Page 152 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Vendor, Consultant, and Contractor Agreements and Controls
Vendor, consultant, and contractor controls are used to define the
levels of performance, expectation, compensation, and consequences
for entities, persons, or organizations that are external to the primary
organization. Often these controls are defined in a document or policy
known as a service-level agreement (SLA).
Using SLAs is an increasingly popular way to ensure that
organizations providing services to internal and/or external customers
maintain an appropriate level of service agreed on by both the service
provider and the customer receiving the service. It’s a wise move to put SLAs in place for any
data circuits, applications, information processing systems, databases,
or other critical components that are vital to your organization’s
continued viability. SLAs are important when using any type of third-
party service provider, which would include cloud services. The
following issues are commonly addressed in SLAs:
System uptime (as a percentage of overall operating time)
Maximum consecutive downtime (in seconds/minutes/and so on)
Peak load
Average load
Responsibility for diagnostics
Failover time (if redundancy is in place)
SLAs also commonly include financial and other contractual remedies
that kick in if the agreement is not maintained. For example, if a
critical circuit is down for more than 15 minutes, the service provider
might agree to waive all charges on that circuit for one week.
SLAs and vendor, consultant, and contractor controls are an
important part of risk reduction and risk transference. They do not
avoid the risk, because the outside service is still used; instead they
reduce the likelihood of a failure by setting measurable targets, and
they shift part of the financial consequence of a failure onto the
provider through contractual penalties. By clearly
defining the expectations and penalties for external parties, everyone
involved knows what is expected of them and what the consequences
are in the event of a failure to meet those expectations. Although it
may be very cost effective to use outside providers for a variety of