- This topic has 16 replies, 8 voices, and was last updated 8 years, 9 months ago by base.
-
AuthorPosts
-
-
February 8, 2016 at 12:18 pm #70nssabolKeymaster
Security Assessment SLA
Attachments:
-
February 10, 2016 at 12:38 pm #86gfaustinParticipant
Part of this SLA needs to include a process for communicating security updates to the UNM network to IT personnel (within reason) in colleges/departments and research centers so they can proactively deal with any access problems that may affect staff.
-
February 12, 2016 at 11:21 am #150baseParticipant
Grace, could you clarify please?
In your comment below, are you referring to the communication process as a step in the for-fee service in the SLA, or do you mean this as a separate item, or are you asking for a service by which IT notifies the community of vulnerabilities?
“Part of this SLA needs to include a process for communicating security updates to the UNM network to IT personnel (within reason) in colleges/departments and research centers so they can proactively deal with any access problems that may affect staff.”
Thank you.
-
-
February 11, 2016 at 3:03 pm #100ccovey01Participant
General SLA concern – in most of the current SLAs and Service Catalog, UNM Enterprise services are offered by a single entity, there is no competitive marketplace. Given that, shouldn’t UNM customers (departments) have an equal stake in the writing and re-writing of the SLAs? And should this revision process be set annually for all SLAs and services where UNM departments are the customer?
SLA’s between customers and vendors typically feature the ability for either side to terminate the SLA – what is the escalation/termination process for UNM SLA’s between Central IT and departments? What if customers are gravely unhappy with service delivery? What if the service owner is unhappy with the customer? Is there an arbitrating body to make determinations when the service owner and departments disagree about the SLA or service delivery?Understandably, many Enterprise services now appear to have cost recovery components. Between the service catalogs and the SLAs, funds appear to flow unilaterally from the customer to the service owner. With no cost downside, there’s little incentive for the service owner to be timely or accountable. What mechanisms are in place to ensure accountability by the service owner?
- Inclusion of a 1,2, 3 strikes escalation series might be appropriate accountability mechanism – 1 to 2 incidents lead to remediation meetings and revision of SLA. 3rd incident leads to SLA termination.
- A return to the customer of the full amount or part of the fees for the service might be a necessary baseline for most SLAs and statements of work.
- In the case of a mis-routed ticket, as an example, where the customer followed the appropriate protocol, but the ticket was mis-routed, what can customers expect as compensation in terms of lost time, productivity, or funding?
- What happens if a grant is affected or lost due to an Incident?
Help.UNM appears to be the default mechanism for reporting issues and incidents, per the SLA. It does not presently allow customers to see to whom the ticket is routed, who owns it, etc.,
- To protect both the service owner and customers, perhaps Help ticket responses could by default include the routing and owner of the ticket? Mis-routed tickets do happen, and a mis-routed ticket could become very expensive to either the customer or service owner.
There seems to be a general concern about the number of SLAs appearing weekly, and little time for discussion. Given their importance, and the likely volume of comments forthcoming, would it be better to put them into some sort of document management system, like SharePoint?
- 2.1 – Will these assessments occur at the department’s request only?
- If they are UNM IT originated, what SLAs, processes, and costs apply?
- 2.1 – Where is the MOU (link) mentioned?
- 2.1 – Are any of the scans/reports cloud-based?
- 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?
For example, if a department’s service has been interrupted due to UNM IT Security request to Networking to shut off network access to a scanned system or service, and the department then fixes the issue and reports the fix to UNM IT, how many business days does UNM IT have to complete a remediation scan and provide results to customer?
- What is resolution process if vendor or customer disagrees with the assessment as to the severity of a vulnerability?
- If service interruption was in error, what will be the cost if any to the customer?
- 2.1 Request for change- “comply with directions” “Utilize directions from” …..
- 3.1 – Could we get an example statement of work?
- 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?
- 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if service break occurs due to scans/assessment?
- It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline. Given that choice, a loss of service could not be declared an Incident by the customer.
4.3 Escalation –
- Request to Add – “Customer can after 1 Incident request meeting on-site with Service Owner and Service Manager”
- Request to Add – “Customer can after 2 Incidents request review and redraft of SLA”
- Request to Add – “Customer can after 3 Incidents request termination of SLA”
- 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?
