Financial institutions should establish appropriate acquisition methodologies. The methodologies should match a project's characteristics and risks and require appropriate:
- Project plans;
- Project standards and procedures;
- Quality assurance, risk management, and testing standards and procedures;
- Definitions of product requirements;
- Involvement by all affected parties;
- Vendor, contract, and license reviews; and
- Escrow documentation.
Acquisition projects are similar to development projects because management approves project requests, defines functional, security, and system requirements, and appropriately tests and implements products. Organizations often employ structured acquisition methodologies similar to the SDLC when acquiring significant hardware and software products. In an acquisition, however, the SDLC design and development phases are replaced by a bid solicitation process: the organization develops detailed lists of functional, security, and system requirements and distributes them to third parties. The "Acquisition Project Guidance" discussion below centers on the specific activities associated with acquisition projects. Refer to the Project Management and Development sections for additional details relating to general life cycle phase information.
In addition to developing and distributing detailed lists of functional, security, and system requirements, organizations should establish vendor selection criteria and review potential vendors' financial strength, support levels, security controls, etc., prior to obtaining products or services. Additionally, management should review contracts and licensing agreements to ensure the rights and responsibilities of each party are clear and equitable. Primary risks include inadequately defining requirements, ineffectively assessing vendors, and insufficiently reviewing contracts and agreements.
Contract and licensing issues may arise due to the complexity of contractual requirements. An organization's legal counsel should confirm that performance guarantees, source code accessibility, intellectual property considerations, and software/data security issues are appropriately addressed before management signs contracts.
Financial institutions sometimes acquire software or services from foreign-based third parties. Organizations should appropriately manage the unique risks these arrangements introduce. For example, organizations should decide which country's laws will govern the relationship and ensure that they and their vendors comply with United States laws that restrict the export of software applications employing encryption techniques. Refer to the "Software Development Contracts and Licensing Agreements" discussion for additional details on contracts and licenses. Refer to the IT Handbook's "Outsourcing Technology Services Booklet" for additional information relating to foreign-based third-party relationships.
Database Management Systems