Security Assessment SLA

    • #70
      nssabol
      Keymaster

      Security Assessment SLA

    • #86
      gfaustin
      Participant

      Part of this SLA needs to include a process for communicating security updates to the UNM network to IT personnel (within reason) in colleges/departments and research centers so they can proactively deal with any access problems that may affect staff.

      • #150
        base
        Participant

        Grace, could you clarify please?

        In your comment below, are you referring to the communication process as a step in the for-fee service in the SLA, or do you mean this as a separate item, or are you asking for a service by which IT notifies the community of vulnerabilities?

        “Part of this SLA needs to include a process for communicating security updates to the UNM network to IT personnel (within reason) in colleges/departments and research centers so they can proactively deal with any access problems that may affect staff.”

        Thank you.

    • #100
      ccovey01
      Participant

      General SLA concern – in most of the current SLAs and the Service Catalog, UNM Enterprise services are offered by a single entity; there is no competitive marketplace.  Given that, shouldn’t UNM customers (departments) have an equal stake in the writing and re-writing of the SLAs?  And should this revision process be set annually for all SLAs and services where UNM departments are the customer?

      SLAs between customers and vendors typically feature the ability for either side to terminate the SLA – what is the escalation/termination process for UNM SLAs between Central IT and departments?  What if customers are gravely unhappy with service delivery?  What if the service owner is unhappy with the customer?  Is there an arbitrating body to make determinations when the service owner and departments disagree about the SLA or service delivery?

      Understandably, many Enterprise services now appear to have cost recovery components. Between the service catalogs and the SLAs, funds appear to flow unilaterally from the customer to the service owner.  With no cost downside, there’s little incentive for the service owner to be timely or accountable. What mechanisms are in place to ensure accountability by the service owner?

      • Inclusion of a 1, 2, 3 strikes escalation series might be an appropriate accountability mechanism – 1 to 2 incidents lead to remediation meetings and revision of the SLA; the 3rd incident leads to SLA termination.
      • A return to the customer of the full amount or part of the fees for the service might be a necessary baseline for most SLAs and statements of work.
      • In the case of a mis-routed ticket, as an example, where the customer followed the appropriate protocol but the ticket was mis-routed, what can customers expect as compensation in terms of lost time, productivity, or funding?
      • What happens if a grant is affected or lost due to an Incident?

       

      Help.UNM appears to be the default mechanism for reporting issues and incidents, per the SLA.  It does not presently allow customers to see to whom the ticket is routed, who owns it, etc.

      • To protect both the service owner and customers, perhaps Help ticket responses could by default include the routing and owner of the ticket?  Mis-routed tickets do happen, and a mis-routed ticket could become very expensive to either the customer or service owner.

      There seems to be a general concern about the number of SLAs appearing weekly, and little time for discussion.  Given their importance, and the likely volume of comments forthcoming, would it be better to put them into some sort of document management system, like SharePoint?

      • 2.1 – Will these assessments occur at the department’s request only?
      • If they are UNM IT originated, what SLAs, processes, and costs apply?
      • 2.1 – Where is the MOU (link) mentioned?
      • 2.1 – Are any of the scans/reports cloud-based?
      • 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?

        For example, if a department’s service has been interrupted due to a UNM IT Security request to Networking to shut off network access to a scanned system or service, and the department then fixes the issue and reports the fix to UNM IT, how many business days does UNM IT have to complete a remediation scan and provide results to the customer?

      • What is the resolution process if the vendor or customer disagrees with the assessment as to the severity of a vulnerability?
      • If the service interruption was in error, what will be the cost, if any, to the customer?
      • 2.1 – Request for wording change: “comply with directions” vs. “Utilize directions from” …
      • 3.1 – Could we get an example statement of work?
      • 4.1 – Will departments be given the time the scans take place, to prepare their users for potential loss of service?
      • 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if a service break occurs due to scans/assessment?
      • It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline.  Given that choice, a loss of service could not be declared an Incident by the customer.

