Reply To: Security Assessment SLA

#152
base
Participant

Hi Chad,

I can answer the Assessment SLA-specific questions.  I am forwarding your comments on the SLA template language to the agreements committee, and your comments on Help.UNM to our service/incident process owners for review.

Below are responses to the Security Assessment SLA-specific comments.

  • 2.1 – Will these assessments occur at the department’s request only? If they are UNM IT originated, what SLAs, processes, and costs apply?

Yes – for-fee assessment services are not performed except at the request of departments.
  • 2.1 – Where is the MOU (link) mentioned?

MOUs are not part of the current process, but the MOU/agreement referred to will be posted to the community for feedback.

  • 2.1 – Are any of the scans/reports cloud-based?

Yes, in that we conduct assessments from both on and off campus.

  • 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?

Those issues will be identified in a report provided to the department.

For the example, an incident would be opened, which is separate from the assessment requested by the department.  That incident would follow IT’s standard incident response procedures.


  • What is the resolution process if the vendor or customer disagrees with the assessment as to the severity of a vulnerability?

Customer may document the discrepancy in a memorandum of risk-acceptance.

  • If service interruption was in error, what will be the cost if any to the customer?

Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

  • 2.1 – Request for change: “comply with directions” / “Utilize directions from” …

We will consider clarifying wording change.

  • 3.1 – Could we get an example statement of work?

We will provide a template SoW in the service catalog.

  • 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?

All times are mutually agreed to before scans are conducted.

  • 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if a service break occurs due to scans/assessment?

Information Security and Privacy staff are on call 24x7; either the identified point of contact for the engagement or the on-call staff can cease/pause the scanning component of an assessment.

  • It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline.  Given that choice, a loss of service could not be declared an Incident by the customer.

(From above) Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

  • 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?

(From above) Information Security and Privacy staff are on call 24x7; either the identified point of contact for the engagement or the on-call staff can cease/pause the scanning component of an assessment.

  • 5.2 – Will customers be able to determine who has been assigned the request?

Only for an identified point of contact, if one is agreed upon.

  • Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?

The incident would be recorded against the assessment service.

  • 9.2 – Who are the primary stakeholders? Is that the ‘customer’ and UNM IT?

Additional stakeholders could include regulatory bodies and data stewards (e.g., the UNM Registrar, for FERPA data; or the UNM Treasurer, for Credit Card data).

  • This reply was modified 7 years, 7 months ago by base. Reason: re-word sentence to clarify