Roles and responsibilities
Bouvet conducts development projects in many different ways, taking varying degrees of responsibility for project management, planning, development, quality assurance, and not least the operation and management of the solution. We also use our own, the client's, and third-party equipment, both during development and during management of the solution.
Regardless of how the project is executed, it is important that we are aware of how responsibilities are divided. This should be regulated in the agreement with the client, so we must ensure that we:
- Have control over our roles and responsibilities
- Have contact points with all involved parties
- Can follow up on deviations quickly so as to avoid misunderstandings or problems later in the project cycle
The delivery manager role is responsible for security in the delivery and for following up on any security concerns.
Operation and Management - Bouvet
The project may also fall under our ISO certifications. This is especially the case if we use our own equipment or infrastructure for development, operations, or management on behalf of the client. If this is the case, it means we have greater overall responsibility for the security of the solution, and it is important that the delivery team is aware of this.
All resources managed by the delivery team must be handled in line with all other infrastructure in Bouvet, so the team must have routines for patching and maintenance or ensure that this is handled. Be aware that client resources and data must be handled with separate backup routines so we do not mix data across clients or with our own internal data. Feel free to contact Internal IT & Security to see what they can deliver and assist with to simplify delivery and management.
Bouvet's Statements of Applicability (SOA, also called Declarations of Application) for ISO 27001 and ISO 42001 address the various controls related to information security and how we should relate to them. If we take on this role, your regional quality manager can assist with advice and guidance to ensure that our responsibilities are met.
Operation and Management - Client or Third Party
If we are only responsible for the development of the solution, it is important that we have defined the interface between us and the organization that takes over and continues to operate the solution:
- How should the handover take place?
- How do we ensure that the necessary hardware and systems have been set up and configured correctly?
- How do we ensure that all parties are aware of the requirements related to deployment, operational incidents, error corrections and similar?
Document the roles and responsibilities, together with other relevant information, in the source code system alongside the rest of the documentation. This increases visibility, and everyone always knows where to find the information.
Use of AI
If AI is included in the delivery, you must also clarify how this is regulated in the agreement. AI opens up many opportunities but also introduces new risks, in addition to amplifying existing risks, particularly related to privacy. The AI Act has not yet been enacted in Norway, but it is expected in the near future, and projects that build solutions covered by it should ensure compliance with the proposed AI Act in Norway.
AI as a tool
If you are going to use AI tools, you must ensure that this has been clarified with the client and that the agreement takes it into account. AI can be a fantastic tool, but it also opens up scenarios where we or the client can be harmed if responsibility and use are not clarified. If our equipment or infrastructure is to be used for new tools, this must be clarified with Internal IT & Security before the project starts so that licensing and the necessary risk assessments can be carried out.
More information
- Bouvet: Delivery Manager (internal link)
- Bouvet: Statement of Applicability ISO 27001 (internal link)
- Bouvet: Statement of Applicability ISO 42001 (internal link)