List three of the seven general areas of evaluation for procurement defined in the EBK.
What will be an ideal response?
1. Review contracting documents, such as statements of work or requests for proposals, for inclusion of IT security considerations in accordance with information security requirements, policies, and procedures
2. Assess industry-applicable IT security trends, including practices for mitigating security risks associated with supply chain management
3. Review memoranda of agreement, memoranda of understanding, and/or SLA for agreed levels of IT security responsibility
4. Conduct detailed IT investment reviews and security analyses and review IT investment business cases for security requirements
5. Assess and evaluate the effectiveness of the vendor management program in complying with internal policy with regard to use of third party information and connection requirements
6. Conduct due diligence activities to ensure that vendors are operationally and technically competent to receive third party information, connect and communicate with networks, and deliver and support secure applications
7. Evaluate the effectiveness of the procurement function in addressing information security requirements through procurement activities, and recommend improvements