- 5.2 – Will customers be able to determine who has been assigned the request?
6 – Incident
- Does the department have the ability to declare an incident?
- Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?
- Request to Add – “If the customer experiences a service interruption due to an IT Security Assessment, and the Assessment is not paused or canceled within 2 business hours after customer notifies Service Owner, an Incident has occurred.”
- Request to Add – “If the customer experiences a service interruption as a result of an IT Security Assessment, where service is removed, and the customer requests a remediation assessment, and the remediation assessment is not completed within 2 business days, an Incident has occurred.”
- If the department experiences incidents, what are the department’s options in terms of escalation and revision of the SLA?
- 9.2 who are the primary stakeholders? Is that the ‘customer’ and UNM IT?
-
February 12, 2016 at 11:51 am #152baseParticipant
Hi Chad,
I can answer the Assessment SLA-specific questions. I am forwarding your comments on the SLA template language to the agreements committee, and your comments on Help.UNM to our service/ incident process owners for review.
Below are responses the Security Assessment SLA-specific comments.
- 2.1 – Will these assessments occur at the department’s request only?</span>
- Yes – for-fee assessment services are not performed except at the request of departments.
If they are UNM IT originated, what SLAs, processes, and costs apply? - 2.1 – Where is the MOU (link) mentioned?
MOUs are not part of the current process, but the MOU/ agreement referred to will be posted to the community for feedback.
- 2.1 – Are any of the scans/reports cloud-based?</span>
Yes, in that we conduct assessments from both on and off campus.
- 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure? </span>
Those issues will be identified in a report provided to the department.
For the example, an incident would be opened, which is separate from the assessment requested by the department. That incident would follow IT’s standard incident response proedures.
- What is resolution process if vendor or customer disagrees with the assessment as to the severity of a vulnerability?
Customer may document the discrepancy in a memorandum of risk-acceptance.
- If service interruption was in error, what will be the cost if any to the customer?
Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption. These would be scoped in or out, or scheduled at a time that is least impactful to the customer.
- 2.1 Request for change- “comply with directions” “Utilize directions from” …..
We will consider clarifying wording change.
- 3.1 – Could we get an example statement of work?
We will provide a template SoW in the service catalog.
- 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?
All times are mutually agreed to before scans are conducted.
- 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if service break occurs due to scans/assessment?
Information Security and Privacy staff are on call 24X7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.
- It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline. Given that choice, a loss of service could not be declared an Incident by the customer.
(From above) Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption. These would be scoped in or out, or scheduled at a time that is least impactful to the customer.
- 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?
(From above) Information Security and Privacy staff are on call 24X7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.
- 5.2 – Will customers be able to determine who has been assigned the request?
Only for an identified point of contact, if one is agreed upon.
- Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?
The incident would be recorded against the assessment service.
- 9.2 who are the primary stakeholders? Is that the ‘customer’ and UNM IT?
Additional stakeholders could include regulatory bodies and data stewards (e.g., the UNM Registrar, for FERPA data; or the UNM Treasurer, for Credit Card data).
- This reply was modified 8 years, 9 months ago by base. Reason: re-word sentence to clarify
-
February 11, 2016 at 4:10 pm #108aballoParticipant
General:
Is this in affect since 9/1/2015?
Impact is not being considered when vulnerabilities are identified and services are blocked.
2 – Pricing be noted here in SLA. Can the link be more specific instead of: http://it.unm.edu/servicecatalog/?
2.1 – Link to “Information Security Incident Response MOU.” ?
3.2 – For “scope of the assessment” – should be Data Custodian since Data Owners and Stewards are defined: http://data.unm.edu/roles-and-responsibilities.html ?
3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?
4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?
6.1. – Given an incident can arise from 2.1 (see: “Any vulnerability assessment”) – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?
-
February 12, 2016 at 12:00 pm #156
-
February 12, 2016 at 12:21 pm #159baseParticipant
- Is this in affect since 9/1/2015?
That was the completion date of the original SLA. We were asked to include this SLA as part of the current activities.
