Establish, implement, and maintain a service management monitoring and metrics program.


CONTROL ID: 13916
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Report on the average advertised download speed., CC ID: 15567
  • Communicate trends in service management to all interested personnel and affected parties., CC ID: 13926
  • Report on the average actual sustained download speed., CC ID: 15568
  • Monitor service availability when implementing the service management monitoring and metrics program., CC ID: 13921
  • Report on the system average interruption frequency., CC ID: 15565


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Interfaces for an automated real-time monitoring of the service (minimum capacity, availability as well as elimination of malfunctions) are established to be able to monitor compliance with the service level agreements agreed upon and to promptly respond to deviations. At least once a year, an audit… (Section 5.12 DLL-02 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The purpose of the measurement and reporting practice is to support good decision-making and continual improvement by decreasing the levels of uncertainty. This is achieved through the collection of relevant data on various managed objects and the valid assessment of this data in an appropriate cont… (5.1.5 ¶ 1, ITIL Foundation, 4 Edition)
  • Monitor and report on demand and consumption of services. (§ 8.4.2 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Reports on the performance and effectiveness of the SMS and the services shall be produced using information from the SMS activities and delivery of the services. Service reporting shall include trends. (§ 9.4 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Sufficient Relevant Data. Obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed. (2.300.001.01 d., AICPA Code of Professional Conduct, August 31, 2016)
  • Fully maintaining, patching, monitoring, and protecting the portions of PaaS service offering OSs and applications for which they are responsible (which may vary from none to all) as defined in the service offering SLA/description and/or the Mission Owner's SLA/contract. (Section 6.4 ¶ 1 Bullet 4, sub-bullet 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Metrics and measurements used to evaluate service management effectiveness. (App A Objective 16:1a Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. (VI.C Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up. (T0389, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up. (T0389, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)