Service level agreement

Questions 82 to 84 — check if the level of availability stated and detailed in the service level agreement meets your requirements.

Questions 82 to 84 — service level agreement

Table 1 lists who is responsible for answering each question.

Context and help for questions 82 to 84

Record your answers to these questions in either:

Questions to answer

  1. Does the service level agreement include a performance percentage for an expected and minimum availability over a clearly defined period?
    1. If yes — are the business requirements for availability met?
    • Example — does the service support your government organisation’s recovery time objective and acceptable interruption window?
  2. Does the service level agreement include defined, scheduled outage windows?
    1. If yes — do the specified outage windows affect New Zealand business operations?
    2. If no — has the service provider implemented technologies that enable them to perform maintenance activities without the need for an outage?
  3. Does the service level agreement include a compensation clause for a breach of the guaranteed availability percentages?
    1. If yes — does this provide an adequate level of compensation should the service provider breach the service level agreement?

Table 1: Who answers each question
Entity Questions to answer
Government organisation 82a, 83a, 84a
Service provider 82, 83, 83b, 84

Where to find the service provider’s answers

You can get the answers to the service provider’s questions from a combination of:

  • direct communication with the provider
  • the provider’s policies and audit reports on their website
  • previous assessments by other government organisations.

If you do not have the service provider’s answers

If you need higher assurance for the information, consider a different public cloud service if:

  • the provider does not give you their answers or other information you need for your risk assessment
  • you cannot get acceptable third-party assurance
  • there are no ways to lessen the risk of this incomplete information.

Independent assurance reports — New Zealand Information Security Manual

Context and help for questions 82 to 84

The following guidance gives you context and help for answering questions about the service level agreement.

Direct contracts — check for information you can use

Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:

NZ government agreements and contracts — check for certification documents you can use

You can use certification documents to help with your risk assessment of using either:

  • an all-of-government agreement
  • a Marketplace contract.

To get these, contact the security team at the Department of Internal Affairs at ictassurance@dia.govt.nz.

Define the level of availability

The service level agreement typically specifies the level of expected availability as a performance percentage. Make sure you understand exactly what the defined percentage means and see whether or not these levels meet your requirements for availability.

Example — defined level of availability

An uptime of 99.9% over a year allows for up to 9 hours of unscheduled outages without breaching the service level agreement.

Scheduled outage windows

Review any scheduled outage windows that are defined in the service level agreement. Make sure they will not harm your business operations.

Example — reviewing the scheduled outage windows for potential problems

A service level agreement has a 3-hour scheduled outage on the first Tuesday of each month between 17:00 and 20:00 Eastern Daylight Time (EDT).

This may harm your business operations because the outage would occur between 10:00 and 13:00 on Wednesday in New Zealand.

Some providers can do maintenance activities without needing an outage to their services. If this is the case, make sure the service level agreement says this.

If there is no mention of outages in the service level agreement, you should not assume they will not happen.

Remedies or compensation for outages

If the service level agreement is breached, you need to know the:

  • range of remedies available — this helps the service provider and government organisation to work out a solution
  • minimum remedy for an outage
  • compensation clauses that take into account the impact on your government organisation if the service is unavailable.

While it’s rare to be able to negotiate contracts for public cloud services, the Government Chief Digital Officer’s examples of terms and conditions can help you to understand what you should be looking for in contracts.

Pay attention to what is best practice for government organisations.

Terms and conditions for negotiating contracts for public cloud services

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated