Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

sa-9(1)

external information system services  | risk assessments / organizational approvals

assessment objective:

Determine if the organization:

sa-9(1)(a)

conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services;

sa-9(1)(b)

sa-9(1)(b)[1]

defines personnel or roles designated to approve the acquisition or outsourcing of dedicated information security services; and

sa-9(1)(b)[2]

ensures that the acquisition or outsourcing of dedicated information security services is approved by organization-defined personnel or roles.

potential assessment methods and objects:

Examine: [select from: System and services acquisition policy; procedures addressing external information system services; acquisition documentation; acquisition contracts for the information system, system component, or information system service; risk assessment reports; approval records for acquisition or outsourcing of dedicated information security services; other relevant documents or records].

Interview: [select from: Organizational personnel with system and services acquisition responsibilities; organizational personnel with information system security responsibilities; external providers of information system services; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for conducting a risk assessment prior to acquiring or outsourcing dedicated information security services; organizational processes for approving the outsourcing of dedicated information security services; automated mechanisms supporting and/or implementing risk assessment; automated mechanisms supporting and/or implementing approval processes].