Page 1173 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
(SLAs) when contracting cloud-based services. The SLA stipulates
performance expectations and often includes penalties if the vendor
doesn’t meet these expectations.

Change and configuration management are two additional controls
that help reduce outages. Configuration management ensures that
systems are deployed in a consistent manner that is known to be
secure. Imaging is a common configuration management technique
that ensures that systems start with a known baseline. Change
management helps reduce unintended outages from unauthorized
changes and can also help prevent changes from weakening security.

Patch and vulnerability management procedures work together to
keep systems protected against known vulnerabilities. Patch
management keeps systems up to date with relevant patches.
Vulnerability management includes vulnerability scans to check for a
wide variety of known vulnerabilities (including unpatched systems)
and includes vulnerability assessments done as part of a risk
assessment.

