The university develops, disseminates, and periodically reviews/updates formal, documented procedures to facilitate the implementation of the System and Services Acquisition policy and associated System and Services Acquisition controls.


  • This control applies to the university Chief Information Security Officer (CISO).


  • 1

    The university CISO, in coordination with Information Resource owners, shall develop, document, and disseminate to units a set of controls that addresses the System and Services Acquisition of information resources. These controls should include purpose, scope, roles, responsibilities, management commitment, coordination among university entities, and compliance.

  • 2

    The CISO shall review and update the System and Services Acquisition controls as necessary.