Reply To: Security Assessment SLA

  • Is this in affect since 9/1/2015?


That was the completion date of the original SLA.  We were asked to include this SLA as part of the current activities.

  • Impact is not being considered when vulnerabilities are identified and services are blocked.

In a security assessment, it is usually at the customers direction that services are temporarily suspended.  If this comment is not clarifying or helpful, it may be useful to have a separate conversation to address this.


The current rate is $150/ hour, but we’ll ask that this be updated.


  • 2.1 – Link to “Information Security Incident Response MOU.”  ?

The Incident Response document will be posted when it is put into the new template.  This document was also completed last fall.



Many assessments do not have sensitive and protected/ classified data that is collected, stored, processed, or transmitted.  For those that do, we would require the involvement of the Owner/ Custodian/ Steward.  It looks like there is a need to align the language with the updated policy language.

  • 3.2 – “Utilize UNM IT Service Desk for requests and incidents” – what are examples of incidents? Do we need incidents?

I’ll bring this to the attention of the process owners for the template language.


  • 4.2 – Would that be what is mentioned in 4.1 (for periods of planned maintenance, institutional closures, or as otherwise negotiated in writing.)?

This section typically applices to infrastructure-based services.  I’ll bring this to the attention of the process owners for the template language.


  • 6.1. – Given an incident can arise from 2.1 (see: “Any vulnerability assessment”) – costs should be stated and what items are charged for. When costs are unknown and uncapped, why would a Department participate in a security assessment?

At best, costs can only be estimated when an assessment uncovers that a breach has occurred.

For a credit card breach, as an example, the regulatory fines are clear (each card brand levies fees if a breach occurs with a merchant that is not compliant with the PCI standard); however, the cost may be much higher if the breach includes a response to 20,000 card holders’ data, as opposed to only a dozen.  The nature of the breach and the regulatory response will drive the cost.  Breach costs are the obligation of the institution to bear.