- Impact is not being considered when vulnerabilities are identified and services are blocked.
In a security assessment, it is usually at the customers direction that services are temporarily suspended. If this comment is not clarifying or helpful, it may be useful to have a separate conversation to address this.
- 2 – Pricing be noted here in SLA. Can the link be more specific instead of: http://it.unm.edu/servicecatalog/?
The current rate is $150/ hour, but we’ll ask that this be updated.
- 2.1 – Link to “Information Security Incident Response MOU.” ?
The Incident Response document will be posted when it is put into the new template. This document was also completed last fall.
- 3.2 – For “scope of the assessment” – should be Data Custodian since Data Owners and Stewards are defined: http://data.unm.edu/roles-and-responsibilities.html ?
Many assessments do not have sensitive and protected/ classified data that is collected, stored, processed, or transmitted. For those that do, we would require the involvement of the Owner/ Custodian/ Steward. It looks like there is a need to align the language with the updated policy language.
- 3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?
I’ll bring this to the attention of the process owners for the template language.
- 4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?
This section typically applices to infrastructure-based services. I’ll bring this to the attention of the process owners for the template language.
- 6.1. – Given an incident can arise from 2.1 (see: “Any vulnerability assessment”) – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?
At best, costs can only be estimated when an assessment uncovers that a breach has occurred.
For a credit card breach, as an example, the regulatory fines are clear (each card brand levies fees if a breach occurs with a merchant that is not compliant with the PCI standard); however, the cost may be much higher if the breach includes a response to 20,000 card holders’ data, as opposed to only a dozen. The nature of the breach and the regulatory response will drive the cost. Breach costs are the obligation of the institution to bear.
-
-
February 11, 2016 at 10:04 pm #126susierParticipant
- Section 2.1. Define “security posture.”
- Section 2.1. To whom will the “prioritized list of vulnerabilities” be provided?
- Section 2.1. “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management. “ Which management? Of the unit requesting the scan? Central IT management? Clarify. Also, what does “formally transfer ownership” mean?
- Section 2.1. Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?
- Sections 2.1.2, 3.1, 6.3, etc. “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers, Schools, and Departments are all ‘units.’
- Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.
- Section 6.1. What is the hourly rate for using UNM IT consulting services to investigate a security breach? Provide a pointer for current costs associated with this specific level of service.
- If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response? This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.
- Section 6.1. “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.” How will cases where there is joint (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated? Two use cases: (i) a server that is current on all OS security patches is nevertheless hacked; or (ii) a departmental server that is not current on current OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.
-
February 12, 2016 at 12:41 pm #164baseParticipant
<div class=”bbp-reply-content”>
- Section 2.1. Define “security posture.”
We’ll provide a definition.
- Section 2.1. To whom will the “prioritized list of vulnerabilities” be provided?
To the customer.
- Section 2.1. “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management. “ Which management? Of the unit requesting the scan? Central IT management? Clarify. Also, what does “formally transfer ownership” mean?
To the management area responsible for the data in question. For example, the UNM Registrar, for FERPA data. The risk transference takes the form of a memorandum of risk transference.
- Section 2.1. Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?
Security assessments as defined in this service only take place at the request of the unit.
- Sections 2.1.2, 3.1, 6.3, etc. “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers, Schools, and Departments are all ‘units.’
We’ll recommend this change.
- Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.
This is conducted in an in-person meeting with any appropriate stakeholders (depending upon the scope and nature of the breach). Details of this process are in the MOU that will be provided in this forum.
- Section 6.1. What is the hourly rate for using UNM IT consulting services to investigate a security breach? Provide a pointer for current costs associated with this specific level of service.
This will be updated in the SLA but is also posted in the service catalog: $150/ hour time and materials.
- If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response? This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.
Breaches are not generally covered by this SLA, but are covered in the MOU, which is forthcoming once it is put into the updated SLA template.
- Section 6.1. “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.” How will cases where there is joint (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated?
Not all breaches will result in a bill, but the answer will depend upon the specifics of a given security incident.
- Two use cases: (i) a server that is current on all OS security patches is nevertheless hacked;
Dependencies could include whether there were phished administrative credentials, insufficient security configurations implemented, etc., but will depend upon the specifics of a given security incident.
