
Establish, implement, and maintain a Service Level Agreement framework.


CONTROL ID: 00839
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Include exceptions in the Service Level Agreements, as necessary., CC ID: 13912
  • Include the appropriate aspects of the Quality Management program in the Service Level Agreement., CC ID: 00845
  • Include the organizational structure for service level management in the Service Level Agreement framework., CC ID: 13633
  • Include the security mechanisms of network services in the Service Level Agreement., CC ID: 12023
  • Include capacity planning in Service Level Agreements., CC ID: 13096
  • Include Operational Level Agreements within Service Level Agreements, as necessary., CC ID: 13631
  • Include funding sources in Service Level Agreements, as necessary., CC ID: 13632
  • Include business requirements of delivered services in the Service Level Agreement., CC ID: 00840
  • Include the management requirements for network services in the Service Level Agreement., CC ID: 12025
  • Include performance requirements in the Service Level Agreement., CC ID: 00841
  • Include the service levels for network services in the Service Level Agreement., CC ID: 12024
  • Include availability requirements in Service Level Agreements., CC ID: 13095


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Where applicable, reviewing and approving the service level agreement and contract with a third-party service provider relating to internet trading. (3.1. ¶ 1 (h), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • they maintain the orderliness of the conduct of their business and the banking and payment services they provide; (4.6 40(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • (§ 2.3, OGC ITIL: Security Management)
  • The purpose of the service level management practice is to set clear business-based targets for service levels, and to ensure that delivery of services is properly assessed, monitored, and managed against these targets. (5.2.15 ¶ 1, ITIL Foundation, 4 Edition)
  • Internal and external Service Level Agreements or equivalent documents need to clearly document the key roles, responsibilities, and procedures. (¶ 17.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framewo… (DS1.1 Service Level Management Framework, CobiT, Version 4.1)
  • Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes … (PO1.1 IT Value Management, CobiT, Version 4.1)
  • Service agreements should be signed off by an appropriate business representative (e.g., the individual in charge of a business process or activity) and the service provider. (CF.07.07.06b, The Standard of Good Practice for Information Security)
  • Service agreements should be signed off by an appropriate business representative (e.g., the individual in charge of a business process or activity) and the service provider. (CF.07.07.06b, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for maintaining complete, accurate, and relevant agreements (e.g., SLAs) between providers and customers (tenants), with an ability to measure and address non-conformance of provisions… (STA-07, Cloud Controls Matrix, v3.0)
  • The organization shall determine if an agreement that defines the stakeholder's responsibilities is necessary when a medical device is incorporated into the network or the connection's configuration is changed. (§ 4.3.4 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • A member of the service provider's management shall be appointed with the authority and responsibility for assigning authorities and responsibilities to ensure the service management process is designed, implemented, and approved. (§ 4.1.4 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall establish and maintain documents, to include the service management policy and objectives. (§ 4.3.1 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Service Level Agreement changes shall be coordinated with the service level management process. (§ 7.1 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Integrity is measured in terms of what is right and just. In the absence of specific rules, standards, or guidance or in the face of conflicting opinions, a member should test decisions and deeds by asking: "Am I doing what a person of integrity would do? Have I retained my integrity?" Integrity req… (0.300.040.04, AICPA Code of Professional Conduct, August 31, 2016)
  • Members should be diligent in discharging responsibilities to clients, employers, and the public. Diligence imposes the responsibility to render services promptly and carefully, to be thorough, and to observe applicable technical and ethical standards. (0.300.060.05, AICPA Code of Professional Conduct, August 31, 2016)
  • Verify the organization's guidelines for accepting and continuing a client relationship were complied with, based on a review of the engagement files and interviews with the service auditor. (Ques. AT407, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Principle: Firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include: - performing pre-contract due diligence on prospective service providers; - establishing … (Vendor Management, Report on Cybersecurity Practices)
  • Departments and agencies which plan, implement, and manage Technical Surveillance Countermeasure programs shall assist other departments and agencies with common Technical Surveillance Countermeasure services. (§ 149.2(a)(5), 32 CFR Part 149, Policy of Technical Surveillance Countermeasures)
  • DoD components shall develop cross-servicing agreements for Technical Surveillance Countermeasure support. (§ 5.10, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Services offered and SLA, OLA, or contractual provisions. (App A Objective 16:1a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. (VI.C Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The organization should have service level agreements with the telecommunications providers that include contingency measures and change management. (Pg E-3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should include Service Level Agreements (SLAs) in all outsourcing contracts that specify performance requirements and establish accountability. The organization should develop a process for monitoring the SLAs, nonperformance, dispute resolution, and termination of the contract. (Pg 21, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Determine whether agreements between the ODFI and originators adequately address • Liabilities and warranties, • Responsibilities for processing arrangements, and • Other originator obligations such as security and audit requirements. (Exam Tier II Obj 8.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Does the Credit Union effectively manage the critical service provider arrangements? (IT - 748 Compliance Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Supports incident management, service-level management, change management, release management, continuity management, and availability management for databases and data management systems. (T0306, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Proper documentation and reporting of the third party Risk Management process typically includes executed contracts. ("Documentation and Reporting" Bullet 5, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)