Conduct a risk analysis of each major acquisition project to determine its operational risks, and have the report approved by appropriate personnel.

UCF ID: 01135
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 6.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.1; Clinger-Cohen Act (Information Technology Management Reform Act), § 5122(b)(5); Federal Information System Controls Audit Manual (FISCAM), February 2009, SP-1; GAO/PCIE Financial Audit Manual (FAM), § 260.44; CobiT, Version 4.1, AI1.2, AI1.4; The Standard of Good Practice for Information Security, SM3.3.2(b), SM4.3.4, CB5.3.8, CI5.4.9, NW4.4.9; BIS Sound Practices for the Management and Supervision of Operational Risk, Principle 4; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCDS-1; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 44

Banking and Finance Guidance

[Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]

The organization should analyze each Request for Proposal (RFP) response to ensure it meets the organization's needs. The following information should be confirmed and assessed to ensure the service provider meets the RFP requirements: corporate history; qualifications and backgrounds of principal(s); references; reviews of financial statements; reputation; delivery capability; technology architectures; security history; legal and regulatory compliance; insurance coverage; and the ability to meet disaster recovery and business continuity requirements. [Pg 11, Exam Tier I Obj 3.3, Exam Tier II Obj B.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

Prior to new products or services being introduced in the organization, the operational risks should be assessed. [Principle 4, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

[§ 5122(b)(5), Clinger-Cohen Act (Information Technology Management Reform Act)]

[SP-1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

[§ 260.44, GAO/PCIE Financial Audit Manual (FAM)]

Acquisition or outsourcing of dedicated IA services such as incident monitoring, analysis and response; operation of IA devices, such as firewalls; or key management services are supported by a formal risk analysis and approved by the DoD Component CIO. [DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

The bank should conduct quality assurance reviews whenever it engages in a significant combination with another institution or acquires another business. [¶ 44, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]

General Guidance

The organization is called upon to identify, document and analyze risks associated with the business processes as part of the organization's process for the development of requirements. Risks include threats to data integrity, security, availability, privacy, and compliance with laws and regulations. Required internal control measures and audit trails should be identified as part of these requirements.
The organization is called upon not to move forward with any project until the business sponsor approves and signs off on the business functional and technical requirements and the feasibility study reports at predetermined key stages. Each sign-off follows successful completion of quality reviews. The business sponsor has the final decision with respect to the choice of solution and acquisition approach.
[AI1.2, AI1.4, CobiT, Version 4.1]

A risk analysis should be performed at an early stage of development for all systems and networks, and prior to major application or network changes, to determine whether the changes will pose a risk. All new hardware and software should be approved by appropriate personnel. [SM3.3.2(b), SM4.3.4, CB5.3.8, CI5.4.9, NW4.4.9, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.