Outsourced Development Policy

The Outsourced Development Policy (P28) establishes a comprehensive framework for securely managing software or system development projects executed by external vendors, contractors, or agencies. Its primary purpose is to embed security controls and governance mechanisms throughout the entire development lifecycle, from planning and contract negotiation to delivery, monitoring, and post-engagement activities. By mandating a clearly defined set of security obligations, ranging from due diligence checks and risk assessments to enforced coding standards and contractual requirements, the policy aims to safeguard the confidentiality, integrity, and availability of all organization-developed software. The scope of the policy extends to any company initiative that involves third-party development, including web and mobile applications, embedded systems, APIs, internal and commercial platforms, and automation workflows. Notably, it also governs any external entity requiring access to the organization's source code, test environments, or CI/CD pipelines. The requirements apply regardless of where or how the vendor operates, ensuring geographical or contractual distinctions do not create security gaps. The policy's objectives are rooted in minimizing exposure to supply chain threats, legal non-compliance (such as with GDPR or DORA), intellectual property theft, and insecure coding practices that could introduce vulnerabilities or regulatory risk. To achieve this, it assigns explicit responsibilities to Executive Management, CISOs, Procurement and Legal, Project and Product Owners, Information Security, and external vendors. Central to this approach is the Third-Party Development Register, a single source of truth for all vendor engagements, due diligence findings, exception logs, and contract statuses. Governance requirements include vendor due diligence, security risk assessment, and a set of minimum contractual controls, such as adherence to secure coding frameworks, security testing, IP ownership specifications, NDA executions, and right-to-audit clauses. Source code is managed exclusively through enterprise-controlled platforms, with branch protection, peer review, and strict offboarding protocols preventing code leakage or unauthorized reuse. All third-party access is provisioned under time-bound, least-privilege governance, monitored via audit logs, and rapidly revoked upon engagement closure. Integration of vendor repositories into enterprise security tools for code analysis, CI/CD policy enforcement, and deviation management is required whenever feasible. Exception requests are handled through a formal risk treatment and approval process led by the CISO, including documentation of justification, risk mitigation, and remediation timelines. The Information Security Team conducts ongoing monitoring and compliance audits, with violations resulting in immediate access revocation, project suspension, legal action, or disciplinary measures as appropriate. This policy is reviewed at least annually or following changes in the regulatory landscape, incident response findings, or internal audit outputs. All changes are version controlled, communicated, and referenced in procedural documentation. Through these mechanisms and its close mapping to leading international standards and legal mandates, the Outsourced Development Policy ensures third-party software delivery remains secure and compliant, shielding the organization from the evolving risks of outsourced development.