Establish, implement, and maintain a software product acquisition methodology.


CONTROL ID
01138
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

This Control has the following implementation support Control(s):
  • Align the service management program with the Code of Conduct., CC ID: 14211
  • Store source code documentation in escrow by an independent third party., CC ID: 01139
  • Review software licensing agreements to ensure compliance., CC ID: 01140
  • Establish, implement, and maintain third party Software Maintenance Agreements., CC ID: 01143


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A person may acquire or sell any software, including software with encryption capabilities, that is generally available, as is, and designed for installation by the purchaser. (§ 90(1)(b)(i), The Electronic Communications and Transactions Act, 2002)
  • A person may acquire or sell any software, including software with encryption capabilities, that is publicly available, in the public domain, or accessible to the public in any form. (§ 90(1)(b)(ii), The Electronic Communications and Transactions Act, 2002)
  • A person may acquire or sell any software, including software with encryption capabilities, that is a computing device because it uses or incorporates in any form software exempted from any requirement for a validated license. (§ 90(1)(b)(iii), The Electronic Communications and Transactions Act, 2002)
  • Software package acquisition is an alternative to in-house systems development and should be subject to broadly similar controls as the project life cycle. As inappropriate handling of software licences may expose AIs to a significant risk of patent infringement, and financial and reputation losses,… (4.2.5, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The licensed corporation should maintain an effective governance process for (a) the acquisition, deployment and use of software applications or services which read, write or modify Relevant Information, and (b) ensuring the security, authenticity, reliability, integrity, confidentiality and timely … (13., Circular to Licensed Corporations - Use of external electronic data storage)
  • The organization should follow procedures to ensure the quality of packaged software. These procedures should include defining the prerequisites, defining user requirements, setting the objectives, ensuring the specifications, test confirmation notes, design documents, and other documents are availa… (T13.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • For all critical applications, either the source code must be received from the vendor or a software escrow agreement should be in place with a third party to ensure source code availability in the event the vendor goes out of business. It needs to be ensured that product updates and programme fixes… (Critical components of information security 11) c.25., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Taking decisions on any new applications to be acquired / developed or any old applications to be discarded (Critical components of information security 11) c.2. Bullet 6, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The FI should assess if a source code escrow agreement should be in place, based on the criticality of the acquired software to the FI's business, so that the FI can have access to the source code in the event that the vendor is unable to support the FI. Suitable alternatives to replace the software… (§ 5.3.4, Technology Risk Management Guidelines, January 2021)
  • It is important that the FI assesses the robustness of the vendor's software development and quality assurance practices, and ensures stringent security practices are in place to safeguard and protect any sensitive data the vendor has access to over the course of the project. Any vendor access to th… (§ 5.3.2, Technology Risk Management Guidelines, January 2021)
  • Selecting the proper enabling technology for continuous auditing is critical to its long-term success. When selecting continuous auditing software, a clear set of objectives and a plan for determining risks and priorities must be developed, and the software selection criteria should include the form… (§ 6 (Data Access and Use), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Service agreements should specify requirements for installation activity relating to software. (CF.07.07.04d-3, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all software acquired throughout the organization, including Operating System and virtualization software. (CF.16.02.03a, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all software acquired throughout the organization, including enterprise software (e.g., Enterprise Resource Planning and Customer Relationship Management applications). (CF.16.02.03b, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all software acquired throughout the organization, including Commercial Off-the-Shelf Software. (CF.16.02.03c, The Standard of Good Practice for Information Security)
  • Standards / procedures should apply to all software acquired throughout the organization, including security software (e.g., data leakage protection, Digital Rights Management, and Intrusion Detection Software). (CF.16.02.03d, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for installation activity relating to software. (CF.07.07.04d-3, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all software acquired throughout the organization, including Operating System and virtualization software. (CF.16.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all software acquired throughout the organization, including enterprise software (e.g., Enterprise Resource Planning and Customer Relationship Management applications). (CF.16.02.03b, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all software acquired throughout the organization, including Commercial Off-the-Shelf Software. (CF.16.02.03c, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should apply to all software acquired throughout the organization, including security software (e.g., data leakage protection, Digital Rights Management, and Intrusion Detection Software). (CF.16.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System; and (B. R1. 1.2. 1.2.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
  • Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and their associated EACMS and PACS; and (B. R1. 1.2. 1.2.5., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-2, Version 2)
  • The information assurance manager must ensure that Commercial Off-the-Shelf Software that will be used in a system that requires public key-enabling has passed the interoperability testing before it is acquired. (§ 3.4.2.2 ¶ AC34.140, DISA Access Control STIG, Version 2, Release 3)
  • This examination procedure may be performed in coordination with related examination procedures in the "Development and Acquisition" booklet. Determine whether management appropriately chooses software (e.g., to meet the entity's infrastructure and operational requirements) and considers whether to … (App A Objective 13:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. (SC-18(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. (SC-18(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. (SC-18(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [Assignment: organization-defined mobile code requirements]. (SC-18(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization ensures that the acquisition, development, and use of mobile code to be deployed in the information system meets [Assignment: organization-defined mobile code requirements]. (SC-18(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)