Reply To: Security Assessment SLA

  • 2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

This is an excellent suggestion – I’ll bring that forward.


  • Is there a link to Information Security Incident Response MOU, and does that MOU describe the consequences of being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?


The MOU will be posted – I believe in the next round of submissions, once it is converted to the new template.

  • I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

The reference has to do with the authority of Audit, etc., to perform their work, not as a reference to Information Security and Privacy.  The relationship of the bodies authorized to conduct investigations came up several times, and this was inserted as part of the clarification.


  • Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

These are on request.


  • It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.


This is another good suggestiong – The Information Security and Privacy Office has been publishing internal specifications for services, and it seems as if those align with what you’re suggesting here.  Those that can be published (publically, that is), like the vulnerability management program, are being published to pages.  Those that require it will be behind authentication.  Does this seem like a good fit

  • This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

At this time, these services are provided by-request only.  There are other services we provide – at no cost, that involve evaluating UNM security posture/ the posture of internet facing services.  The vulnerability management program describes some of the techniques and approaches involved.


  • Is seems like this bullet is misplaced in 3.2 Customer responsibilities: “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”

I think this is part of the updated SLA template – I’ll ask for this to be reviewed.

  • Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

I’ll ask that this be taken up as well.


  • “Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.

This is another good comment.  We needed to make sure we covered the fact that we won’t have expertise in all applications, and will rely heavily on departments for any required specialized knowledge in non-standard applications.  I think the specification process is one way to handle these (specifications can be requested from IT).


  • Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.

Absolutely.  As much as possible, standardizing the common things we do will help us focus our limited resources.