      4.3 – Escalation

      • Request to Add – “Customer can after 1 Incident request meeting on-site with Service Owner and Service Manager”
      • Request to Add – “Customer can after 2 Incidents request review and redraft of SLA”
      • Request to Add – “Customer can after 3 Incidents request termination of SLA”
      • 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?
      • 5.2 – Will customers be able to determine who has been assigned the request?

      6 – Incident

      • Does the department have the ability to declare an incident?
      • Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?
      • Request to Add – “If the customer experiences a service interruption due to an IT Security Assessment, and the Assessment is not paused or canceled within 2 business hours after customer notifies Service Owner, an Incident has occurred.”
      • Request to Add – “If the customer experiences a service interruption as a result of an IT Security Assessment, where service is removed, and the customer requests a remediation assessment, and the remediation assessment is not completed within 2 business days, an Incident has occurred.”
      • If the department experiences incidents, what are the department’s options in terms of escalation and revision of the SLA?
      • 9.2 – Who are the primary stakeholders? Is that the ‘customer’ and UNM IT?
      • #152
        base
        Participant

        Hi Chad,

        I can answer the Assessment SLA-specific questions.  I am forwarding your comments on the SLA template language to the agreements committee, and your comments on Help.UNM to our service/ incident process owners for review.

        Below are responses to the Security Assessment SLA-specific comments.

        • 2.1 – Will these assessments occur at the department’s request only?

        Yes – for-fee assessment services are not performed except at the request of departments.

        • If they are UNM IT originated, what SLAs, processes, and costs apply?

        • 2.1 – Where is the MOU (link) mentioned?

        MOUs are not part of the current process, but the MOU/ agreement referred to will be posted to the community for feedback.

        • 2.1 – Are any of the scans/reports cloud-based?

        Yes, in that we conduct assessments from both on and off campus.

        • 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?

        Those issues will be identified in a report provided to the department.

        For the example, an incident would be opened, which is separate from the assessment requested by the department.  That incident would follow IT’s standard incident response procedures.

        • What is the resolution process if the vendor or customer disagrees with the assessment as to the severity of a vulnerability?

        Customer may document the discrepancy in a memorandum of risk-acceptance.

        • If service interruption was in error, what will be the cost if any to the customer?

        Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

        • 2.1 – Request for wording change: “comply with directions” vs. “Utilize directions from” …

        We will consider clarifying wording change.

        • 3.1 – Could we get an example statement of work?

        We will provide a template SoW in the service catalog.

        • 4.1 – Will departments be given the time the scans take place, to prepare their users for potential loss of service?

        All times are mutually agreed to before scans are conducted.

        • 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if a service break occurs due to scans/assessment?

        Information Security and Privacy staff are on call 24x7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.

        • It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline.  Given that choice, a loss of service could not be declared an Incident by the customer.

        (From above) Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

        • 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?

        (From above) Information Security and Privacy staff are on call 24x7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.

        • 5.2 – Will customers be able to determine who has been assigned the request?

        Only for an identified point of contact, if one is agreed upon.

        • Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?

        The incident would be recorded against the assessment service.

        • 9.2 – Who are the primary stakeholders? Is that the ‘customer’ and UNM IT?

        Additional stakeholders could include regulatory bodies and data stewards (e.g., the UNM Registrar, for FERPA data; or the UNM Treasurer, for Credit Card data).

        • #154
          ccovey01
          Participant

          Jeff,

          Thank you for the replies – on the last point, so the customers would not be part of the stakeholders group?

          Chad

          • #158
            base
            Participant

            Hi Chad,

            The customer would be considered part of the stakeholder group from the outset of the engagement.

            Jeff

    • #108
      aballo
      Participant

      General:

      Is this in effect since 9/1/2015?

      Impact is not being considered when vulnerabilities are identified and services are blocked.

      2 – Pricing should be noted here in the SLA.  Can the link be more specific instead of: http://it.unm.edu/servicecatalog/?

      2.1 – Link to “Information Security Incident Response MOU.”  ?

      3.2 – For “scope of the assessment” – should be Data Custodian since Data Owners and Stewards are defined: http://data.unm.edu/roles-and-responsibilities.html  ?

      3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?

      4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?

