The purpose of the systems and services acquisition policy is to ensure that the information security program is properly inserted into the acquisitions life cycle of an organization, helping to ensure that secure and safe products are procured for the organization. Additionally, this policy ties-in the need for an effective SDLC approach, with information security being a key player.

What the system and services acquisitions policy should address:

• Allocating sufficient resources to adequately protect organizational information systems
• Employing system development life cycle processes that incorporate information security considerations
• Employing software usage and installation restrictions
• Ensuring that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization