Status: Live
The organization will document the software product acquisition methodology. [UCF ID 01138]
Supporting and supported controls
This control directly supports:
• Acquisition of facilities, technology, and services [UCF Control ID 01123]
This control has the following supporting controls:
• Contract for and manage escrowed documentation [UCF Control ID 01139]
• Software licensing [UCF Control ID 01140]
• Establish third-party software maintenance agreements [UCF Control ID 01143]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 66, Exam Tier I Obj 4.1; Clinger-Cohen Act (Information Technology Management Reform Act), § 5202.35(c); CobiT 4.1, AI5.4; The Standard of Good Practice for Information Security, SM4.3.1(a); Archer Control Table, ATCS-217, ATCS-218, ATCS-408, ATCS-412, ATCS-538, ATCS-540
Banking and Finance Guidance
When acquiring software, the organization should look at how the vendor responds to security issues, the quality of security patches, and the vulnerability history of other software from the same vendor. [Pg 66, Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
[§ 5202.35(c), Clinger-Cohen Act (Information Technology Management Reform Act)]
General Guidance
The organization is called upon to ensure that its interests are protected in all acquisition contractual agreements. Include and enforce, in the contractual terms for the acquisition of software, the rights and obligations of all parties involved in the supply and ongoing use of that software. These rights and obligations may include ownership and licensing of intellectual property, maintenance, warranties, arbitration procedures, upgrade terms, and fitness for purpose (including security), escrow, and access rights. [AI5.4, CobiT 4.1]
Asset management procedures should exist to cover the acquisition of software and hardware. [SM4.3.1(a), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
