Include availability requirements in Service Level Agreements.


CONTROL ID
13095
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Service Level Agreement framework., CC ID: 00839

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Management of IT functions should ideally formulate a service level agreement with business units to cover system availability and performance requirements, capacity for growth, and the level of support provided to users. The responsible IT functions should ensure that adequate procedures are in pla… (5.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • In the case of outsourcing the storage of backup copies, it is necessary to consider the reliability, security, and utilization system (whether stored documents are available whenever necessary, etc.) of the company entrusted with operations. (P45.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • their capacity to withstand denial-of-service attacks (Control: ISM-1431; Revision: 5; Bullet 1, Australian Government Information Security Manual, June 2023)
  • their capacity to withstand denial-of-service attacks (Control: ISM-1431; Revision: 5; Bullet 1, Australian Government Information Security Manual, September 2023)
  • Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arr… (DS1.3 Service Level Agreements, CobiT, Version 4.1)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), FedRAMP Security Controls High Baseline, Version 5)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1) ¶ 1(a) Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1) ¶ 1(a) High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Accessibility: length of time necessary to retrieve the data from storage and the storage facility's operating hours; (§ 3.4.2 ¶ 2 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Site availability; (§ 3.4.3 ¶ 9 Bullet 5, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Existing Compatible Equipment. Equipment currently housed and used by the contracted hot site or by another organization within the organization may be used. Agreements made with hot sites and reciprocal internal sites stipulate that similar and compatible equipment will be available for contingency… (§ 3.4.4 ¶ 1 Bullet 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • SLAs can facilitate prompt recovery following software or hardware problems associated with the telecommunications. An SLA also may be developed with the NSP or ISP to guarantee the desired network availability and establish tariffs if the vendor's network is unavailable. If the NSP or ISP is contra… (§ 5.3.2 ¶ 10, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Backup media should be stored offsite in a secure, environmentally controlled location. When selecting the offsite location, hours of the location, ease of accessibility to backup media, physical storage limitations, and the contract terms should be taken into account. The ISCP Coordinator should re… (§ 5.1.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and (CP-8(1)(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service. (§ 6-1-1308 (1)(c)(II), Colorado Revised Statutes, Title 6, Article 1, Part 13, Colorado Privacy Act)
  • Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and (CP-8(1)(a), TX-RAMP Security Controls Baseline Level 2)