- or (ii) a departmental server that is not current on current OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.
Root cause analysis would be separate from any billing considerations. Root cause analysis is critical to prevent recurrence and improve security posture over time.
</div>
-
February 12, 2016 at 10:33 am #144cdeanParticipant
I have concerns about the SLA process. The ones I’ve read so far are too general with a significant amount of boilerplate language simply carried from one SLA to the other. Although I understand that the timeline was set by President Frank for SLA generation, it’s not clear to me that the President set the timeline for the comment period. It seems highly unlikely that busy IT employees have the time to read, consider, and respond to these critically important documents. Several of the SLAs will need tweaked to satisfy specific departmental needs and that language needs built into every SLA produced during this process. However, my biggest concern is the lack of consequences if the terms of the SLA are not met. I attended an IT UNM meeting last fall where the CIO spoke about SLAs back when SLA generation was to be a collaborative effort with involvement from IT Agents and others from the UNM IT community. When asked about consequences if the SLA terms were not met, the CIO’s response was that people would lose their jobs. Perhaps the CIO didn’t anticipate that meeting attendees would have questions about consequences but such a superficial reply to a serious question is troubling to me. The bottom line is that there needs to be specific, well-defined consequences for not meeting the SLA terms for both the customer and Central IT on every SLA.
This particular SLA has serious issues and needs work but others have commented on the specifics. I simply don’t have time to do so right now and therefore am limiting my comments to the overall process.- This reply was modified 8 years, 9 months ago by cdean.
-
February 12, 2016 at 12:24 pm #160elishaParticipant
2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?
Is there a link to “<span style=”line-height: 1.5;”>Information Security Incident Response MOU”, and does that MOU describe the consequences of </span>something<span style=”line-height: 1.5;”> being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?</span>
I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?
Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?
It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.
This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.
Is seems like this bullet is misplaced in 3.2 Customer responsibilities:
“<span style=”line-height: 1.5;”>IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”</span>
Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?
“<span style=”line-height: 1.5;”>Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” – </span><span style=”line-height: 1.5;”>Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.</span>
Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.
-
February 12, 2016 at 1:20 pm #169baseParticipant
- 2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?
This is an excellent suggestion – I’ll bring that forward.
- Is there a link to Information Security Incident Response MOU, and does that MOU describe the consequences of being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?
The MOU will be posted – I believe in the next round of submissions, once it is converted to the new template.
- I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?
The reference has to do with the authority of Audit, etc., to perform their work, not as a reference to Information Security and Privacy. The relationship of the bodies authorized to conduct investigations came up several times, and this was inserted as part of the clarification.
- Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?
These are on request.
- It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.
This is another good suggestiong – The Information Security and Privacy Office has been publishing internal specifications for services, and it seems as if those align with what you’re suggesting here. Those that can be published (publically, that is), like the vulnerability management program, are being published to it.unm.edu/security pages. Those that require it will be behind authentication. Does this seem like a good fit
- This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.
At this time, these services are provided by-request only. There are other services we provide – at no cost, that involve evaluating UNM security posture/ the posture of internet facing services. The vulnerability management program describes some of the techniques and approaches involved.
- Is seems like this bullet is misplaced in 3.2 Customer responsibilities: “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”
I think this is part of the updated SLA template – I’ll ask for this to be reviewed.
- Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?
I’ll ask that this be taken up as well.
- “Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.
This is another good comment. We needed to make sure we covered the fact that we won’t have expertise in all applications, and will rely heavily on departments for any required specialized knowledge in non-standard applications. I think the specification process is one way to handle these (specifications can be requested from IT).
- Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.
Absolutely. As much as possible, standardizing the common things we do will help us focus our limited resources.
-
-
February 12, 2016 at 12:29 pm #162ccovey01Participant
Jeff and Tuan,
One trend I see forming is the need for all SLAs to link to
- the specific service catalog/cost statement(s) that they invoke
- as well as all dependent documents, like the Incident Response document
That will help us all consider the full implications of the SLAs.
Again, thanks for your replies to the various discussions.
Chad
-
-
AuthorPosts
- The topic ‘Security Assessment SLA’ is closed to new replies.