Identify and include alternatives to meeting the security requirements when acquiring assets.


CONTROL ID: 01128
CONTROL TYPE: Acquisition/Sale of Assets or Services
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The FI should clearly specify security requirements relating to system access control, authentication, transaction authorisation, data integrity, system activity logging, audit trail, security event tracking and exception handling in the early phase of system development or acquisition. The FI shoul… (§ 6.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should assess if a source code escrow agreement should be in place, based on the criticality of the acquired software to the FI's business, so that the FI can have access to the source code in the event that the vendor is unable to support the FI. Suitable alternatives to replace the software… (§ 5.3.4, Technology Risk Management Guidelines, January 2021)
  • Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor. (AI1.3 Feasibility Study and Formulation of Alternative Courses of Action, CobiT, Version 4.1)
  • The risk of potential security weaknesses in hardware / software should be reduced by considering alternative methods of providing the required level of security (e.g., an alternative method of authentication or additional application and system monitoring). (CF.16.02.06c, The Standard of Good Practice for Information Security)
  • The risk of potential security weaknesses in hardware / software should be reduced by considering alternative methods of providing the required level of security (e.g., an alternative method of authentication or additional application and system monitoring). (CF.16.02.06c, The Standard of Good Practice for Information Security, 2013)
  • Purchase additional technology to include hardware, software and services to protect ePHI. (§ 4.1.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization should identify system components for which alternative sourcing is not viable. (App F § SA-14(1)(a), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)