IT Examiner School - Oct 2023
Internal Use Only
Acquisition key areas
Acquisition requires management to review potential vendors' financial strength, support levels, security controls, etc., prior to obtaining products or services.
Vendor selection and review
Contract negotiation and license reviews
Monitoring (SLAs)
Software escrow arrangements
Disposal End-of-Life (EOL)
Change Control
Vendor Due Diligence
A proper due diligence process should focus on the prospective third party's:
• Ability to provide the services needed
• Financial condition
• Industry expertise
• Knowledge & experience of applicable laws and regulations
• Reputation (check references, public information)
• Scope of operations and deliverables (can they provide adequate service and support?)
• Effectiveness of controls (will they make audit reports available?)