Security considerations for software procurement by the government

By: Yolynd Lobo, India Director, BSA

The Indian government has undertaken large-scale digitization of citizen services for increased convenience, transparency, and last-mile connectivity. With this, the quantum of data and information residing with the government and its agencies has grown drastically. Protecting critical data that is generated over e-governance portals is crucial, especially given the increasing risk of cyber threats.

In fact, Indian government establishments witnessed a 126% increase in cyber threats and attacks in 2013 as compared to 2012. The Indian government’s procurement market, estimated to be more than $300 bn, already accounted for nearly 25-30% of the country’s Gross Domestic Product (GDP) in 2012, according to a study by the Center for International Trade, Economics & Environment.

Of this, a large percentage is spent on IT and software procurement. According to Gartner, Indian government IT spending stood at $5.95 bn in 2012.

However, software procurement by government agencies in India is not centrally governed today. Central and state governments have evolved their own laws and regulations that treat the process of procurement differently.

The Indian government must put in place a robust policy and legal framework that mandates the incorporation of information security requirements in the procurement of software. Building awareness and sensitivity among government agencies, and encouraging them to utilise existing resources such as the e-Security Assurance Framework (eSAFE), the model RFP and the model Master Service Agreement (MSA), is also critical. Detailed security requirements must be included in the RFI/RFP process. Additionally, procurement guidelines must be based on international standards and be consistent across the centre and state levels.

For government agencies procuring software, it is important to build relevant skills to fully understand software supply chain issues, risks, solutions, standards, guidelines and best practices, in order to strengthen security. Government agencies should have skilled experts who can properly evaluate software across its entire lifecycle from a security standpoint.

The use of genuine software, procured from reliable sources, is an essential first step towards strengthening cyber security. Properly licensed software is essential for handling patch management while protecting against viruses. The use of unlicensed software not only makes data vulnerable to security breaches but also poses grave risks and hinders

As the security threat landscape continues to evolve, investment in software asset management (SAM) by the government is imperative. SAM, an ISO standard, looks at the entire infrastructure necessary for the effective management, control and protection of software assets, and matches software assets to licenses. Importantly, it also establishes the need for future upgrades and purchases.

It is crucial for the government and its agencies to adhere to globally recognized software asset management practices to avoid any leakage of citizens’ personal data due to malware in unlicensed software. The government should establish a formal, written policy against the use of unlicensed software and maintain a comprehensive log of all software deployed in its agencies to have a full view of its software inventory.

Only an enterprise-level software asset management program that is aligned to ISO-based SAM standards, such as Verafirm, can provide assurance on software compliance and help manage software licenses better.

A robust SAM program helps define four key factors, people, policies, processes, and infrastructure, that are essential for maintaining proper controls in an outsourced project. Implementation of SAM by the government, its agencies and various line ministries and departments will help them retain strategic control over their software assets. They will be able to manage all customized software assets created for various projects. SAM will also help them keep track of all licenses procured by third-party vendors for any specific project. This will lead to enhanced security.

We believe that this will lay the foundation for the success of the Indian government’s e-governance initiatives and large-scale adoption by citizens.