Acquisition or sale of facilities, technology, and services

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a product upgrade program., CC ID: 12216
  • Plan for selling facilities, technology, or services., CC ID: 06893
  • Acquire or sell an organization., CC ID: 12421
  • Establish, implement, and maintain payment and settlement functions for selling products and services., CC ID: 13538
  • Plan for acquiring facilities, technology, or services., CC ID: 06892
  • Acquire products or services., CC ID: 11450
  • Return acquired parts when necessary., CC ID: 11590
  • Establish, implement, and maintain facilities, assets, and services acceptance procedures., CC ID: 01144
  • Establish, implement, and maintain error handling procedures for the sale of products and services., CC ID: 13488
  • Establish, implement, and maintain a consumer complaint management program., CC ID: 04570


  • The requirements for acquiring resources must be defined from the development plan and the user requirements. The persons in charge of the user, system development, operation, and application maintenance departments must approve the acquisition requirements. This is a control item that constitutes a… (App 2-1 Item Number II.3(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization must develop a system to prevent the fraudulent or erroneous acquisition, use, or disposal of assets. They must develop and implement a system that when anything is acquired, used, or disposed of that has not undergone the proper procedures or approvals is immediately identified and… (Practice Standard § I.1(4) ¶ 3, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • IT acquisition methodology is worked into the initially planning phase for recordkeeping projects. Thus, the initial project plan for development of a recordkeeping system would distinguish and define the IT acquisition process. (User's Guide 7, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The Board should oversee major acquisitions. (§ VI.D, OECD Principles of Corporate Governance, 2004)
  • An organization will establish a list of company-approved products. For example, if a wireless Access Point (AP) needs to be replaced, substituting it with a non-sanctioned AP is not acceptable. (§ 4.6.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Two key factors for ensuring the Information Technology Service Continuity (ITSC) strategy and plans are appropriate as the organization and its environment changes are to ensure the procurement process for obtaining new IT systems includes a sign-off that resilience has not been compromised by any … (§ 5.6 ¶ 2(c), § 5.6 ¶ 2(d), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • Network service agreements should include security features, security levels, and management requirements for network services. The organization should monitor and audit the network service provider to ensure it is managing the network securely with features including encryption and authentication a… (§ 10.6.2, ISO 27002 Code of practice for information security management, 2005)
  • Organizational personnel should review the acquisition process to ensure it is consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. (ID 1.2.4, AICPA/CICA Privacy Framework)
  • Products that are covered by this part shall comply with all applicable requirements. An agency shall ensure products comply with the requirements when developing, procuring, maintaining, or using electronic and information technology, unless it would impose an undue burden. (§ 1194.2(a), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • Verify that new products are evaluated to ensure they meet the compliance requirements. (Obj 3 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Executive agency heads are encouraged to develop and use best practices when acquiring information technology. (§ 5112(f), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The audit policy should state which phases of the system development lifecycle the audit team will be involved in when acquiring applications and systems. (Pg 18, FFIEC IT Examination Handbook - Audit, August 2003)
  • The acquisition process should include developing a detailed list of the functional, security, and system requirements; developing vendor selection criteria; and reviewing contracts and licensing agreements. (Pg 39, Exam Obj 6.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The acquisition process should include developing a detailed list of the functional, security, and system requirements; developing vendor selection criteria; and reviewing contracts and licensing agreements. (Pg 31, Exam Obj 4.3, FFIEC IT Examination Handbook - Management)
  • The organization must develop, document, and distribute a system and services acquisition policy and procedures for the implementation of the system and services acquisition security controls. (§ 5.6.14, Exhibit 4 SA-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • When obtaining products, organizations should ensure they are both WPA2-certified and FIPS-validated; use FIPS-validated cryptographic modules; support NIST AES key wrap with 128-bit HMAC-SHA-1; support the organization's chosen EAP method; communicate in a secure manner; are able to terminate assoc… (§ 7.3.2, Table 8-3 Item 21 thru Table 8-3 Item 36, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • A brief mention is made of creating a plan for acquiring IT resources within the context of security purposes, while the ISF standard defines a plan much like FFIEC Development and Acquisitions, wherein the acquisition plan and procedures are entirely separate from the SDLC (yet still inherently lin… (§ 3.4.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the system and services acquisition policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the systems and services acquisition policy … (SA-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)