Datacenter – Colocation SLA

    • #336
      aswancer
      Participant

      Datacenter (core) services have a very broad scope with several major components, including physical and logical protection, server management, database management, and backups and restores. IT has four primary SLAs and one standard that are meant to address these components: 1. LoboCloud service, 2. Database management service, 3. Backup services, 4. Co-Location Service, and the datacenter standard. IT offers additional related services that can be found on the IT service catalog. This SLA is specific to Colocation.

    • #357
      erooney
      Participant

      – How does this apply to “shared” facilities/spaces or the different tiers of data centers defined in the proposed Data Center and Server Room Standard? What tier, as defined in the proposed Data Center Standard, does this SLA apply to? Is this intended to cover colocation in UNM IT’s Tier 4 facility only?

      2.1.1:
      – Is it possible to provide the Colocation Facility Access Agreement as an attachment?
      – Bullet items 2 and 3 need some clarification. If a department has signed the Colocation Facility Access Agreement do they still need to submit a Help.UNM ticket for access > 24 hours in advance? In cases where a department needs emergency access <24 hours, what is that process?
      – Is unescorted access available 24/7 or only during business hours?
      – There is text about having to “refrain from bypassing firewall rules”. This passage sounds like a requirement and should use MUST, REQUIRED or SHALL to indicate that this is absolute as defined in RFC 2119.

      2.2.2:
      – What specific things does this walkthrough observe? Are results of walkthrough documented and available to the customer for review?

      3.2:
      – For sensitive data, should Data Custodian/Owner be made aware? Is UNM IT the data custodian in these colocation instances or is the department with the server?
      – If a department has less than a full rack of equip, and is located with other colocated servers, do other departments have access to our equip in the same rack or is access locked down to the unit? Do you have racks that are specific to the kinds of data being stored on them in instances a department purchases existing rack space?
      – Is department access to servers escorted and only during business hours or do dept staff have access 24/7 unescorted in cases of emergencies or unplanned outages where we have failures?
      – Bullet 7 reads “Contact UNM IT Service Manager for additions or changes in established service levels;”. However, section 4.3 indicates that exceptions go through the CIO’s Office.
      – Bullet 9: Are “special data types” those listed in the Data Classification Standard? If so, reword to specifically indicate that storing any E-Class or C-Class data requires the department to notify UNM IT and Data Owner or Steward?

      Eugene

      • #365
        bpietrewicz
        Keymaster

        Eugene,

        Thanks for taking the time to comment:

        – The IT data center is tier 4 including co-lo
        2.1.1
        – I will post the Co-location Facility Access Agreement this week.  Today if possible.
        – The second bullet on 2.1.1 should say Request escorted access.  I will update the SLA.
        – Yes unescorted access is available 24/7.  I will update the SLA. 
        –  I will ask our agreements committee about must vs shall language.
        2.2.2
        – Co-location racks are visually inspected.  If there are warning lights/indicators or unusual sounds the technical contact will be notified.   Facilities equipment is visually inspected for leaks, unusual noises or warning lights.  Issues are addressed immediately using the appropriate request/incident methodology.   There is no separate report for the walk through.         
        3.2
        – When a request comes in to store sensitive data hosted via colo, the request is forwarded to security.  Security refers the customer to the data steward for approval.  Once approved, security validates the technical controls.
        – Different customers can be colocated in the same racks.  The rack doors are not locked, so yes, colocation customers do have physical access to other colo customer equipment.  Equipment is not racked based on data type.
        – Unescorted access is 24/7.  This will be updated in the SLA.  Escorted access is during business hours. Escorted access can be escalated in the event of an emergency.  Escalation is done by placing a call to the IT service desk. 
        – 3.2 is referring to enhancing or adding features to the service.  4.3 is the process for requesting exceptions to the SLA.
        – No, the special data types are not listed in the Data Classification Standard, they have been classified by the appropriate UNM Data Owners/ Stewards, as identified in UNM Policy 2580, and as denoted on the Data Governance web site at: http://data.unm.edu/data-classification.html
        If IT receives a request for a Colocation service that involves a new data element not on the list, it will be forwarded to the Data Owners, who will classify that data element.
        Regards,
        Brian

    • #411
      cdean
      Participant

      Although at this point Law has no plans to use this service, we reserve the right to create a customized SLA specific to our needs with mutually-agreed upon consequences for both Law and UNM IT.
      Cyndi Johnson

    • #421
      ayoder
      Participant

      2 What happens if a department is working with an external contractor? What is the process for UNM IT when interacting with contractors hired to implement solutions for UNM?

      2.1 Community is misspelled also “physical compute servers”? Physical Servers?

      2.1 Is 10 gigabit networking available in the colocation space? Is there an additional charge? 

      2.1.1 “Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit” What happens in the event of an Incident? 

      7 Maintenance Window for Colocation servers is not listed? 

      If UNM IT needs to change the regular maintenance window, they should generate a new SLA to make sure it meets the business requirements of UNM

      • #463
        bpietrewicz
        Keymaster

        Q: 2 What happens if a department is working with an external contractor? What is the process for UNM IT when interacting with contractors hired to implement solutions for UNM?

