
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement.


CONTROL ID: 04893
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Service Level Agreements for all alternate facilities. (CC ID: 00745)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). AIs should satisfy themselves that such vendors do actually hav… (5.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. In some cases, a retainer agreement may be advisable to ensure priority service from the vendors in the face of competing demands from … (5.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Sudden unplanned demand increases for services and service levels due to unforeseen circumstances during a disaster/failure should be accommodated by the ICT disaster recovery service providers. These demands may exceed what is stated in the SLA. Procedures and policies should be developed to handle… (§ 9.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; (§ 8.4.3 ¶ 2(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • When there are dependencies upon critical service providers, does the Business Continuity and Disaster Recovery program include capabilities adequate to support the plan by contract requirements? (§ K.1.2.15.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Alternate locations and capacity for: (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)