Establish, implement, and maintain facilities, assets, and services acceptance procedures.


CONTROL ID
01144
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Acquisition or sale of facilities, technology, and services, CC ID: 01123

This Control has the following implementation support Control(s):
  • Test new hardware or upgraded hardware and software against predefined performance requirements., CC ID: 06740
  • Test new hardware or upgraded hardware and software for error recovery and restart procedures., CC ID: 06741
  • Follow the system's operating procedures when testing new hardware or upgraded hardware and software., CC ID: 06742
  • Test new hardware or upgraded hardware and software for implementation of security controls., CC ID: 06743
  • Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements., CC ID: 06744
  • Correct defective acquired goods or services., CC ID: 06911
  • Authorize new assets prior to putting them into the production environment., CC ID: 13530


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Any new business products introduced along with the underlying information systems need to be assessed as part of a formal product approval process which incorporates, inter-alia, security related aspects and fulfilment of relevant legal and regulatory prescriptions. A bank needs to develop an autho… (Critical components of information security 13) (ii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to carry out due diligence with regard to new technologies since they can potentially introduce additional risk exposures. A bank needs to authorise the large scale use and deployment in production environment of technologies that have matured to a state where there is a generally agreed … (Critical components of information security 13) (i), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A process should be established to assess the risk of end user developed or acquired applications to the FI, and ensure appropriate controls and security measures are implemented to address the identified risks, and approval is obtained before being used. The FI should ensure proper testing before t… (§ 6.5.3, Technology Risk Management Guidelines, January 2021)
  • The organization should ensure products purchased absent delivery assurances provided with formally evaluated procedures are delivered in a way that provides confidence that the product will be received in an unaltered state. (Control: 0937, Australian Government Information Security Manual: Controls)
  • The organization should verify the software integrity by using the vendor supplied checksum, when available. (Control: 0284 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should develop a process to authorize new technologies that includes conducting a risk assessment to assess the benefits against the risk. (¶ 64, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • New technologies potentially introduce a set of additional information security vulnerabilities, both known and unknown. An APRA-regulated entity would typically apply appropriate caution when considering the introduction of new technologies. (60., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity could find it useful to develop a technology authorisation process and maintain an 'approved technology register' to facilitate this. The authorisation process would typically assess the benefits of the new technology against the impact of an information security compromise,… (62., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A financial institution's processes for acquisition and development of ICT systems should also apply to ICT systems developed or managed by the business function's end users outside the ICT organisation (e.g. end user computing applications) using a risk-based approach. The financial institution sho… (3.6.2 74, Final Report EBA Guidelines on ICT and security risk management)
  • Hardware and software development and testing should be documented and formally agreed upon by all parties. (¶ 13.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should develop, formally document, and use test scripts, which are related to the user requirements specifications and the functional specifications, to show that the system has been installed and is operating and performing satisfactorily. (¶ 13.4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Suspected or confirmed fraudulent or counterfeit parts shall be detected before formal part acceptance. (§ 4.1.5.a, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Additional tests and inspections should be conducted, as necessary, when acquisitions must be made from other than authorized suppliers or when there is reason to doubt a part's authenticity. (App E § E.1 ¶ 1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • Staff who work in remote environments should only use computing devices that are tested prior to use. (CF.14.01.03b, The Standard of Good Practice for Information Security)
  • The organization shall establish and implement an inspection process to ensure the purchased product meets the specified requirements. The organization shall document in the purchasing information the verification arrangements and the product release method when the verification will be conducted at… (§ 7.4.3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall verify that the delivered product or service complies with all the requirements of the agreement. (§ 6.1.1.3(e)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The supplier shall transfer the service or the product to the organization in accordance with the agreement to close the agreement. (§ 6.1.2.3(f)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall verify and validate the system elements against the acceptance criteria in the agreement. (§ 6.4.5.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Management should authorize the use of all new processing facilities. The following procedures should be considered for inclusion in the authorization process: Checking hardware and software for compatibility; identifying vulnerabilities and controls needed if laptops, home computers, or other equip… (§ 6.1.4, ISO 27002 Code of practice for information security management, 2005)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall establish acceptance criteria for planned new information systems, upgrades and new versions. They shall carry out suitable tests of the system prior to acceptance. (§ 14.2.9 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • the acceptance of products and services; (8.1 ¶ 1(b)(2), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Are there established criteria for accepting new Information Systems? (§ G.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are there established criteria for accepting Information Systems upgrades? (§ G.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are there established criteria for accepting new versions of Information Systems? (§ G.6, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Employ application whitelisting and an application vetting process for systems identified by the organization. (CM.4.073, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Employ application whitelisting and an application vetting process for systems identified by the organization. (CM.4.073, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • § 820.80(a): A medical device manufacturer shall establish and maintain acceptance procedures, including inspections, tests, or other verification activities. § 820.80(b): A medical device manufacturer shall establish and maintain acceptance procedures for incoming product. They shall be inspected… (§ 820.80(a), § 820.80(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The device manufacturer or the specification developer maintains ultimate responsibility for ensuring software is validated, regardless of the contractual relationships, sources of components, distribution of tasks, or the development environment. (§ 4.10 ¶ 4, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Approved the selected software's use and determined that it met the entity's infrastructure requirements and strategic objectives. (App A Objective 13:5c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluates open source software components during software due diligence. (App A Objective 13:6g Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Validates that new hardware complies with institution policies and guidelines. (App A Objective 6.11.k, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Review major acquisitions of hardware and software to determine if the acquisitions are within the limits approved by the board of directors. (App A Objective 12:11, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Conduct import/export reviews for acquiring systems and software. (T0412, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should use an independent tester to conduct analysis and penetration testing against the technology products, components, and systems that are delivered. (SG.SA-11 Additional Considerations A3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use independent analysis and penetration testing against all delivered systems, system components, and technology products. (App F § SA-12(7), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Conduct import/export reviews for acquiring systems and software. (T0412, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. (SA-12(7) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Assess the system, system component, or system service prior to selection, acceptance, modification, or update. (SR-5(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • The organization conducts an assessment of the information system, system component, or information system service prior to selection, acceptance, or update. (SA-12(7) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)