Include operational requirements in system acquisition contracts.

CONTROL ID
00825
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

This Control has the following implementation support Control(s):
  • Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts., CC ID: 06890

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; (4.4 29(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • Before deciding to deploy a security measure, the organization must produce a detailed Operational Requirement, which should clearly define what the system is expected to achieve. (Mandatory Requirement 62, HMG Security Policy Framework, Version 6.0 May 2011)
  • Additional, specialized controls should be defined in a contract. (CF.16.01.05c, The Standard of Good Practice for Information Security)
  • Service agreements should specify maximum permissible down-time. (CF.07.07.02f, The Standard of Good Practice for Information Security)
  • Service agreements should specify critical timescales (i.e., the timescale beyond which a loss of service would be unacceptable to the organization). (CF.07.07.02g, The Standard of Good Practice for Information Security)
  • When determining the requirements for outsourcing, the organization should identify particularly critical or sensitive business environments. (CF.16.03.02c, The Standard of Good Practice for Information Security)
  • Service agreements should specify maximum permissible down-time. (CF.07.07.02f, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify critical timescales (i.e., the timescale beyond which a loss of service would be unacceptable to the organization). (CF.07.07.02g, The Standard of Good Practice for Information Security, 2013)
  • When determining the requirements for outsourcing, the organization should identify particularly critical or sensitive business environments. (CF.16.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Additional, specialized controls should be defined in a contract. (CF.16.01.06b, The Standard of Good Practice for Information Security, 2013)
  • The using or acquiring organization should define the storage space requirements for the organizational records, metadata, and audit files. (§ C3.1.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The using or acquiring organization should define the acceptable Records Management Application system reliability, availability, response times, and downtimes to satisfy the business requirements. (§ C3.1.3, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The using or acquiring organization should define the Operating System that the Records Management Application will run on. (§ C3.1.5, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • The using or acquiring organization should define the network environment that the Records Management Application will run in. (§ C3.1.6, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Automated access control manufacturers must assure in writing that their systems meet the following standards: the chances of an unauthorized individual gaining access through the normal use of the equipment is not more than 1 in 10,000, and the chances of an authorized user being rejected through n… (§ 5-313, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The agency's information system shall generate audit records for defined events. These defined events include identifying significant events which need to be audited as relevant to the security of the information system. The agency shall specify which information system components carry out auditing… (§ 5.4.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The organization should ensure contracts to procure authentication systems are written to provide protection in case the vendor cannot provide the required number of systems. (§ 8.2.8, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)