Reply To: Security Assessment SLA


General SLA concern – in most of the current SLAs and Service Catalog, UNM Enterprise services are offered by a single entity, there is no competitive marketplace.  Given that, shouldn’t UNM customers (departments) have an equal stake in the writing and re-writing of the SLAs?  And should this revision process be set annually for all SLAs and services where UNM departments are the customer?
SLA’s between customers and vendors typically feature the ability for either side to terminate the SLA – what is the escalation/termination process for UNM SLA’s between Central IT and departments?  What if customers are gravely unhappy with service delivery?  What if the service owner is unhappy with the customer? Is there an arbitrating body to make determinations when the service owner and departments disagree about the SLA or service delivery?

Understandably, many Enterprise services now appear to have cost recovery components. Between the service catalogs and the SLAs, funds appear to flow unilaterally from the customer to the service owner.  With no cost downside, there’s little incentive for the service owner to be timely or accountable. What mechanisms are in place to ensure accountability by the service owner?

  • Inclusion of a 1,2, 3 strikes escalation series might be appropriate accountability mechanism – 1 to 2 incidents lead to remediation meetings and revision of SLA.  3rd incident leads to SLA termination.
  • A return to the customer of the full amount or part of the fees for the service might be a necessary baseline for most SLAs and statements of work.
  • In the case of a mis-routed ticket, as an example, where the customer followed the appropriate protocol, but the ticket was mis-routed, what can customers expect as compensation in terms of lost time, productivity, or funding?


  • What happens if a grant is affected or lost due to an Incident?


Help.UNM appears to be the default mechanism for reporting issues and incidents, per the SLA.  It does not presently allow customers to see to whom the ticket is routed, who owns it, etc.,

  • To protect both the service owner and customers, perhaps Help ticket responses could by default include the routing and owner of the ticket?  Mis-routed tickets do happen, and a mis-routed ticket could become very expensive to either the customer or service owner.

There seems to be a general concern about the number of SLAs appearing weekly, and little time for discussion.  Given their importance, and the likely volume of comments forthcoming, would it be better to put them into some sort of document management system, like SharePoint?

  • 2.1 – Will these assessments occur at the department’s request only?
  • If they are UNM IT originated, what SLAs, processes, and costs apply?
  • 2.1 – Where is the MOU (link) mentioned?
  • 2.1  – Are any of the scans/reports cloud-based?
  • 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?

    For example, if a department’s service has been interrupted due to UNM IT Security request to Networking to shut off network access to a scanned system or service, and the department then fixes the issue and reports the fix to UNM IT, how many business days does UNM IT have to complete a remediation scan and provide results to customer?


  • What is resolution process if vendor or customer disagrees with the assessment as to the severity of a vulnerability?
  • If service interruption was in error, what will be the cost if any to the customer?
  • 2.1  Request for change- “comply with directions”   “Utilize directions from” …..
  • 3.1 – Could we get an example statement of work?
  • 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?
  • 4.1 –  Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if service break occurs due to scans/assessment?
  • It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline.  Given that choice, a loss of service could not be declared an Incident by the customer.

    4.3 Escalation –

  • Request to Add – “Customer can after 1  Incident request meeting on-site with Service Owner and Service Manager”
  • Request to Add – “Customer can after 2  Incidents request review and redraft of SLA”
  • Request to Add – “Customer can after 3  Incidents request termination of SLA”
  • 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?
  • 5.2 – Will customers be able to determine who has been assigned the request?


6 –  Incident

  • Does the department have the ability to declare an incident?
  • Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?
  • Request to Add – “If the customer experiences a service interruption due to an IT Security Assessment, and the Assessment is not paused or canceled within 2 business hours after customer notifies Service Owner, an Incident has occurred.”
  • Request to Add – “If the customer experiences a service interruption as a result of an IT Security Assessment, where service is removed, and the customer requests a remediation assessment, and the remediation assessment is not completed within 2 business days, an Incident has occurred.”
  • If the department experiences incidents, what are the department’s options in terms of escalation and revision of the SLA?
  • 9.2 who are the primary stakeholders? Is that the ‘customer’ and UNM IT?