SA-9 Outsourced System Services

Control: Ensure that third-party providers of system services employ adequate security controls in accordance with applicable laws, directives, policies, regulations, standards, guidance, and established service level agreements. The organization monitors security control compliance.

Illustrative Controls and TIBCO LogLogic Solution

The process of defining and managing service levels addresses how an organization meets the functional and operational expectations of its users and, ultimately, the objectives of the business. Deficiencies in this area could significantly impact an entity's reporting and disclosure. For example, if systems are poorly managed or system functionality is not delivered as required, information might not be processed as intended.

To satisfy this control objective, administrators must configure alerts so that they are notified immediately of all critical failures, including failures of firewalls, routers, switches, servers, and applications. Alerts must be reviewed periodically. In addition, administrators must perform independent reviews of the security, availability, and processing integrity of third-party service providers by continuously monitoring the service level agreements through adequate logging and reporting.

The LogLogic® Compliance Suite - FISMA Edition can continuously monitor the availability of the IT infrastructure using behavioral-based alerts. Administrators can configure alerts to monitor the performance of firewalls, routers, switches, servers, applications, and operating systems so that they are notified immediately of failures. Real-time reports and custom, regular-expression searches also enable administrators to quickly identify and determine the root cause of any problems. This further mitigates risk and minimizes interruptions to service availability.

Reports and Alerts

Use the following reference to see the SA-9 reports and alerts: SA-9.