Reply To: Security Assessment SLA

  • Section 2.1.  Define “security posture.”
  • Section 2.1.  To whom will the “prioritized list of vulnerabilities” be provided?
  • Section 2.1.  “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management. “    Which management?   Of the unit requesting the scan?  Central IT management?  Clarify.    Also, what does “formally transfer ownership” mean?
  • Section 2.1.  Are security scans/assessments conducted only following a (service) request by a  unit, or can IT initiate a scan/assessment and then bill the scanned unit?
  • Sections 2.1.2, 3.1, 6.3, etc. “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers,  Schools, and Departments are all ‘units.’
  • Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.
  • Section 6.1.  What is the hourly rate for using UNM IT consulting services to investigate a  security breach?    Provide a pointer for current costs associated with this specific level of service.
  • If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response?  This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.
  • Section 6.1.  “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.”   How will cases where there is joint  (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated?    Two use cases:  (i)  a server that is current on all OS security patches is nevertheless hacked; or  (ii) a departmental  server that is not current on current OS security patches is hacked, but concurrently, it is  determined that the network configurations interfacing to that server were improperly set up  by another unit at the time of building construction.