Conduct an acquisition feasibility study prior to acquiring assets.
CONTROL ID
01129
CONTROL TYPE
Acquisition/Sale of Assets or Services
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

This Control has the following implementation support Control(s):
  • Include a Business Impact Analysis in the acquisition feasibility study., CC ID: 16231
  • Include environmental considerations in the acquisition feasibility study., CC ID: 16224
  • Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study., CC ID: 01135
  • Approve the risk assessment report of operational risks as a part of the acquisition feasibility study., CC ID: 11666
  • Establish test environments separate from the production environment to support feasibility testing before product acquisition., CC ID: 01130
  • Establish test environments separate from the production environment to support integration testing before product acquisition., CC ID: 11668
  • Analyze the proposed Information Architecture as it pertains to acquisition feasibility., CC ID: 01132


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Ensuring that the new applications being purchased/developed follow the Information Security policy (Critical components of information security 11) c.2. Bullet 9, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Discussed below are some emerging technologies which are increasingly being adopted/likely to be considered in the near future. However, the security concerns in respect of such technologies need to be considered. (EMERGING TECHNOLOGIES AND INFORMATION SECURITY ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An APRA-regulated entity could find it useful to develop a technology authorisation process and maintain an 'approved technology register' to facilitate this. The authorisation process would typically assess the benefits of the new technology against the impact of an information security compromise,… (62., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Customers should evaluate the supplier's quality methodology for the design, construction, supply, and maintenance of the software and should be documented in a supplier audit report. (¶ 5.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor. (AI1.3 Feasibility Study and Formulation of Alternative Courses of Action, CobiT, Version 4.1)
  • Verify that the process requires the business sponsor to approve and sign off on business functional and technical requirements and feasibility study reports at predetermined key stages. The business sponsor should make the final decision with respect to the choice of solution and acquisition approa… (AI1.4 Requirements and Feasibility Decision and Approval, CobiT, Version 4.1)
  • The capital planning and investment process must include the minimum criteria when considering to invest in information technology. This includes criteria related to quantitatively expressed projected net, risk-adjusted returns and qualitative and quantitative criteria for comparing and prioritizing… (§ 5122(b)(3), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The head of an agency is prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40 of a contract for such device th… (§ 278g-3e.(a) (1) ¶ 1, United States Code - 15 U.S.C. 278g-3a to 278g-3e, IoT Cybersecurity Improvement Act of 2020)
  • Establishment of processes to evaluate and procure technology. (App A Objective 12:4b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should conduct an acquisition feasibility study to determine if an off-the-shelf product or a customized product should be obtained. The feasibility study should look at issues such as security, functional, network, performance, maintenance, documentation, expandability, and testing… (Pg 41, Pg 42, Exam Obj 6.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Determine the institution's processes for evaluating and deploying new and emerging technologies for retail payment systems. Of particular concern are retail payment products and services that do not use established networks such as ACH, or that extend operational processes to the customer location,… (App A Tier 1 Objectives and Procedures Objective 11:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • After the organization identifies the risks, it can use this information to develop the authentication system requirements. The organization should determine if it has sufficient in-house expertise to evaluate the options or if it needs to hire a consultant. Whichever option the organization chooses… (§ 8.2, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • Conduct a market analysis to identify, assess, and recommend commercial, Government off-the-shelf, and open source products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements. (T0350, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The ISCP Coordinator should ensure that the strategy chosen can be implemented effectively with available personnel and financial resources. The cost of each type of alternate site, equipment replacement, and storage option under consideration should be weighed against budget limitations. The coordi… (§ 3.4.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Conduct a market analysis to identify, assess, and recommend commercial, Government off-the-shelf, and open source products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements. (T0350, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. (SA-12(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Assess the system, system component, or system service prior to selection, acceptance, modification, or update. (SR-5(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assess the system, system component, or system service prior to selection, acceptance, modification, or update. (SR-5(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. (SA-12(7) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Agencies should continue their prior assessment activities under the acquisition framework to comply with the 2014 revision of the Green Book. For example, the framework describes the Commitment from Leadership element to include management providing clear, strong and ethical executive leadership, a… (Section VII (B) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)