Policy 7230A - Department of Administration
12 Secure Purchasing/Acquisition
Section 12.1 constitutes the State of Kansas’ Secure Purchasing Policy. This policy is to be
accompanied by defined Secure Purchasing Non-Mandatory Procedures that are distributed
in a companion document.
Mandatory<br />
Non-Mandatory<br />
Procedures Baselines Procedures Baselines<br />
12. Secure Purchasing/Acquisition
12.1. Secure Purchasing
12.1.1. Include Security Requirements in Solicitation Documents (4 sets)
12.1.2. Ensure Responses Include Security Requirements (4 sets)
12.1 Secure Purchasing
The State of Kansas requires that defined protocols be followed when purchasing
information systems or equipment to be used in an information system.

Following set protocols when acquiring information systems, or information system
components, ensures that expenditures are made as wisely as possible with
regard to the provisioning of IT security. Without such protocols, the potential exists
that purchases could be made that undermine the defined security requirements of
the State of Kansas. Thus, the risk level the State faces could be increased and an
additional purchase to re-establish an appropriate security level may be required.

Before any information system, or component of an information system, is purchased,
the vendor of the system or system component is required to provide documentation
specifically indicating the security capabilities and requirements of the system or
system component. Further, this documentation must be such that the security
controls in the system can be verified by testing. This testing can be performed by the
agency, the State of Kansas or a third party on behalf of either.

Security capability testing notwithstanding, all information systems, or components of
an information system, purchased must meet the specifications of pre-defined
baselines. These baselines will be distributed in a companion document. Further,
where baselines have not yet been defined for a specific purchase, the IT Security
Council will be consulted for an appropriate guideline prior to the issuance of any
purchase documents.