Include business requirements of delivered services in the Service Level Agreement.
CONTROL ID
00840
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Service Level Agreement framework., CC ID: 00839

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization must provide the necessary specifications, data, and other materials specified in the contract to the consignee. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number VI.5.4(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • the definition of business requirements regarding outsourcing arrangements; (4.7 42(c)(i), Final Report on EBA Guidelines on outsourcing arrangements)
  • (§ 2.3.1.2, OGC ITIL: Security Management)
  • Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framewo… (DS1.1 Service Level Management Framework, CobiT, Version 4.1)
  • Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arr… (DS1.3 Service Level Agreements, CobiT, Version 4.1)
  • Base definitions of IT services on service characteristics and business requirements. Ensure that they are organised and stored centrally via the implementation of a service catalogue portfolio approach. (DS1.2 Definition of Services, CobiT, Version 4.1)
  • Infrastructure management services include maintaining and managing infrastructure performance, maintaining databases, troubleshooting errors, backing up and restoring services, performing downtime analyses, monitoring IT infrastructure activities, and reporting critical system failures and conseque… (§ 3 (Infrastructure Management), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Each piece of office equipment shall be subject to strict maintenance contract / service level agreement that covers remote access for maintenance purposes. (CF.12.03.08c, The Standard of Good Practice for Information Security)
  • Each piece of office equipment shall be subject to strict maintenance contract / Service Level Agreement that covers securely destroying information when equipment is decommissioned, sold, or sent back to the supplier (e.g., for maintenance). (CF.12.03.08d, The Standard of Good Practice for Information Security)
  • Access to office equipment by maintenance staff (including remote access by external service providers) should be subject to authentication (e.g., password, token, biometric, or Radio Frequency Identification badge) to prevent unauthorized access and provide accountability. (CF.12.03.09b, The Standard of Good Practice for Information Security)
  • Service agreements should specify who is in charge of the computer and network services being provided. (CF.07.07.02a, The Standard of Good Practice for Information Security)
  • Service agreements should specify the capacity requirements of systems and networks (e.g., the projected number of users, normal and peak volumes of work to be handled, response times, and transmission rates). (CF.07.07.02e, The Standard of Good Practice for Information Security)
  • Service agreements should specify Access Control requirements, including access restrictions (e.g., restricting business users and support staff; permissible / disallowed methods of connection; and access points). (CF.07.07.03a, The Standard of Good Practice for Information Security)
  • Service agreements should specify access control requirements, including authentication methods. (CF.07.07.03b, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for segregation of facilities. (CF.07.07.04a-2, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for protection against malware (e.g., computer viruses, worms, trojan horses, spyware, rootkits, botnet software, keystroke loggers, adware, and malicious mobile code). (CF.07.07.04b, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for protecting sensitive information in transit (e.g., by using encryption). (CF.07.07.04c, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for installation activity relating to hardware. (CF.07.07.04d-1, The Standard of Good Practice for Information Security)
  • Each piece of office equipment shall be subject to strict maintenance contract / service level agreement that covers remote access for maintenance purposes. (CF.12.03.08c, The Standard of Good Practice for Information Security, 2013)
  • Each piece of office equipment shall be subject to strict maintenance contract / Service Level Agreement that covers securely destroying information when equipment is decommissioned, sold, or sent back to the supplier (e.g., for maintenance). (CF.12.03.08d, The Standard of Good Practice for Information Security, 2013)
  • Access to office equipment by maintenance staff (including remote access by external service providers) should be subject to authentication (e.g., password, token, biometric, or Radio Frequency Identification badge) to prevent unauthorized access and provide accountability. (CF.12.03.09b, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify who is in charge of the computer and network services being provided. (CF.07.07.02a, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify the capacity requirements of systems and networks (e.g., the projected number of users, normal and peak volumes of work to be handled, response times, and transmission rates). (CF.07.07.02e, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify Access Control requirements, including access restrictions (e.g., restricting business users and support staff; permissible / disallowed methods of connection; and access points). (CF.07.07.03a, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify access control requirements, including authentication methods. (CF.07.07.03b, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for segregation of facilities. (CF.07.07.04a-2, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for protection against malware (e.g., computer viruses, worms, trojan horses, spyware, rootkits, botnet software, keystroke loggers, adware, and malicious mobile code). (CF.07.07.04b, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for protecting sensitive information in transit (e.g., by using encryption). (CF.07.07.04c, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for installation activity relating to hardware. (CF.07.07.04d-1, The Standard of Good Practice for Information Security, 2013)
  • Service Level Agreements (SLAs) should include security requirements. They should give the organization the right to monitor and disconnect network connections, as needed. Agreements should be made with all outside organizations that are connected to the network. (Action 1.1.8, SANS Computer Security Incident Handling, Version 2.3.1)
  • The agreement shall identify the responsibility for all aspects of the lifecycle and all the activities of the lifecycle. (§ 4.3.4 ¶ 2, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • A member of the service provider's management shall be appointed and have the responsibility and authority to ensure the service requirements are identified, documented, and fulfilled. (§ 4.1.4 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider and the customer shall agree on the services to be delivered. (§ 6.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall agree with the customer on a catalog of services, including the dependencies between the services and service components. (§ 6.1 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • service level targets or other contractual obligations; (§ 8.3.4.1 ¶ 2(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Although a service organization can contract with a subservice organization to perform functions that form a portion of the service organization's system, it still retains obligations to user entities with regard to those functions. As a result, part of its system of internal control includes activi… (¶ 3.154, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • CMS business partner managers of compartmentalized systems shall specify the required security level when negotiating with general support systems (GSSs) and major applications (MAs) for services. (§ 4.1.3 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • A medical device manufacturer shall establish and maintain procedures and instructions to perform and verify that any required servicing meets the specified requirements. (§ 820.200(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Timeliness. (§ 5.1.1.3 ¶ 1 8., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Reporting of measurements is required; (App A Tier 2 Objectives and Procedures O.5 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)