Roles and responsibilities
A lack of clarity in our responsibilities and those of others can have huge consequences for a project, so this must be clarified beforehand. It is especially important if companies other than us and the client are involved, as tasks and roles tend to fall through the cracks because everyone thinks "someone else" will handle it.
Bouvet conducts development projects in many different ways, where we take more or less responsibility for project management, planning, development, quality assurance, and not least the operation and management of the solution. We also involve our own, the client's, and third-party equipment during both the development and the management of the solution.
Regardless of how the project is executed, it is important that we are aware of how responsibilities are divided. This should be regulated in the agreement with the client, so we must ensure that we:
- Have control over our roles and responsibilities
- Have contact points with all involved parties
- Can follow up on deviations quickly so as to avoid misunderstandings or problems later in the project cycle
Operation and Management - Bouvet
If we are responsible for the operation and management of the solution in our infrastructure, our certification for ISO 27001 - Information Security will apply to it. This means that we have a greater overall responsibility for the security of the solution, and it is important that the delivery team is aware of this.
All resources managed by the delivery team must be handled in line with all other infrastructure in Bouvet, so the team must have routines for patching and maintenance or ensure that this is handled. Feel free to check with Internal IT & Security to see what they can deliver and thus manage on behalf of the team to simplify management.
Bouvet's Statement of Applicability/Declaration of Application (SOA) addresses various controls related to information security and how we should relate to them. The SOA can be found in the internal management system. If we take on responsibility for operation and management, your regional quality manager can assist with advice and guidance to ensure that all responsibilities are covered.
Operation and Management - Client or Third Party
If we are only responsible for the development of the solution, it is important that we have defined the interface between us and the organization that takes over and continues to operate the solution:
- How should handover occur?
- How do we ensure that the necessary hardware and systems have been set up and configured correctly?
- How do we ensure that all parties are aware of the requirements related to deployment, operational incidents, error corrections and similar?
Document the roles and responsibilities and other relevant information in the source code system along with other documentation. This increases its visibility and makes it the single source of up-to-date information for the whole team.
More information
- Bouvet: Statement of Applicability (internal link)