Include performance requirements in the Service Level Agreement.


CONTROL ID
00841
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Service Level Agreement framework. (CC ID: 00839)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A telecommunication service provider shall provide a telecommunication service which can be intercepted. (§ 12(1)(a), South African Interception of Communications Act, No 6/2007)
  • A service provider shall provide a service which has the capability to be intercepted. (§ 79(1)(a), The Electronic Communications and Transactions Act, 2002)
  • Management of IT functions should ideally formulate a service level agreement with business units to cover system availability and performance requirements, capacity for growth, and the level of support provided to users. The responsible IT functions should ensure that adequate procedures are in pla… (5.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number VI.5.4(5): The organization must ensure that the acceptance of deliverables are based on the consignment contract. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number VI.5.5(3): A quality management p… (App 2-1 Item Number VI.5.4(5), App 2-1 Item Number VI.5.5(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The FI should ensure that contractual terms and conditions governing the roles, relationships, obligations and responsibilities of all contracting parties are set out fully in written agreements. The requirements and conditions covered in the agreements would usually include performance targets, ser… (§ 5.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • ICT performance and capacity planning and monitoring solutions for critical ICT systems and services with defined availability requirements, to detect important performance and capacity constraints in a timely manner; (Title 3 3.3.4(a) 54.b(vii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • define the key KPIs and key risk indicators which, if breached, may trigger an exit (both stressed and non-stressed). (§ 10.17 Bullet 4, SS2/21 Outsourcing and third party risk management, March 2021)
  • Assess current performance and capacity of IT resources to determine if sufficient capacity and performance exist to deliver against agreed-upon service levels. (DS3.2 Current Performance and Capacity, CobiT, Version 4.1)
  • Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arr… (DS1.3 Service Level Agreements, CobiT, Version 4.1)
  • Each piece of office equipment shall be subject to strict maintenance contract / service level agreement that covers security requirements for protecting information. (CF.12.03.08a, The Standard of Good Practice for Information Security)
  • Service agreements should specify dates / times when the service is required. (CF.07.07.02d, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for detecting service interruptions. (CF.07.07.04g-1, The Standard of Good Practice for Information Security)
  • Service agreements should specify requirements for recovering from service interruptions. (CF.07.07.04g-2, The Standard of Good Practice for Information Security)
  • Each piece of office equipment shall be subject to strict maintenance contract / service level agreement that covers security requirements for protecting information. (CF.12.03.08a, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify dates / times when the service is required. (CF.07.07.02d, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for detecting service interruptions. (CF.07.07.04g-1, The Standard of Good Practice for Information Security, 2013)
  • Service agreements should specify requirements for recovering from service interruptions. (CF.07.07.04g-2, The Standard of Good Practice for Information Security, 2013)
  • Network and infrastructure Service Level Agreements (in-house or outsourced) shall clearly document security controls, capacity and service levels, and business or customer requirements. (IS-31, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • For each service delivered, the organization shall establish one or more SLAs based on the documented service requirements. The SLA(s) shall include service level targets, workload limits and exceptions. (§ 8.3.3 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Inclusion of reasonable performance standards (e.g., SLAs, RTOs); (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:3 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The vendor can provide and maintain service level performance that meets the requirements of the client, and (TIER II OBJECTIVES AND PROCEDURES F.2. Bullet 7, FFIEC IT Examination Handbook - Audit, April 2012)
  • The service level agreements provide a baseline for measuring performance. The performance should be associated with penalties and incentive clauses. (Pg 34, FFIEC IT Examination Handbook - Management)
  • The organization should ensure outsourced providers covered by service level agreements comply with all plans and performance penalties. (Pg 38, FFIEC IT Examination Handbook - Operations, July 2004)
  • The service provider contract should include performance standards that define the minimum service level requirements. Examples of performance standards include the acceptable minimum percentage of system uptime and maximum acceptable number of processing errors. The performance requirements should … (Pg 13, Exam Tier I Obj 3.4, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Significant elements of the service are identified and based on the institution's requirements; (App A Tier 2 Objectives and Procedures O.5 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Measurements specify what constitutes inadequate performance; and (App A Tier 2 Objectives and Procedures O.5 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Does the Credit Union review service provider performance reports on a regular basis? (IT - Vendor Oversight Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Ensure that appropriate Service-Level Agreements (SLAs) and underpinning contracts have been defined that clearly set out for the customer a description of the service and the measures for monitoring the service. (T0370, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should have a Memorandum of Agreement that contains the approvals, consents, and detailed operational conditions of using foreign nationals for maintenance and diagnostic activities. (App F § MA-5(4)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Ensure that appropriate Service-Level Agreements (SLAs) and underpinning contracts have been defined that clearly set out for the customer a description of the service and the measures for monitoring the service. (T0370, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The third party contract should specify performance measures that define the responsibilities and expectations of all parties. ("Contract Negotiation" ¶ 2 "Performance Measures or Benchmarks", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)