UCF ID: 01123
Control Type: IT Impact Zone
Status: Live
Supporting and supported controls
This is a top level control.
This control has the following supporting controls:
• Define security requirements and/or specifications in information system acquisition contracts. [UCF Control ID 01124]
• Identify and consider alternative courses of action to meet security requirements when acquiring IT assets. [UCF Control ID 01128]
• Conduct an acquisition feasibility study for acquiring off-the-shelf or customized products. [UCF Control ID 01129]
• Establish and maintain an acquisition strategy for acquiring outsourced or off-the-shelf products and/or services. [UCF Control ID 01133]
• Ensure third-party outsourcing providers meet organizational standards and employ adequate compliance controls. [UCF Control ID 01134]
• Conduct a risk analysis of major acquisition project to determine operational risks and have the report approved by appropriate personnel. [UCF Control ID 01135]
• Establish and maintain procedures and standards for procuring hardware, software, services, and facilities. [UCF Control ID 01136]
• Establish and maintain a software product acquisition methodology. [UCF Control ID 01138]
• Establish and maintain procedures for the acceptance of facilities, technology, and technology services. [UCF Control ID 01144]
• Allocate sufficient resources, as part of the capital planning process, to protect information systems. [UCF Control ID 01444]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.2.4; AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.8, ¶ .20 § 3.11, ¶ .24 § 3.12, ¶ .29 § 3.11; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 3 (Processes); FFIEC IT Examination Handbook – Audit, August 2003, Pg 18; FFIEC IT Examination Handbook – Development and Acquisition, Pg 39, Exam Obj 6.1; FFIEC IT Examination Handbook – Information Security, Exam Tier II Obj H.4; FFIEC IT Examination Handbook – Management, Pg 31, Exam Obj 4.3; Clinger-Cohen Act (Information Technology Management Reform Act), § 5312(c)(1); FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.14, Exhibit 4 SA-1; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, User's Guide 7; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.4.3; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § SA-1, App F § SA-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, SA-1; CobiT, Version 4.1, AI3.1; The Standard of Good Practice for Information Security, SM4.3.2(b), SM4.3.2(c), CI2.5.3(b), CI2.5.3(c), NW1.3.3(a), SD4.4.1; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 10.6.2; ISO/IEC 27002 Code of practice for information security management, 2005, § 10.6.2; OECD Principles of Corporate Governance, 2004, § VI.D; Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007, § 7.3.2, Table 8-3 Item 21 thru Table 8-3 Item 36; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.6.1.F; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCAS-1; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.6 ¶ 2(c), § 5.6 ¶ 2(d)
Banking and Finance Guidance
Verify that new products are evaluated to ensure they meet the compliance requirements. [Obj 3 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
The audit policy should state which phases of the system development lifecycle the audit team will be involved in when acquiring applications and systems. [Pg 18, FFIEC IT Examination Handbook – Audit, August 2003]
The acquisition process should include developing a detailed list of the functional, security, and system requirements; developing vendor selection criteria; and reviewing contracts and licensing agreements. [Pg 39, Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]
[Exam Tier II Obj H.4, FFIEC IT Examination Handbook – Information Security]
The acquisition process should include developing a detailed list of the functional, security, and system requirements; developing vendor selection criteria; and reviewing contracts and licensing agreements. [Pg 31, Exam Obj 4.3, FFIEC IT Examination Handbook – Management]
Payment Card Guidance
An organization will establish a list of company-approved products. For example, if a wireless Access Point (AP) needs to be replaced, substituting it with a non-sanctioned AP is not acceptable. [§ 4.6.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]
US Federal Security Guidance
§ 5312(c)(1) The act does not define a documented plan for general governmental acquisition of IT, but does require a similar, albeit more narrowly focused acquisition plan for use in its “Solutions-based Contracting” pilot program. [§ 5312(c)(1), Clinger-Cohen Act (Information Technology Management Reform Act)]
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Have you examined the System Security Authorization Agreement (SSAA) to ensure that only approved products from the NIST-approved product list are acquired? [DCAS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]
US Internal Revenue Guidance
The organization must develop, document, and distribute a system and services acquisition policy and procedures for the implementation of the system and services acquisition security controls. [§ 5.6.14, Exhibit 4 SA-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
Records Management Guidance
IT acquisition methodology is worked into the initial planning phase for recordkeeping projects. Thus, the initial project plan for development of a recordkeeping system would distinguish and define the IT acquisition process. [User's Guide 7, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
NIST Guidance
A brief mention is made of creating a plan for acquiring IT resources within the context of security purposes, while the ISF standard defines a plan much like FFIEC Development and Acquisitions, wherein the acquisition plan and procedures are entirely separate from the SDLC (yet still inherently linked). [§ 3.4.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
App F § SA-1 The organization must develop, document, disseminate, implement and periodically review and update a system and services acquisition policy and procedure that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination within the organization, and compliance.
