List four of the nine recommendations in the EBK for a secure procurement process.
What will be an ideal response?
1. Collaborate with various stakeholders (which may include internal clients, lawyers, CIOs, CISOs, IT security professionals, privacy professionals, security engineers, suppliers, and others) on the procurement of IT security products and services
2. Ensure the inclusion of risk-based IT security requirements in acquisition plans, cost estimates, statements of work, contracts, and evaluation factors for award, service level agreements, and other pertinent procurement documents
3. Ensure that suppliers understand the importance of IT security
4. Ensure that investments are aligned with enterprise architecture and security requirements
5. Conduct detailed IT investment reviews and security analyses, and review IT investment business cases for security requirements
6. Ensure that the organization's IT contracts do not violate laws and regulations, and require compliance with standards when applicable
7. Specify policies for use of third-party information by vendors/partners, and connection requirements/acceptable use policies for vendors that connect to networks
8. Ensure that appropriate changes and improvement actions are implemented as required
9. Whenever applicable, calculate return on investment (ROI) of key purchases related to IT infrastructure and security