      6.1. – Given an incident can arise from 2.1 (see: “Any vulnerability assessment”) – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?

      • #156
        base
        Participant

        removing out-of-order reply and placing it in context.
      • #159
        base
        Participant

        • Is this in effect since 9/1/2015?

        That was the completion date of the original SLA.  We were asked to include this SLA as part of the current activities.

        • Impact is not being considered when vulnerabilities are identified and services are blocked.

        In a security assessment, it is usually at the customer’s direction that services are temporarily suspended.  If this comment is not clarifying or helpful, it may be useful to have a separate conversation to address this.

        The current rate is $150/ hour, but we’ll ask that this be updated.

        • 2.1 – Link to “Information Security Incident Response MOU.”  ?

        The Incident Response document will be posted when it is put into the new template.  This document was also completed last fall.

        Many assessments do not have sensitive and protected/ classified data that is collected, stored, processed, or transmitted.  For those that do, we would require the involvement of the Owner/ Custodian/ Steward.  It looks like there is a need to align the language with the updated policy language.

        • 3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?

        I’ll bring this to the attention of the process owners for the template language.

        • 4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?

        This section typically applies to infrastructure-based services.  I’ll bring this to the attention of the process owners for the template language.

        • 6.1. – Given an incident can arise from 2.1 (see: “Any vulnerability assessment”) – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?

        At best, costs can only be estimated when an assessment uncovers that a breach has occurred.

        For a credit card breach, as an example, the regulatory fines are clear (each card brand levies fees if a breach occurs with a merchant that is not compliant with the PCI standard); however, the cost may be much higher if the breach includes a response to 20,000 card holders’ data, as opposed to only a dozen.  The nature of the breach and the regulatory response will drive the cost.  Breach costs are the obligation of the institution to bear.

    • #126
      susier
      Participant

      • Section 2.1.  Define “security posture.”
      • Section 2.1.  To whom will the “prioritized list of vulnerabilities” be provided?
      • Section 2.1.  “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management.”  Which management?  Of the unit requesting the scan?  Central IT management?  Clarify.  Also, what does “formally transfer ownership” mean?
      • Section 2.1.  Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?
      • Sections 2.1.2, 3.1, 6.3, etc.  “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers, Schools, and Departments are all ‘units.’
      • Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.
      • Section 6.1.  What is the hourly rate for using UNM IT consulting services to investigate a security breach?  Provide a pointer for current costs associated with this specific level of service.
      • If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response?  This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.
      • Section 6.1.  “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.”  How will cases where there is joint (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated?  Two use cases: (i) a server that is current on all OS security patches is nevertheless hacked; or (ii) a departmental server that is not current on OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.
      • #164
        base
        Participant

        • Section 2.1.  Define “security posture.”

        We’ll provide a definition.

        • Section 2.1.  To whom will the “prioritized list of vulnerabilities” be provided?

        To the customer.

        • Section 2.1.  “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management.”  Which management?  Of the unit requesting the scan?  Central IT management?  Clarify.  Also, what does “formally transfer ownership” mean?

        To the management area responsible for the data in question.  For example, the UNM Registrar, for FERPA data.  The risk transference takes the form of a memorandum of risk transference.

        • Section 2.1.  Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?

        Security assessments as defined in this service only take place at the request of the unit.

        • Sections 2.1.2, 3.1, 6.3, etc.  “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers, Schools, and Departments are all ‘units.’

        We’ll recommend this change.

        • Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.

        This is conducted in an in-person meeting with any appropriate stakeholders (depending upon the scope and nature of the breach).  Details of this process are in the MOU that will be provided in this forum.

        • Section 6.1.  What is the hourly rate for using UNM IT consulting services to investigate a security breach?  Provide a pointer for current costs associated with this specific level of service.

        This will be updated in the SLA but is also posted in the service catalog: $150/ hour time and materials.

        • If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response?  This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.

        Breaches are not generally covered by this SLA, but are covered in the MOU, which is forthcoming once it is put into the updated SLA template.

        • Section 6.1.  “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.”  How will cases where there is joint (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated?

        Not all breaches will result in a bill, but the answer will depend upon the specifics of a given security incident.

