Section 4: Acquiring Systems and Services

Introduction

This section establishes how TxDOT reduces the inherent risks in buying information technology equipment or services. As part of the Security Awareness Policy, this section provides a list of topics to consider. These topics ensure security controls are considered when the purchase is made. These considerations address the “Protect” objective of the Texas CyberSecurity Framework.

Protocol

TxDOT follows the National Institute of Standards and Technology (NIST) principles for Information Security System and Services Acquisition. These principles advise agencies to follow industry best practices, plan for purchasing information resources, integrate security activities into the project or program lifecycle, document and understand the security configurations, and follow all applicable laws.

General Responsibilities

Individuals who purchase IT products or services must obtain documentation to

  • show the chain of supply, including origin, delivery, and support methodologies
  • confirm that the vendor’s personnel have each met the terms and conditions of TxDOT pre-employment personnel assessment processes and procedures
  • secure confidentiality of TxDOT information
  • demonstrate compliance with security controls and requirements.

Compliance and Standards

See the “Acquiring Systems and Services” standard in the Information Security Standards manual for a list of the minimum standards necessary to comply with this objective of the Security Awareness Policy.