Selecting a Safe Software Outsourcing Vendor
When selecting a software outsourcing vendor in China, foreign firms should perform due diligence on the vendor's internal IP protection policies and systems. Due diligence should address security on three levels: operational, cultural and legal.
Operational
- Is the vendor a pure service provider, or is it a product company? Pure service providers have no stake in the IP they develop for clients, whereas product companies may be tempted to use technology they gain access to in order to improve their own product or to develop a new one that could become a competitor.
- Is the vendor a private firm, or partially owned by the government? The Chinese government is the main owner of most software companies in China and the primary technology catalyst in the country. Partnering with a vendor that is wholly or partially owned by the government may create an uncomfortable situation for the vendor if the government finds a foreign firm's technology or source code of interest.
- What physical security measures does the vendor employ? Due diligence should include a site visit to look for items such as: CCTV cameras covering doorways, separate workspaces with badge-based access levels for vendor employees, high-security (biometric) locks on server rooms, secure phones, printers and faxes, segregated LANs, locked-down workstations (USB ports and other third-party devices disabled), firewalls, intrusion detection systems, offsite backup, etc.
- What development processes does the vendor use? Do they have CMM certification, and to what level? Do they have BS7799 or ISO 27001 procedures in place? Vendors with international certifications such as CMM Level 5 and ISO 27001 typically have a modern view of IP protection and the processes in place to safeguard their clients' technology.
Cultural
- Review the vendor's staff training, especially new hire orientation. Does the vendor include IP protection in this training?
- Is the vendor aggressive about finding potential security leaks in its own organization? Does it use third-party firms for penetration tests? The most progressive vendors offer bonuses to their own staff if they are able to breach in-house security.
- How does the vendor handle security issues with its staff? Does the vendor make all security non-compliance public? Are financial penalties enforced? Review the vendor's employee handbook.
- Ask about prior breaches. Surprisingly, many companies forget to ask this. Have there been prior breaches? How was the breach handled? What were the consequences?
Legal
- Review the vendor's employment contracts, as well as IPR contracts that they sign internally.
- Ask the vendor for their standard Non-Disclosure Agreement (NDA), and ask if individual employees within the vendor's organization are able to sign NDAs with clients directly.
- Does the vendor do background checks on its new hires? Does it include a criminal background check? What else does the vendor look for? What are the consequences when discrepancies are found?
- Employee handbook: How does the vendor describe IP protection to its staff, and what are the legal actions that the vendor will take against staff if there is IP theft?
- What is the litigation history of the vendor? Have they ever been to court over IP issues?
- Who are the vendor's owners/partners? Perform due diligence on all major owners and partners.
China not only represents a low-cost alternative for software development, but also offers highly skilled architects and developers who can assist multinational firms in building and deploying state-of-the-art applications and systems. The Chinese government continues to invest in the software industry, especially outsourcing, and is therefore expanding the rules and regulations needed to protect IP. Mr. Eric Rongley, Chairman of the InfoComm Committee of the American Chamber of Commerce in Shanghai, stated, "The Chinese government, especially in Shanghai, is working hard to improve the environment for IP rights, and it welcomes the support of the foreign business community."
