Security
Thought Apps will disclose the origin of all software components used in the product, including any open-source or third-party licensed components.
We can also have a periodic application security audit conducted by an independent organization that specializes in application security, at the Client’s expense, prior to delivery to the Client. At a minimum, the review can cover common software vulnerabilities. The review may include a combination of static analysis of the binary code, dynamic web application vulnerability scanning, and manual penetration testing. Overall application security ratings, with the aggregate number of flaws found by the independent organization, can be reported to Thought Apps, the Client, and the developer. All issues are then tracked and remediated. The developer tracks all security issues uncovered during the security review and throughout the entire life cycle, whether the issue arises in requirements, design, implementation, testing, deployment, or operation. The risk associated with each security issue is evaluated, documented, and reported to Thought Apps and the Client as soon as possible after discovery.
We use all commercially reasonable efforts consistent with sound software development practices, taking into account the severity of the risk, to resolve all security issues as quickly as possible.
Ongoing Audits
In an effort to build trust and lower the level of perceived risk for potential clients, Thought Apps audits itself and recommends periodic auditing by its clients of the procedures and policies that safeguard its clients’ IPR.
We understand that it would take only one major breach to ruin things for the entire Thought Apps business. Thought Apps places the greatest value on ensuring the protection of its clients’ IPR and source code.