
Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement.


CONTROL ID: 04893
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Service Level Agreements for all alternate facilities. CC ID: 00745

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should avoid placing excessive reliance on external vendors in providing BCP support, particularly where a number of institutions are using the services of the same vendor (e.g. to provide back-up facilities or additional hardware). AIs should satisfy themselves that such vendors do actually hav… (5.3.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The contractual terms should include the lead-time and capacity that vendors are committed to deliver in terms of back-up facilities, technical support or hardware. In some cases, a retainer agreement may be advisable to ensure priority service from the vendors in the face of competing demands from … (5.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Cloud service providers' ability to dynamically scale resources in response to a genuine spike in demand is discussed and verified as part of capacity and availability planning for online services. (Control: ISM-1579; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Cloud service providers' ability to dynamically scale resources in response to a genuine spike in demand is discussed and verified as part of capacity and availability planning for online services. (Control: ISM-1579; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Sudden unplanned demand increases for services and service levels due to unforeseen circumstances during a disaster/failure should be accommodated by the ICT disaster recovery service providers. These demands may exceed what is stated in the SLA. Procedures and policies should be developed to handle… (§ 9.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; (§ 8.4.3 ¶ 2(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • When there are dependencies upon critical service providers, does the Business Continuity and Disaster Recovery program include capabilities adequate to support the plan by contract requirements? (§ K.1.2.15.4, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Alternate locations and capacity for: (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Alternate sites may be owned and operated by the organization (internal recovery), or commercial sites may be available under contract. If contracting for the site with a commercial vendor, adequate testing time, work space, security requirements, hardware requirements, telecommunications requiremen… (§ 3.4.3 ¶ 7, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))