Cyber Security Effective Practices for Information Technology Procurements

This document provides baseline cybersecurity effective practices that have been reviewed and approved by the Rail Information Security Committee (RISC). This document should be used to supplement an organization’s existing IT management processes and standards, as a means of reducing the risk that procurement and use of a Supplier’s products will exacerbate cybersecurity risk for the Acquirer.

Acquirers may use this document to guide engagement and procurement practices when working with Suppliers, to reduce the risk that the Supplier’s products will present major cybersecurity challenges for the Acquirer. Acquirers may refer to this document when making procurement decisions or when negotiating with Suppliers.

Suppliers may use this document as a guide to align their practices with the reasonable expectations for cybersecurity of railroad Acquirers.

Rail sector asset owners, operators, and suppliers are encouraged to provide feedback on this document. Please send questions, comments, or suggested enhancements to [email protected].


Back to Data Center