Policies Section

System and services acquisition (from NIST)

This list describes the System and Services Acquisition controls and is meant to tie each control to concrete activities and behaviors. For NIST's own descriptions, see NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems.

  • System and services acquisition policy and procedures - A system and services acquisition policy should define, among other items, the methods used to design new systems, how major changes are made to existing systems, the design approval process, how systems are supported, how resources are allocated, how systems are to be documented, how outsourcing may be done, and what the minimum requirements are. Procedures should provide greater detail about who is responsible and the step-by-step processes. (low)
  • Allocation of resources - Resources required to acquire and maintain the system must be determined, documented, and allocated by the organization. The security requirements based on the business case must be determined. Items must be budgeted so the resources are available to allow the system to meet the business need. (low)
  • Life cycle support - The system development lifecycle method used by the organization must meet security needs. (low)
  • Acquisitions - Security requirements are declared in the acquisition contracts for acquired systems. This may include guidance about products that have been evaluated as secure, along with information about required documentation, development practices, testing requirements, and other required security capabilities related to the system. (low)
  • Information system documentation - Sufficient documentation should be provided, including user manuals, installation guides, and administrator guides that include information about how to make the system more secure. (low)
  • Software usage restrictions - Only approved software can be used in the organization. Non-approved software such as peer-to-peer file sharing software or instant messaging software should not be installed on computers. A method to detect, block, or prevent installation of such software should be provided. Software is used in accordance with its licensing. (low)
  • User installed software - Rules covering the downloading and installation of software are enforced. Allowed software is specified. (low)
  • Security design principles - Information systems are designed with security built in as part of their capabilities. (moderate)
  • Outsourced information system services - Contractors must provide the same level of security and documentation in their products as is expected in the organization. Contracts should specify levels of security, documentation, and performance that are expected. All design notes, source code, and drawings should be delivered to the organization by the contractor. (low)
  • Developer configuration management - A configuration management plan should be put in place by the developer of the system so changes to the system are controlled and authorized. The plan should require security flaws to be tracked. (high)
  • Developer security training - The system should be tested according to a test plan during development. The test results must be documented. (moderate)