Q: 2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?
A: If a department is paying for a full rack the rack is dedicated to the department.
Q: 2.1.1- Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and data base servers, for instance?
A: We do not offer NAT for co-lo at this time. It is on the road map. Nat will be available to LoboCloud customers in the near future.
Q: “Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)
A: There are special circumstances in which co-lo customers can bypass the firewall. We want to call this out specifically.
Q : 2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.
A: Good catch. I will add it the SLA.
Q: 3.1
More definition of this would be useful “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
Where will reports on performance be accessible?
A: Per Security:
Standard Communication Approach:
For documents that describe our operational security processes, it is our practice to keep those documents from publication.
Below are a couple of redacted, non-sensitive steps taken from our Standard Operating Procedure SOP that covers responding to incidents on deptweb. The steps listed below are representative of the standard steps in our SOPs that describe what we do in incident response in terms of standard customer communications:
a. Attempt to contact department … (to) make the first attempt to un-publish the compromised site;
b. If department can’t be contacted … or if malware is being distributed through the compromised site … un-publish the compromised site.
Exceptions:
While there are rare exceptions to the approach referenced above, those exceptions involve either:
• An apparent breach/ exposure of Personally Identifiable/ Sensitive and Protected Information (PII/ SPI) that require an immediate disconnect or similar response;
• An apparent Denial of Service (DoS) attack that also requires an immediate disconnect or response.
Hopefully this helps clarify the standard approach that we use in responding to such incidents from the perspective of customer communication.
Q: For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?
A: Yes we follow our standard change management processes for changes to the datacenter. Change would go through CAB/TAT. Notifications will be posted on IT alerts. If an outage of Co-Lo services is required we would reach out to co-lo customers. There is no need for a maintenance window at this time. If a maintenance window is needed in the future IT will update the SLA and give co-lo customers at least 90 days’ notice.
Q: 3.2 Is there any training or certification that should be required for qualified personnel?
A: Yes we give co-lo customers training before they begin using the service and upon request. I will update the SLA.
Q: 4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?
A: Yes. We will notify customers of any maintenance that may impact them. At that time we will discuss customer requirements.
Q: 7 Same question as 4.2 related to input into changes in maintenance windows.
A: After seeing this question for the second time I think it would be best to update the SLA with the appropriate information. I will update the SLA.