3.3.3 Manage Service Level Agreements
No: 43028139 | Date(g): 4/11/2021 | Date(h): 29/3/1443 | Status: In-Force
Effective from 2021-11-04 (Nov 03 2021)
Principle
Contractual terms and conditions governing the roles, relationships, obligations and responsibilities of internal stakeholders and third parties should be formally agreed, developed and adequately controlled.
Control Requirements
1. Internal IT Service Level Agreements (SLAs) should be formally defined, approved, and communicated to the relevant business departments of the Member Organizations.
2. The effectiveness of the internal IT SLA should be monitored, measured, and periodically evaluated.
3. Internal IT SLAs should include the following, but not limited to:
   a. the service level agreed between the business functions and the IT department;
   b. specific and measurable targets for IT services against the defined KPIs; and
   c. roles and responsibilities of the business and IT stakeholders.
4. The third party relationship process should be defined, approved, implemented, and communicated.
5. The effectiveness of the third party relationship process should be monitored, measured, and periodically evaluated.
6. A formal SLA should be defined and signed with the third party.
7. The third party relationship process should cover the following requirements, but not limited to:
   a. outsourcing service providers should have adequate processes in place to ensure the availability and protection of outsourced data and applications;
   b. periodic reporting, reviewing and evaluating of the contractually agreed requirements (in SLAs);
   c. changes to the provision of the provided services;
   d. execution of a risk assessment as part of the procurement process;
   e. an escalation process in case of SLA breach;
   f. administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of information;
   g. legal assurance from the third party to provide onsite support, mandating the onsite presence of a certified and experienced relevant support engineer within a defined timeline to support the Member Organizations in adverse situations;
   h. exiting, terminating, or renewing the contract (including escrow agreements if applicable);
   i. compliance with applicable frameworks, including but not limited to the SAMA Cyber Security, Business Continuity Management and IT Governance Frameworks, and applicable Laws and Regulations;
   j. right to audit (by the Member Organizations or an independent party); and
   k. a Non-Disclosure Agreement ('NDA').