A Standard Best Practice Approach to Acquisition of Secure ICT Products

Abstract

Purchasing system and software products is a risky activity. Without direct insight into how such products are built, how can a customer organization ensure that off-the-shelf products are secure and reliable? In this article, we recommend that customer organizations establish a standard method for acquiring products that helps ensure security. Using ISO/IEC 12207:2008 (Systems and software engineering - Software life cycle processes) as a framework, we describe a complete approach that considers risks at every stage of the procurement process. Organizations can use this approach to tailor a repeatable, observable method that can be shared with a supplier. At a time when so many products promise to be faster, cheaper, or better, following a standard method can help those responsible for procuring software ensure the safety and security of their organizations.