What is evaluated in the security approval process for software purchasing?
This Knowledge Base article lists the criteria on which the security team bases its approval decisions.
Software Purchasing
Our review process is based on NIST 800-171r2. Each of the following criteria corresponds to one of its control families.
Access Control: Ensure the software allows for proper user access control, limiting access to authorized users and providing mechanisms for controlling, managing, and logging user access.
Configuration Management: Check whether the software supports secure configurations and allows for the management of security features and functions.
Identification and Authentication: Confirm that the software has robust mechanisms for user identification and authentication, including multi-factor authentication if necessary.
System and Communications Protection: Evaluate whether the software offers protection mechanisms for data transmission, including encryption of data both at rest and in transit.
System and Information Integrity: Check if the software has features to identify, report, and correct system flaws, and protect against malicious code.
Security Assessment: Understand if the software has been tested or certified for security by a reputable third-party organization.
Incident Response: Where applicable, ensure the software has capabilities for incident detection, response, and reporting.
Maintenance: Ensure the vendor provides regular security updates and patches.
Risk Assessment: Evaluate whether the vendor or the software itself has any known security vulnerabilities or risks.
Data Protection: Ensure that the software provides mechanisms for protecting Controlled Unclassified Information (CUI), such as encryption or tokenization.