  • Creator
  • #2250247

    Source code policy


    by chandraram ·

    Hello everybody

    I am now working for a company whose major work is in internationalizing software products developed by its clients. This necessitates that we work directly with and modify their source code. I am required to create a policy document that would spell out the security measures that my company can put in place to make sure that the clients’ code is kept confidential.

    Anybody in similar situations now or in the past? Any suggestions on what I should include in this document?

    Thank you in advance

All Comments

  • Author
    • #3275617

      Confidential from whom

      by tony hopkinson ·

      In reply to Source code policy

      From those outside your organisation, would be the hopefully sound measures you have to protect your own stuff.

      What’s the plan for getting hold of their source?

      How are you going to store it while you are working on it?

      How are you going to send it back?

      Who is going to be working on it?

      Where are they going to work on it? Telecommuters or those with portables will increase the number of potential failure points, for instance.

      Another thing I’d look at is attempting to safeguard my company from being blamed for a leak in the client’s company.

      • #3275528

        Securing from…

        by chandraram ·

        In reply to Confidential from whom

        We have restricted access to the client’s dedicated code server whenever the client needs to drop off the latest source to our team.

        After this, the code resides on our internal server and is only accessed by our developers from inside our office premises.

        What I am looking at is creating and implementing a source code security policy that will increase the confidence level of the client.

        And, thank you for that information about making sure that client leaks are not blamed on us.

        • #3275499

          Well hopefully you have a version control system

          by tony hopkinson ·

          In reply to Securing from…

          Put the source in that and restrict access. If each client is a project you can even limit the number of developers who can access it, though that might limit your operational freedom.
          Given that your own network is secure and you have a secure link to the client, the concerns would be your own employees disclosing the code, which should be unlikely, or an operational failure where you mixed your clients up and sent them someone else’s source.
          You can do a bit about the latter, mainly some sort of signoff procedure which highlights the potential danger, so hopefully that sort of carelessness is inflicted on you.

          IP confidentiality with your employees applies as much to your company’s own stuff as it does to your clients’. Certainly any protection and confidence measures will be the same.

        • #3275472

          Yes, we do…

          by chandraram ·

          In reply to Well hopefully you have a version control system

          We have a fairly good version control system in place, where I can set user access rights for each folder.

          I will have to include the bit about the signoff procedure in my document.
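
          The thread does not say which version control system is in use; the following is an added example, not configuration from the original posts, and assumes Subversion’s path-based authorization file (the `authz` file read by `svnserve` or `mod_authz_svn`). The repository names (`acme`, `globex`), group names and user names are made up for illustration. It shows the per-client restriction Tony describes: a default-deny rule at the root, with each client’s code readable and writable only by the developers assigned to that client, and the version-control administrators as the only cross-client role. The commented-out line at the top of the `[/]` section is the common mistake to avoid: a read-all rule at the root quietly grants every developer read access to every client’s source, which is exactly the cross-client exposure the signoff procedure is meant to catch.

```ini
; Added example (not from the original thread): Subversion authz file
; with one repository per client and default deny at the root.
; Repository and account names below are placeholders.

[groups]
; Developers assigned to each client engagement.
client_acme   = alice, bob
client_globex = carol
; Version-control administrators (deliberately kept small).
vcs_admins    = dave

; Applies to every repository served from this parent directory.
[/]
; WEAK SETTING (do not use): grants every authenticated user read
; access to every client's source tree.
; * = r
;
; Correct default: nobody has access unless a more specific rule
; below grants it. An empty right-hand side means "no access".
* =
@vcs_admins = rw

; Per-client repositories: only that client's team can read or commit.
; The "repo:/path" form scopes the rule to one repository.
[acme:/]
@client_acme = rw

[globex:/]
@client_globex = rw

; Example of a finer folder-level restriction inside one client's
; repository: a subtree only the admins may write to, such as
; the client's original drop-off, kept read-only for developers.
[acme:/vendor-drop]
@client_acme = r
@vcs_admins  = rw
```

          Subversion evaluates the most specific matching path for a given repository, so the `[acme:/vendor-drop]` section overrides the repository-wide `rw` for that subtree, and an account that is in no group (or a client’s developers in another client’s repository) falls through to the root rule and is denied. Groups should be mirrored from the staffing list for each engagement so that removing a developer from a project is a one-line change here rather than a hunt through per-folder rules.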


        • #3274949

          Another thing to think about

          by jamesrl ·

          In reply to Yes, we do…


          I would suggest that those with access to the accounts which are allowed to do backups are also those who need to be “controlled” in order to keep the data confidential. In some cases people encrypt the backup files so that not every sys admin can access it (as long as there are at least 2).

          Do you put the software in escrow? That’s another group of people with access…


        • #3276371


          by chandraram ·

          In reply to Another thing to think about

          are the domain of the sys admin and we have just one. I do believe the backup is encrypted.

          Could you explain a bit about what you mean by putting the software in escrow?

