Establish and maintain an acquisition strategy for acquiring outsourced or off-the-shelf products and/or services.

UCF ID: 01133
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Pg 40, Exam Obj 6.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 8, Pg 9, Exam Tier I Obj 3.2, Exam Tier II Obj A.1; Clinger-Cohen Act (Information Technology Management Reform Act), § 5122; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § F.4.5.1; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 3.2.7(b); The Standard of Good Practice for Information Security, SM6.4.2, SD4.4.3

Banking and Finance Guidance

The acquisition standards should address the same requirements as the development standards. The acquisition standards should focus on which controls the product has already built into it. [Pg 40, Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]

The organization should develop a requirements definition document to use for deciding which outsource provider to select for a contract. This document should contain descriptions of the organization's expectations for the outsource provider. It should include information on the scope and nature of the work (service description and customer support); standards and service levels (availability, quality, continuity, security, and change management); service provider characteristics (experience, reputation, technology architecture, and legal and compliance history); monitoring and reporting (measurement requirements, right to audit, and responses to security events); transition requirements (training and migration of data to the service provider); contract duration and termination and assignment of rights and property (terms of the contract, confidentiality of data, dispute resolution, right to cancel, ownership of data, and return of data); and protections against liability (indemnification and insurance). [Pg 8, Pg 9, Exam Tier I Obj 3.2, Exam Tier II Obj A.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

US Federal Security Guidance

Provides an acquisition strategy that requires IT to be procured off-the-shelf or through contract; as a result, the acquisition strategy, provided the government agency determines it is feasible, will always result in the acquisition of IT from an outside source. [§ 5122, Clinger-Cohen Act (Information Technology Management Reform Act)]

Records Management Guidance

You should determine whether you will buy the services needed to build, or build yourself. You can use in-house technology, bring in additional technology from outside and tailor it to suit your needs, or have someone else design the additional technology. Cost, flexibility, and speed of integration are generally the biggest factors in choosing among these possibilities. [§ F.4.5.1, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

[§ 3.2.7(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]

General Guidance

Formulation of an acquisition strategy is not explicitly called for, because the acquisition section of the standard refers only to technology acquired through third parties. The ISF Standard of Good Practice for Information Security, like FFIEC, separates development from acquisition, so any other formulated strategy would most likely be produced during initial planning for systems design.
The organization should supply remote workers with approved computers. These computers should be purchased from approved suppliers, tested before being issued to remote users, supported by a maintenance agreement, and fitted with physical controls to protect against theft. New hardware and software should be acquired from an approved supplier, meet the organization's security requirements, be highly reliable, and be covered by a maintenance contract with the supplier.
[SM6.4.2, SD4.4.3, The Standard of Good Practice for Information Security]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.