- Is this in effect since 9/1/2015?
That was the completion date of the original SLA. We were asked to include this SLA as part of the current activities.
- Impact is not being considered when vulnerabilities are identified and services are blocked.
In a security assessment, it is usually at the customer's direction that services are temporarily suspended. If this comment is not clarifying or helpful, it may be useful to have a separate conversation to address this.
- 2 – Pricing be noted here in SLA. Can the link be more specific instead of: http://it.unm.edu/servicecatalog/?
The current rate is $150/hour, but we'll ask that this be updated.
- 2.1 – Link to “Information Security Incident Response MOU.” ?
The Incident Response document will be posted when it is put into the new template. This document was also completed last fall.
- 3.2 – For “scope of the assessment” – should be Data Custodian since Data Owners and Stewards are defined: http://data.unm.edu/roles-and-responsibilities.html ?
Many assessments do not have sensitive and protected/classified data that is collected, stored, processed, or transmitted. For those that do, we would require the involvement of the Owner/Custodian/Steward. It looks like there is a need to align the language with the updated policy language.
- 3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?
I’ll bring this to the attention of the process owners for the template language.
- 4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?
This section typically applies to infrastructure-based services. I'll bring this to the attention of the process owners for the template language.
- 6.1 – Given an incident can arise from 2.1 (see: "Any vulnerability assessment") – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?
At best, costs can only be estimated when an assessment uncovers that a breach has occurred.
For a credit card breach, as an example, the regulatory fines are clear (each card brand levies fees if a breach occurs with a merchant that is not compliant with the PCI standard); however, the cost may be much higher if the breach includes a response to 20,000 card holders’ data, as opposed to only a dozen. The nature of the breach and the regulatory response will drive the cost. Breach costs are the obligation of the institution to bear.