Back

Include that the shared service provider will not oversubscribe their services in the Service Level Agreement.


CONTROL ID
04892
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Service Level Agreements for all alternate facilities., CC ID: 00745

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • if back-up facilities are shared by other parties (e.g. subsidiaries of the institution), the AI needs to verify whether all parties can be accommodated concurrently; and (6.1.3 Bullet 5, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The organization should ensure that contractual agreements with alternate sites who share the facilities with several organizations guarantee access to the required least amount of Information Technology assets needed to operate during an emergency. (Attach B ¶ 14, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In the case where a regulated institution has contractual arrangements for recovery facilities that are shared with a number of other organisations, the contract between a regulated institution and the alternate site provider would normally guarantee access to the minimum IT assets required to opera… (Attachment B ¶ 14, The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Processes should be developed by the outsourced service providers to ensure shared services are not oversubscribed without increasing capabilities and capacities. This should include policy and procedural tasks to monitor and maintain a balance between shared services and existing capacity and capab… (§ 7.11.2, § 7.11.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)