App F § SA-3 The organization should create a policy to manage the information system using a system development life cycle methodology that includes information security considerations; define and document information system security roles and responsibilities throughout the system development life cycle; and identify individuals having information system security roles and responsibilities. [App F § SA-1, App F § SA-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure the system and services acquisition policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the systems and services acquisition policy and procedures control. Any problems discovered during the implementation of the systems and services acquisition policy and procedures control should be documented and used to improve the controls. The systems and services acquisition policy and procedures should be examined for purpose, scope, and responsibilities; compliance with laws, regulations, and directives; and consistency with the organization's mission and function.
Interviews should be conducted with personnel who are responsible for acquiring services and systems for the organization. [SA-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
When obtaining products, organizations should ensure they are both WPA2-certified and FIPS-validated; use FIPS-validated cryptographic modules; support NIST AES key wrap with 128-bit HMAC-SHA-1; support the organization's chosen EAP method; communicate in a secure manner; are able to terminate associations after a configurable time period; log security events and forward them to audit servers in real time; support SNMPv3; support authentication and data encryption for administrative sessions; support independent management interfaces; allow mobile devices to be configured to specify valid authentication servers by name; support IPsec or another security method for mutually-authenticated secure communications; support Network Time Protocol (NTP); and use software and/or firmware that is easily upgradable. [§ 7.3.2, Table 8-3 Item 21 thru Table 8-3 Item 36, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007]
ISO Guidance
Network service agreements should include security features, security levels, and management requirements for network services. The organization should monitor and audit the network service provider to ensure it is managing the network securely with features including encryption and authentication and procedures to restrict access. [§ 10.6.2, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
Network service agreements should include security features, security levels, and management requirements for network services. The organization should monitor and audit the network service provider to ensure it is managing the network securely with features including encryption and authentication and procedures to restrict access. [§ 10.6.2, ISO/IEC 27002 Code of practice for information security management, 2005]
General Guidance
Organizational personnel should review the acquisition process to ensure it is consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]
The acquisition of software related to system security should be consistent with the organization's security policy. [¶ .17 § 3.8, ¶ .20 § 3.11, ¶ .24 § 3.12, ¶ .29 § 3.11, AICPA Suitable Trust Services Principles and Criteria]
The organization is called upon to produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organization's technology direction. The plan should consider future flexibility for capacity additions, transition costs, technical risks and the lifetime of the investment for technology upgrades. Assess the complexity costs and the commercial viability of the vendor and product when adding new technical capability. [AI3.1, CobiT, Version 4.1]
Documented procedures and standards should be developed for the acquisition of hardware and software. Security requirements and high reliability should be considered when acquiring new hardware and software. [SM4.3.2(b), SM4.3.2(c), CI2.5.3(b), CI2.5.3(c), NW1.3.3(a), SD4.4.1, The Standard of Good Practice for Information Security]
EU Guidance
The Board should oversee major acquisitions. [§ VI.D, OECD Principles of Corporate Governance, 2004]
UK and Canadian Guidance
Two key factors for ensuring the Information Technology Service Continuity (ITSC) strategy and plans remain appropriate as the organization and its environment change are: ensuring the procurement process for obtaining new IT systems includes a sign-off that resilience has not been compromised by any of the improvements or upgrades; and ensuring a resilience assessment is included in the due diligence on merger and acquisition activities. [§ 5.6 ¶ 2(c), § 5.6 ¶ 2(d), PAS 77 IT Service Continuity Management. Code of Practice, 2006]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
