General:
Is this in effect since 9/1/2015?
Impact is not being considered when vulnerabilities are identified and services are blocked.
2 – Pricing should be noted here in the SLA. Can the link be more specific instead of: http://it.unm.edu/servicecatalog/?
2.1 – Link to “Information Security Incident Response MOU”?
3.2 – For “scope of the assessment” – should be Data Custodian since Data Owners and Stewards are defined: http://data.unm.edu/roles-and-responsibilities.html ?
3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?
4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?
6.1 – Given that an incident can arise from 2.1 (see: “Any vulnerability assessment”), costs should be stated, along with what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?