David
25/01/2017 10:50
Dear Forum,
Is anyone aware of a regulatory or industry best practice paper that gives guidance on the controls that should be included in the contract or service level agreements with Software as a Service (SaaS) vendors?
These may vary slightly from vendor to vendor, but there are typical items such as notification period for planned downtime, approval process for changing software/infrastructure, recovery time/point objectives, retention period for data, etc. that should be covered.
I have my own notes from experience but would like to verify them against industry best practice/regulatory expectations, so links to guidelines would be appreciated.