Define and maintain continuity Service Level Agreements for all critical resources.
CONTROL ID
00741
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a critical resource list. (CC ID: 00740)

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Pg 49 requires that SLAs include business continuity plan arrangements. The following checklist should be used when determining the arrangements: Ensure for each treatment selected, the likely costs are the most commercially viable Identify other requirements or changes that need to be made in order… (Pg 49, Pg 67, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arr… (DS1.3 Service Level Agreements, CobiT, Version 4.1)
  • Service Level Agreements (SLAs) should clearly address business continuity management mechanisms; response times; the types of required audits; the location, cost, and frequency of the audit, the person in charge, and information that will be shared; and penalties when the service provider is not ab… (§ 5.2 (Business Continuity) ¶ 2, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Determine whether there are documented procedures in place for accessing, downloading, and uploading information with TSPs, correspondents, affiliates and other service providers, from primary and recovery locations, in the event of a disruption. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Supporting activities (e.g., technology support, payroll, contracting). (App A Objective 4:2e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilienc… (App A Objective 8:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Service delivery and support processes (e.g., resilience in supply chain). (App A Objective 8:2f Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 11:10, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether an adequate contingency plan exists to reduce any lapse in audit coverage, particularly coverage of high-risk areas, in the event the outsourced audit relationship is terminated suddenly. (Exam Tier I Obj 11.10, FFIEC IT Examination Handbook - Audit, August 2003)
  • The Service Level Agreements (SLAs) should address business continuity plans and should measure the service provider's responsibility for maintaining disaster recovery and contingency plans. (Pg 17, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • § 4.6.2 Bullet 4: Determine the amount of time the organization can tolerate disruptions to critical services, operations, or material. § 4.7.4 Bullet 2: Ensure that formal agreements are in place stating specific requirements if part of the Contingency Plan depends on external organizations for s… (§ 4.6.2 Bullet 4, § 4.7.4 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Vendor Agreements. As the contingency plan is being developed, SLAs with hardware, software, and support vendors may be made for emergency maintenance service. The SLA should specify how quickly the vendor must respond after being notified. The agreement should also give the organization priority st… (§ 3.4.4 ¶ 1 Bullet 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))