        A: We only get involved from an access perspective.  Contractors working on Co-Lo equipment must be escorted by the Co-Lo customer.  If the contractor needs frequent access to the co-lo space there is an option to grant unescorted access.

        Q: 2.1 Community is misspelled also “physical compute servers”? Physical Servers?

        A: I will correct both on the SLA.

        Q: 2.1 Is 10 gigabit networking available in the colocation space? Is there an additional charge? 

        A: 10 Gb networking is not available at this time.  We have not received enough interest to invest in the infrastructure.  If you would like to have it you can make a request and we can discuss options. 

        Q: 2.1.1 “Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit” What happens in the event of an Incident?

        A: Relay the urgency to the service desk and they can raise the priority of the ticket.  Or you can request unescorted access which will give you 24/7 access to the datacenter.  

        Q: 7 Maintenance Window for Colocation servers is not listed? 

        A: There is no maintenance window for the datacenter at this time.   

        Q: If UNM IT needs to change the regular maintenance window, they should generate a new SLA to make sure it meets the business requirements of UNM.

        A: If IT has a need for a maintenance window in the future we will update the SLA and give customers 90 days’ notice of the change. 

    • #423
      elisha
      Participant

      2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?

      2.1.1 – Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and database servers, for instance?

      “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)”.

      2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.

      3.1
      More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”

      Where will reports on performance be accessible?

      For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? Are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?

      3.2 Is there any training or certification that should be required for qualified personnel?

      4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?

      7 Same question as 4.2 related to input into changes in maintenance windows.

      • #470
        bpietrewicz
        Keymaster

        Q: 2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?

        A: If a department is paying for a full rack the rack is dedicated to the department.  

        Q: 2.1.1 – Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and database servers, for instance?

        A: We do not offer NAT for co-lo at this time.  It is on the road map.  NAT will be available to LoboCloud customers in the near future.

        Q: “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)”.

        A: There are special circumstances in which co-lo customers can bypass the firewall.  We want to call this out specifically. 

        Q: 2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.

        A: Good catch.  I will add it to the SLA.

        Q: 3.1
        More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
        Where will reports on performance be accessible?

        A: Per Security:
        Standard Communication Approach:
        For documents that describe our operational security processes, it is our practice to keep those documents from publication.  

        Below are a couple of redacted, non-sensitive steps taken from our Standard Operating Procedure (SOP) that covers responding to incidents on deptweb.  The steps listed below are representative of the standard steps in our SOPs that describe what we do in incident response in terms of standard customer communications:
        a. Attempt to contact department … (to) make the first attempt to un-publish the compromised site;
        b. If department can’t be contacted … or if malware is being distributed through the compromised site … un-publish the compromised site.
        Exceptions:
        While there are rare exceptions to the approach referenced above, those exceptions involve either:
        • An apparent breach/ exposure of Personally Identifiable/ Sensitive and Protected Information (PII/ SPI) that require an immediate disconnect or similar response;
        • An apparent Denial of Service (DoS) attack that also requires an immediate disconnect or response.
        Hopefully this helps clarify the standard approach that we use in responding to such incidents from the perspective of customer communication.  

        Q: For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? Are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?

        A: Yes we follow our standard change management processes for changes to the datacenter.  Change would go through CAB/TAT.  Notifications will be posted on IT alerts.  If an outage of Co-Lo services is required we would reach out to co-lo customers. There is no need for a maintenance window at this time.  If a maintenance window is needed in the future IT will update the SLA and give co-lo customers at least 90 days’ notice. 

        Q: 3.2 Is there any training or certification that should be required for qualified personnel?

        A: Yes we give co-lo customers training before they begin using the service and upon request.  I will update the SLA.   

        Q: 4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?

        A: Yes.  We will notify customers of any maintenance that may impact them.  At that time we will discuss customer requirements.

        Q: 7 Same question as 4.2 related to input into changes in maintenance windows.
        A: After seeing this question for the second time I think it would be best to update the SLA with the appropriate information.  I will update the SLA.  

    • #479
      barchu02
      Participant

      2.1.1 End-User (Department IT) Requirements to Use the Service
      Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit;

      What happens if a critical co-location server goes down and the owner needs immediate access?

      2.2.2 Specific Service Levels
      Ensure bi-weekly walk-through by UNM IT to observe condition of Customer’s devices;

      Does IT contact the customer if they find an issue? Does IT physically touch the machines?

      • #489
        bpietrewicz
        Keymaster

        Q: 2.1.1 End-User (Department IT) Requirements to Use the Service
        Request access to the Data Center via Help.UNM, with a minimum of one (1) business day prior to visit;
        What happens if a critical co-location server goes down and the owner needs immediate access?

        A: Relay the urgency to the service desk and they can raise the priority of the ticket.  Or you can request unescorted access which will give you 24/7 access to the datacenter.  

        Q: 2.2.2 Specific Service Levels
        Ensure bi-weekly walk-through by UNM IT to observe condition of Customer’s devices;
        Does IT contact the customer if they find an issue? Does IT physically touch the machines?

        A: Yes IT will contact the customer if we notice anything unusual.  No IT will not touch customer machines unless the customer requests IT to do so.  
