Involve all stakeholders in the acquisition process.


CONTROL ID: 13169
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Plan for acquiring facilities, technology, or services., CC ID: 06892

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Find out the applications required for the considered business processes by involving the responsible and/or the users of the applications (§ 8.1.3 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • When acquiring the applications, also the users and/or the persons responsible for the application as well as the persons responsible for the business processes should be asked how they estimate the required security level. (§ 8.1.3 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum sho… (PO3.4 Technology Standards, CobiT, Version 4.1)
  • Senior management should involve IT audit in major application development, acquisition, conversion, and testing. (Audit Participation in Application Development, Acquisition, Conversions, and Testing, FFIEC IT Examination Handbook - Audit, April 2012)