Hardware and Software Acquisition


Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
>> Hi there and welcome to our next lesson, Hardware and Software Acquisition. We'll be looking at the process involved for an organization to purchase hardware and software. We'll look at the specification development process, so how the organization can define exactly what they want their software or hardware to do; some of the acquisition steps that need to take place; criteria for evaluation; some of the considerations for system software acquisition; some of the selection considerations that need to take place; and also your role as the IS auditor in all this.

Let's begin. Hardware and software acquisition. First of all, we certainly need to know exactly what we're going to be purchasing. Whether it's hardware or software, we need to basically prepare our list of specifications that accurately describe what we expect this purchase to do. We also need to develop criteria to evaluate the proposals that we receive from vendors. On complex purchases of hardware and software, these responses could be quite significant, quite large, and quite detailed. We need to have an idea of how we're actually going to evaluate whether they meet our original specifications. These can often be presented in a number of ways depending on the organization. They can be presented to vendors as invitations to tender or a request for proposal. A lot will depend upon the size of what's being purchased and some of the requirements and legislation around an organization.

What is in the specification? What's the content? First up, there needs to be an organizational description. The people that you're requesting this quote from or requesting a proposal from need to have an understanding of what your business does, and that can give them further insight into making the proper recommendations for their products. We also need to know what the hardware and software assurance level expectations are. Well, what level do you need the hardware and the software to perform at? What information processing requirements you might have. Are we talking X number of transactions per day, for example? What hardware requirements there are, for either the software to exist on or for the actual hardware that you're purchasing itself? Any of the systems software applications, particularly in large systems. There might be a number of different applications being purchased. Any support requirements? What's your expectation of support? 24/7, on-site, remote, phone call, and those issues. Any adaptability requirements? This comes into the organizational description again. Will their product need to adapt to your environment, and how well can it adapt to the environment? You need to describe these specifications so that the vendors have an idea. Any constraints that you may have? Just in general, time-frames, costs, anything that's relevant, and any conversion requirements. If you're upgrading hardware or software, is there any data that needs to now work with this new purchase?

Now, there are a number of steps for acquisition. It could be simple testimonials or visits with other users. There could be provisions for competitive bidding. Particularly with government entities, they often have very strict rules and regulations around how they go out to tender, particularly for large purchases. There is analysis of the bids against the requirements. You're going to have a large number of bids potentially, and you need to make sure that you can analyze them against the requirements that you've identified. You also need to compare the bids against each other using pre-defined evaluation criteria. You're going to get a lot of data from vendors in various formats, and you need to have a way to basically match like for like. You also need to consider the vendor's financial condition. Particularly with a large purchase that may spread over a significant amount of time, be that months or years, you need to have an understanding as to whether that vendor will still be around by the time that you're finishing your project. You also need to look at the vendor support capabilities. Do they have the level of support or the capability to provide the support that you want? You also need to look at the delivery schedule against your requirements. Will they get the software or hardware to you in the time that you're expecting? Now, there are also aspects that are just the pedigree of the hardware. Is this new technology or software, or has this been tried and tested and is commonly used within the industry? Any upgrade capabilities that need to be taken into account from your existing platforms? Any security and control facilities? You need to make sure that they meet those requirements specifically for your organization. Any performance that they have against the requirements? Are you getting the expected throughput with the transaction processing, for example? Then we've got review and negotiation of price and contract terms, and the preparation of written analysis reports. Those last three items are particularly of interest to you as an auditor, as there will certainly be aspects that you may need to review if you're called in to audit a particular acquisition.

There are a few criteria for evaluation. It really depends upon the need of the particular project. This will vary depending on hardware, software, or the size and the scope of what you're actually purchasing. But things such as turnaround time, response times, system reaction time, throughput, any workload compatibility, capacity, or utilization. It really depends upon the nature of what's being purchased.

Now, you as the IS auditor, you need to determine if the acquisition process began with the business need. Is this meeting the business requirements that were identified by the organization? What are the strategic or operational goals of the business? You also need to show that the requirements for this need are matched to the specification. You need to essentially check and ensure that all the integrity of the process has been met, and also determine if several vendors were considered. This is particularly important for some organizations who have restrictions in terms of either legislative or compliance requirements in terms of how they approach the market for large purchases, and a review of the comparison between vendors against the actual criteria.

Now, in terms specifically of system software acquisition, some of the considerations: obviously the business, functional, and technical needs are key. You need to also make sure that there is a cost-benefit analysis done. In terms of the benefit to the business, is this going to be worth the money, basically? Any obsolescence considerations? Is the software end-of-life scheduled, and is that going to meet the requirements for the business? Any compatibility requirements with existing systems? Will this need to integrate with either software or hardware that's already within the business? Security is a fairly important need, obviously. Any demands on staff? Will this software be able to be maintained by the number of staff that you have in the business? Or will this put a stress in terms of operating the software itself? That leads into obviously any training or hiring requirements to support this. Will the software be able to meet the business's planned future growth needs? Also, looking at any impacts on the system and network performance. Will this software be able to be run on an existing organization's network, or will it result in the rest of the network running very slowly, for example? There's also a consideration between open-source versus proprietary code.

Now, some additional selection considerations. Product versus system requirements. The product scalability and interoperability, any customer references that might be provided. We've also got the vendor viability and financial stability, availability of complete and reliable documentation, and the vendor support. Are they able to provide you with the support that you're expecting? Source code availability can be key with certain products, so there might be a requirement for a source code review to take place. Any years of experience in offering a product that the vendor has? Any list of recent or planned replacements to the product? Again, just making sure that the end-of-life dates are within the time frames that you expect, and the number of client sites that are currently using the product, and obviously, the acceptance testing of the product itself within your organization.

As an IS auditor, what's your role in software acquisition? Basically, it's to analyze and review the documentation for the feasibility study to make sure that the due diligence was done by all parties who are involved in this process. Review the request for proposal. Determine whether the selected vendor is supported by RFP documentation. In other words, is the request for proposal meeting the requirements within the organization? Review the vendor contract prior to signing and ensure that the contract is reviewed by legal counsel. A lot of the due diligence and compliance requirements for the organization. Also, review the RFA to ensure that security sponsors are also included.

That's the end of our lesson. We have covered some of the processes around hardware and software acquisition within a large organization. We have looked at the details around specification development, so what needs to be done to ensure that the organization is purchasing the correct hardware and software. Some of the steps within the acquisition process, criteria that can be used for evaluation, some considerations specifically for the system software acquisition, and the IS auditor's role throughout this entire process. That's the end of our lesson. I hope you enjoyed it, and I will see you at the next one.