Central and state governments have evolved their own laws and regulations which treat the process of software procurement differently and often do not address security requirements.
BSA | The Software Alliance along with Data Security Council of India (DSCI)releasedtheir lateststudy titled, “Security considerations in software procurement by government agencies in India”, undertaken in partnership with the. The studyunveiled today by Mr. Anurag Singh Thakur, Chairman, Parliamentary Committee on IT, takes a detailed look at theIndian government’s and its various agencies’ existing software procurement policies and outlines global best practices for software procurement. It aims to help streamline the central and state governments’ procurement processes and encourage the use of properly licensed software to minimize security threats.Currently, a comprehensive legal framework or mandatory policy guidelines for driving software procurementby government agencies is absent. Central and state governments have evolved their own laws and regulations which treat the process of software procurement differently and often do not address security requirements.
“As we continue to digitize government services for increased transparency and convenient citizen services, the quantum of data and information residing with the government and its agencies has grown drastically. Maintaining data confidentiality and security has,thus, gainedprecedence,”said Mr. Anurag Singh Thakur, Chairman, Parliamentary Committee on IT. “We welcome this report by BSA, which presents recommendations to help streamline the government agencies’ procurement processes with special emphasis on security.”’
“As an increasing number of government departments get connected, the complexity and scale of software deployed coupled withthe Government’s spends on IT, are also on the rise. The quality of software used in mission critical systems and its role in maintaining high-levels of security, is crucial,” said Yolynd Lobo, India Director, BSA. “We, at BSA, believe that the using genuine software, procured from reliable sources is an essential first step that the government must implement to minimize exposure to data breaches and security threats.”
The study underscores a strong need to add security as one of the evaluation criteria for assessing software and/or software provider during the procurement process. Other recommendations include :
The government should mandate incorporation of information security requirements in the procurement of software by government agencies including central and state agencies through an appropriate policy and legal framework.
Thegovernment must include detailed security requirements in the RFI / RFP process for procuring software.
Assess software security through its entire lifecyclefrom design anddevelopment to testing and maintenance against international standards
Eliminate counterfeit and unlicensed software from the software supply chains to reduce security vulnerabilities
Create a Centre of Excellence (CoE) through the public-private partnership model to provide procedural and technical guidance to the government agencies vis-à-vis addressing software security risks and meeting the legal or regulatory requirements
Increase awareness on the benefits of procuring legitimate software andusing secure software lifecycle management; software supply chain issues, risks, solutions, standards, guidelines and best practices.
“As government services move to electronic platforms, software has taken a central role. Evaluating software from a security standpoint during procurement is imperative. It is promising to see the government’s willingness to adopt security best practices to avoid data breaches. I hope the government will find our recommendations useful and mandate incorporation of security requirements in its procurement processes”, said R. Chandrashekhar, President, NASSCOM.
“In a worsening global threat landscape, it is heartening to see that the government departments and agencies understand information security requirements for addressing security risks. They are aware of the need to continuously adopt best security practices and technologies to keep pace with the new attack vectors that are rapidly emerging. I hope the government will find this report and our recommendations for the ‘software procurement lifecycle’ from the security point of view, useful”, said Dr. Kamlesh Bajaj, CEO, DSCI.
