CCI-003141
CCI-003141 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if [SA-09(01)_ODP; personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined] approve the acquisition or outsourcing of dedicated information security services.
Validation Procedures
Examine: [SELECT FROM: System and services acquisition policy; supply chain risk management policy and procedures; procedures addressing external system services; acquisition documentation; acquisition contracts for the system, system component, or system service; risk assessment reports; approval records for the acquisition or outsourcing of dedicated security services; system security plan; supply chain risk management plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with system and service acquisition responsibilities; organizational personnel with system security responsibilities; external providers of system services; organizational personnel with information security responsibilities; organizational personnel with supply chain risk management responsibilities].

Test: [SELECT FROM: Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated security services; organizational processes for approving the outsourcing of dedicated security services; mechanisms supporting and/or implementing risk assessment; mechanisms supporting and/or implementing approval processes].