        • Two use cases: (i) a server that is current on all OS security patches is nevertheless hacked;

        Dependencies could include whether there were phished administrative credentials, insufficient security configurations implemented, etc., but will depend upon the specifics of a given security incident.

        • or (ii) a departmental server that is not current on OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.

        Root cause analysis would be separate from any billing considerations.  Root cause analysis is critical to prevent recurrence and improve security posture over time.

    • #144
      cdean
      Participant

      I have concerns about the SLA process. The ones I’ve read so far are too general, with a significant amount of boilerplate language simply carried from one SLA to the other. Although I understand that the timeline was set by President Frank for SLA generation, it’s not clear to me that the President set the timeline for the comment period. It seems highly unlikely that busy IT employees have the time to read, consider, and respond to these critically important documents. Several of the SLAs will need to be tweaked to satisfy specific departmental needs, and that language needs to be built into every SLA produced during this process. However, my biggest concern is the lack of consequences if the terms of the SLA are not met. I attended an IT UNM meeting last fall where the CIO spoke about SLAs, back when SLA generation was to be a collaborative effort with involvement from IT Agents and others from the UNM IT community. When asked about consequences if the SLA terms were not met, the CIO’s response was that people would lose their jobs. Perhaps the CIO didn’t anticipate that meeting attendees would have questions about consequences, but such a superficial reply to a serious question is troubling to me. The bottom line is that there need to be specific, well-defined consequences for not meeting the SLA terms for both the customer and Central IT on every SLA.

      This particular SLA has serious issues and needs work, but others have commented on the specifics. I simply don’t have time to do so right now and therefore am limiting my comments to the overall process.

      • #168
        base
        Participant

        Please let me know if there are additional concerns that have not been addressed through the comments in the feedback here.

        I will forward your comments on the SLA processes.

    • #160
      elisha
      Participant

      2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

      Is there a link to “Information Security Incident Response MOU”, and does that MOU describe the consequences of something being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?

      I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

      Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

      It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.

      This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

      It seems like this bullet is misplaced in 3.2 Customer responsibilities:

      “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”

      Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

      “Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” – Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.

      Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.

      • #169
        base
        Participant

        • 2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

        This is an excellent suggestion – I’ll bring that forward.

        • Is there a link to Information Security Incident Response MOU, and does that MOU describe the consequences of being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?

        The MOU will be posted – I believe in the next round of submissions, once it is converted to the new template.

        • I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

        The reference has to do with the authority of Audit, etc., to perform their work, not as a reference to Information Security and Privacy.  The relationship of the bodies authorized to conduct investigations came up several times, and this was inserted as part of the clarification.

        • Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

        These are on request.

        • It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.

        This is another good suggestion – The Information Security and Privacy Office has been publishing internal specifications for services, and it seems as if those align with what you’re suggesting here.  Those that can be published (publicly, that is), like the vulnerability management program, are being published to the it.unm.edu/security pages.  Those that require it will be behind authentication.  Does this seem like a good fit?

        • This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

        At this time, these services are provided by-request only.  There are other services we provide – at no cost, that involve evaluating UNM security posture/ the posture of internet facing services.  The vulnerability management program describes some of the techniques and approaches involved.

        • It seems like this bullet is misplaced in 3.2 Customer responsibilities: “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”

        I think this is part of the updated SLA template – I’ll ask for this to be reviewed.

        • Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

        I’ll ask that this be taken up as well.

        • “Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.

        This is another good comment.  We needed to make sure we covered the fact that we won’t have expertise in all applications, and will rely heavily on departments for any required specialized knowledge in non-standard applications.  I think the specification process is one way to handle these (specifications can be requested from IT).

        • Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.

        Absolutely.  As much as possible, standardizing the common things we do will help us focus our limited resources.

    • #162
      ccovey01
      Participant

      Jeff and Tuan,

      One trend I see forming is the need for all SLAs to link to

      • the specific service catalog/cost statement(s) that they invoke
      • as well as all dependent documents, like the Incident Response document

      That will help us all consider the full implications of the SLAs.

      Again, thanks for your replies to the various discussions.

      Chad
