Reply To: Security Assessment SLA

#164
base
Participant

<div class="bbp-reply-content">

  • Section 2.1.  Define “security posture.”

We’ll provide a definition.

  • Section 2.1.  To whom will the “prioritized list of vulnerabilities” be provided?

To the customer.

  • Section 2.1.  “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management.”  Which management? Of the unit requesting the scan? Central IT management? Clarify. Also, what does “formally transfer ownership” mean?

To the management area responsible for the data in question.  For example, the UNM Registrar, for FERPA data.  The risk transference takes the form of a memorandum of risk transference.

  • Section 2.1.  Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?

Security assessments as defined in this service only take place at the request of the unit.

  • Sections 2.1.2, 3.1, 6.3, etc.  “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a “department,” for example. However, Centers, Schools, and Departments are all “units.”

We’ll recommend this change.

  • Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.

This is conducted in an in-person meeting with any appropriate stakeholders (depending upon the scope and nature of the breach).  Details of this process are in the MOU that will be provided in this forum.

  • Section 6.1.  What is the hourly rate for using UNM IT consulting services to investigate a security breach? Provide a pointer for current costs associated with this specific level of service.

This will be updated in the SLA but is also posted in the service catalog: $150/hour, time and materials.

  • If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response?  This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.

Breaches are not generally covered by this SLA, but are covered in the MOU, which is forthcoming once it is put into the updated SLA template.

  • Section 6.1.  “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.”  How will cases where there is joint (cross-unit) or no obvious “end-user” responsibility be handled/adjudicated?

Not all breaches will result in a bill, but the answer will depend upon the specifics of a given security incident.

  • Two use cases:  (i)  a server that is current on all OS security patches is nevertheless hacked;

Dependencies could include whether there were phished administrative credentials, insufficient security configurations implemented, etc., but will depend upon the specifics of a given security incident.

  • or (ii) a departmental server that is not current on OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.

Root cause analysis would be separate from any billing considerations.  Root cause analysis is critical to prevent recurrence and improve security posture over time.

</div>