Reply To: Security Incident Response


– most of us are inclined to support some sort of chargeback for negligence – but what would happen if the incident resulted from a state actor or advanced persistent threat? To encourage reporting of all real or potential incidents – which is ultimately what we all want – maybe investigations and remediation could be considered core services?

What we want to avoid are internal punitive repercussions that will limit reporting – things that customers fear like massive investigation costs and removal or takeover of their resources. On the other hand, perhaps this SLA can show in detail the external factors that customers should perceive as risks – regulatory and accreditation bodies, credit reporting coverage for breached accounts, etc.? Basically, make it clear to data users that internally, UNM IT will help them, that the investigation is about discovery, not punishment. But that there are serious consequences external to UNM – in those cases, they cannot dodge responsibility for negligence.

This SLA could reassure customers that UNM IT will shepherd them through a process that may not have been their fault; otherwise, their fear of internal repercussions and costs may prevent them from reporting suspected issues, which could allow an APT to thrive on the network. There is a time and place for cost recovery, but I fear implementing it within the Security Incidents SLA will undermine the larger goal: identifying and removing bad actors from the UNM network.

  • This reply was modified 8 years, 3 months ago by ccovey01.