Procurement Control

Status: Live

The organization will follow a set of procedures and standards that is consistent with the business organization's overall procurement process and acquisition strategy. [UCF ID 01136]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    The use of personal devices will be approved only in extreme cases and only if the owner signs a forfeiture statement in case of a security incident. [UCF Control ID 04599]

Authority documents complied with:

FFIEC IT Examination Handbook – Development and Acquisition, Pg 40, Exam Obj 6.1; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.a(5); Clinger-Cohen Act (Information Technology Management Reform Act), § 5201; CobiT 4.1, AI5.1; The Standard of Good Practice for Information Security, SD4.4.2; DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, § 2.2 (WIR0010); Archer Control Table, ATCS-539, ATCS-549, ATCS-613, ATCS-676, ATCS-765, ATCS-766, ATCS-767, ATCS-768, ATCS-769, ATCS-770, ATCS-771, ATCS-772, ATCS-797; Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009, § 4.6.1.F

Banking and Finance Guidance

The organization should distribute a request for proposals (RFP) to third parties. The RFP should define the functional, organizational, and system requirements. The vendor's proposal should address all of the requirements and other issues, such as compatibility of operating systems; delivery dates; licensing; escrow details; maintenance procedures; user training; and warranty information. [Pg 40, Exam Obj 6.1, FFIEC IT Examination Handbook – Development and Acquisition]

Payment Card Guidance

An organization will establish a list of company-approved products. For example, if a wireless Access Point (AP) needs to be replaced, substituting it with a non-sanctioned AP is not acceptable. [§ 4.6.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline, Version 1.2, July 2009]

US Federal Security Guidance

Only telecommunications or automated information systems (TAIS) and non-communication emitters that comply with this regulation should be procured. [§ 1-5.a(5), Army Regulation 380-19: Information Systems Security, February 27, 1998]

[§ 5201, Clinger-Cohen Act (Information Technology Management Reform Act)]

Other Configuration Guidance

Only devices that have been approved for use by the CIO should be used. [§ 2.2 (WIR0010), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4]

General Guidance

The organization is called upon to develop and follow a set of procedures and standards that is consistent with the business organization's overall procurement process and acquisition strategy, to ensure that the acquisition of IT-related infrastructure, facilities, hardware, software, and services satisfies business requirements. [AI5.1, CobiT 4.1]

The organization should have developed guidelines for selecting hardware and software, for identifying security weaknesses, and for reviewing and approving new hardware and software. [SD4.4.2, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.