3.3.3 Manage Service Level Agreements
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force |
Principle
Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of internal stakeholders and third parties should be formally agreed, developed and adequately controlled.
Control Requirements
1. Internal IT Service Level Agreements (SLAs) should be formally defined, approved, and communicated to the relevant business departments of the Member Organizations.
2. The effectiveness of the internal IT SLA should be monitored, measured, and periodically evaluated.
3. Internal IT SLAs should include the following, but not be limited to:
   a. the service level agreed between the business functions and the IT department;
   b. specific and measurable targets for IT services against the defined KPIs; and
   c. roles and responsibilities of the business and IT stakeholders.
4. The third party relationship process should be defined, approved, implemented, and communicated.
5. The effectiveness of the third party relationship process should be monitored, measured, and periodically evaluated.
6. A formal SLA should be defined and signed with the third party.
7. The third party relationship process should cover the following requirements, but not be limited to:
   a. outsourcing service providers should have adequate processes in place to ensure the availability and protection of outsourced data and applications;
   b. periodic reporting, reviewing and evaluating of the contractually agreed requirements (in SLAs);
   c. changes to the provision of provided services;
   d. execution of a risk assessment as part of the procurement process;
   e. an escalation process in case of an SLA breach;
   f. administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information;
   g. legal assurance from the third party to provide onsite support, mandating the onsite presence of a certified and experienced relevant support engineer within a defined timeline to support the Member Organizations in adverse situations;
   h. exiting, terminating, or renewing the contract (including escrow agreements if applicable);
   i. compliance with applicable frameworks, including but not limited to the SAMA Cyber Security, Business Continuity Management and IT Governance Frameworks, and applicable Laws and Regulations;
   j. right to audit (by the Member Organizations or an independent party); and
   k. a Non-Disclosure Agreement ('NDA').