Expert Advice Community

Control A14.1.1

Guest user Created: May 24, 2018 Last commented: May 24, 2018
I am working on this control and it refers to the Security Requirement Specification – I can only find the template Appendix_Specification_of_Information_System_Requirements_EN.docx.

Expert
Rhand Leal May 24, 2018

This document does not have a lot of details and seems unrelated to the topic of acquiring a new information system. Can you please help by providing examples on this doc?

Answer: The basic difference between internally developed and acquired information systems is that when systems are acquired, the information system requirements identified in this template should be included in the contract or service agreement established between the organization and the supplier. When the information system is developed internally, the information in this template is included in the organization's development process.

Here are some examples for each field in this template, considering the information system will be acquired:
- Name of information system: Contract Payment Reporting System (CPRS)
- Version of existing information system: New system to be acquired (the information in this field will define which and how acquiring information will be included in the "Method of checking and testing implemented security controls")
- Impact value from risk assessment: 7 (in a scale from 1 to 9)
- Functional specification of the information system: The system must maintain information that identifies each entity in the contract, including: entity name, entity ID number, entity contact information, etc.
- Necessary automated controls: The system must prevent the duplicate entry of contract records (e.g., by editing contract ID numbers or entity names). The system must provide an on-line warning message to the user when duplication is identified.
- Necessary manual controls: The system must only send information about contracts after an authorized user approves the request.
- Method of checking and testing implemented security controls: The security controls in the acquired CPRS will be tested by an independent party using as reference the ISO 15048:2008 - Information technology -- Security techniques -- Evaluation criteria for IT security -- Part 3: Security assurance components
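As an added illustration, not part of the original answer or of the template, the automated and manual controls listed above can be expressed as acceptance checks that a tester could run against the delivered system. The CPRS registry model, the approver list and the contract values below are constructed for this example:

```python
from dataclasses import dataclass, field

APPROVERS = {"alice"}  # constructed: users authorized to approve a release request

class DuplicateContractError(ValueError):
    """Automated control: the record would duplicate an existing contract."""

class ApprovalRequiredError(PermissionError):
    """Manual control: contract data may not leave the system unapproved."""

@dataclass
class Contract:
    contract_id: str
    entity_name: str
    entity_id: str
    approved_by: str = ""  # empty until an authorized user approves release

@dataclass
class ContractRegistry:
    contracts: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)  # on-line warnings shown to the user

    def add(self, contract: Contract) -> str:
        # Automated control: reject a duplicate by contract ID or entity name
        # and record the warning message the user would see.
        for existing in self.contracts.values():
            if (existing.contract_id == contract.contract_id
                    or existing.entity_name == contract.entity_name):
                msg = f"Duplicate of {existing.contract_id} ({existing.entity_name})"
                self.warnings.append(msg)
                raise DuplicateContractError(msg)
        self.contracts[contract.contract_id] = contract
        return contract.contract_id

    def approve(self, contract_id: str, user: str) -> bool:
        # Manual control: only an authorized user may approve the release request.
        if user not in APPROVERS:
            return False
        self.contracts[contract_id].approved_by = user
        return True

    def send(self, contract_id: str) -> dict:
        # Contract data is sent only after an authorized approval is on record.
        c = self.contracts[contract_id]
        if not c.approved_by:
            raise ApprovalRequiredError(contract_id)
        return {"contract_id": c.contract_id, "entity": c.entity_name}
```

Each check maps to one line of the template: a rejected duplicate with a recorded warning for the automated control, and a blocked send until an approver acts for the manual control.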
