Security Review for Software

Summary

Overview of security approval process for software purchases.

Body

Issue/Question
  • What is evaluated in the security approval process for software purchasing?

 

Overview

This Knowledge Base article contains the criteria that the security team will base approval decisions on. 

Environment

  • Software Purchasing

 

Resolution

Our review process is based on NIST 800-171r2 

  • Access Control: Ensure the software allows for proper user access control, limiting access to authorized users and providing mechanisms for controlling, managing, and logging user access.

  • Configuration Management: Check whether the software supports secure configurations and allows for the management of security features and functions.

  • Identification and Authentication: Confirm that the software has robust mechanisms for user identification and authentication, including multi-factor authentication if necessary.

  • System and Communications Protection: Evaluate whether the software offers protection mechanisms for data transmission, including data encryption for both at-rest and in-transit.

  • System and Information Integrity: Check if the software has features to identify, report, and correct system flaws, and protect against malicious code.

  • Security Assessment: Understand if the software has been tested or certified for security by a reputable third-party organization.

  • Incident Response: Ensure the software has capabilities for incident detection, response, and reporting if applicable.

  • Maintenance: Ensure the vendor provides regular security updates and patches.

  • Risk Assessment: Evaluate whether the vendor or the software itself has any known security vulnerabilities or risks.

  • Data Protection: Ensure that the software provides mechanisms for protecting CUI data, such as encryption or tokenization.

Details

Details

Article ID: 146532
Created
Mon 7/17/23 3:51 PM
Modified
Mon 11/13/23 4:08 PM