Reply To: Security Assessment SLA


2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

Is there a link to “<span style=”line-height: 1.5;”>Information Security Incident Response MOU”, and does that MOU describe the consequences of </span>something<span style=”line-height: 1.5;”> being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?</span>

I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.

This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

Is seems like this bullet is misplaced in 3.2 Customer responsibilities:

“<span style=”line-height: 1.5;”>IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”</span>

Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

“<span style=”line-height: 1.5;”>Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” – </span><span style=”line-height: 1.5;”>Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.</span>

Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.