3.4.3 System Acquisition
| No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 |
Effective from 2021-11-04 - Nov 03 2021
To view other versions open the versions tab on the right
Principle
System acquisition process should be established to ensure risks associated with the system acquisition and related vendor service level are adequately assessed and mitigated prior acquiring system.
Control Requirements
| 1. | System acquisition process should be defined, approved, implemented and communicated by the Member Organizations. | |
| 2. | The effectiveness of the system acquisition process should be measured and periodically evaluated. | |
| 3. | System requirements (i.e. functional and non-functional) should be formally defined and approved as part of system acquisition. | |
| 4. | A feasibility study should be conducted to assess functional and non-functional requirements of the new system particularly in conformance with the SAMA regulatory requirements, and other applicable regulatory requirements. | |
| 5. | Vendor evaluation should be incorporated in the system acquisition process to assess vendor for their offering and capabilities to support system during and post implementation. | |
| 6. | The system acquisition should be supported with a detail implementation plan describing the following, but not limited to: | |
| a. | system implementation milestones (including requirement gathering, development or customization, testing, go-live etc.); | |
| b. | timeline for each milestone and their dependencies; and | |
| c. | resources assigned to milestones. | |
| 7. | The off-the-shelf system or package should be evaluated based on the following, but not limited to: | |
| a. | system conformance with the requirements of the Member Organization; | |
| b. | system creditability and market presence, if required; and | |
| c. | vendor evaluation and service level. | |