Plan for acquiring facilities, technology, or services.
CONTROL ID 06892
CONTROL TYPE Acquisition/Sale of Assets or Services
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Acquisition or sale of facilities, technology, and services, CC ID: 01123
This Control has the following implementation support Control(s):
Involve all stakeholders in the acquisition process., CC ID: 13169
Require third parties to disclose all known vulnerabilities in third party products and services., CC ID: 15491
Allocate sufficient resources to protect Information Systems during capital planning., CC ID: 01444
Establish, implement, and maintain system acquisition contracts., CC ID: 14758
Identify and include alternatives to meeting the security requirements when acquiring assets., CC ID: 01128
Conduct an acquisition feasibility study prior to acquiring assets., CC ID: 01129
Establish, implement, and maintain a product and services acquisition strategy., CC ID: 01133
Establish, implement, and maintain a product and services acquisition program., CC ID: 01136
Establish, implement, and maintain a software product acquisition methodology., CC ID: 01138
Establish and maintain a register of approved third parties, technologies and tools., CC ID: 06836
Promote joint acquisition of products or services., CC ID: 11453
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
The organization should provide staff with clinical decision support tools as appropriate. (CORE - 28(b), URAC Health Utilization Management Standards, Version 6)
Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned … (PO10.8 Project Resources, CobiT, Version 4.1)
Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
facilities; and (§ 5.1 Guidance ¶ 1(c)(3), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives. (A1.2, Trust Services Criteria)
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its objectives. (A1.2 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
One or more process(es) used in procuring BES Cyber Systems that address the following, as applicable: (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Supply Chain Risk Management CIP-013-1)
Due diligence in research and selection of third-party service providers. (App A Objective 6.31.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Management should oversee outsourced operations through the following:
- Appropriate due diligence in third-party research, selection, and relationship management.
- Contractual assurances for security responsibilities, controls, and reporting.
- Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Acquire, develop, and manage the system using [Assignment: organization-defined system development life cycle] that incorporates information security and privacy considerations; (SA-3a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)