Policy 7230A - Department of Administration
12. Secure Purchasing/Acquisition
These Acquisition Non-Mandatory Procedures support the Enterprise Security Policy (ITEC 7230 Rev 1) and the Default Security Requirements (ITEC 7230A).
Mandatory
Non-Mandatory
Procedures Baselines Procedures Baselines
12. Secure Purchasing/Acquisition
12.1. Secure Purchasing
12.1.1. Include Security Requirements in Solicitation Documents (4 sets)
12.1.2. Ensure Responses Include Security Requirements (4 sets)
12.2. Maintain Records
12.1. Secure Purchasing
The following are the Non-Mandatory Procedures that support the Secure Purchasing section of the Default Security Requirements:
12.1.1. Include Security Requirements in Solicitation Documents
All Request for Proposal, Information and/or Quotation (RFP, RFI, RFQ) documents should include system security requirements to ensure that systems proposed by proponents meet the security requirements of the agency:
12.1.1.1 Required Security Capabilities
To ensure solutions that are acquired rather than developed meet the Agency’s security requirements, all acquisition documents must specify the expected security capabilities of the system:
• Include defined security requirements of the solution (see section 5.4.1.2 of these Non-Mandatory Procedures).
• Review all documents prior to issuance to ensure security requirements have been included.
12.1.1.2 Required Design and Development Process
To ensure that solutions have been constructed using a methodology that provides definable, consistent and measurable security capabilities, all acquisition documents must specify that solution design and development processes be provided:
• Include request for indication of the design and development process for the solution (see section 5.4.1.2 of these Non-Mandatory Procedures).
• Review all documents prior to issuance to ensure design and development requirements have been included.