Posting for Steve Spence:
Microsoft BAA – This means (generally) that Microsoft’s offerings are technically able to be compliant with the information types identified in the BAA; however, there are two elements that always need to be enforced in addition to any vendor BAA – that the institution’s operational controls are defined, in place, and enforced, and that the appropriate technical controls are defined, in place, and enforced. While Microsoft’s solutions can technically meet those requirements defined in the BAA, UNM’s Data Owners are working with the Information Security and Privacy Office (ISPO) to clarify and codify the technical and operational controls. At the current time, the process is to request approval and authorization from the UNM Data Owner, who will review a specific request, review operational controls, and work with the ISPO to ensure that the appropriate technical controls are defined, in place, and enforced. There is more information at and more information will be forthcoming at that location as it is developed.
IT Agents – I think the intention here was to make sure the local IT support was aware of all of the avenues of communication that we typically use to inform the IT community of changes and support issues. We’ve changed the language to clarify that in the last version.
Support Resources – I see what you mean, but I don’t see an appropriate section in the current document—but it doesn’t mean we shouldn’t create one. This might be another one where it needs to be in alignment with other SLAs, so I’ll bring it back to the IT Agreements committee.
Calendar – True, but we’re really saying “Do not share your calendar details with everyone unless you really intend to.” We’ve changed the language in the final version to reflect that message.
Attachments – Agreed—I’ve had some issues obtaining data from a vendor for the same reason. We can look into that and if we’re successful we could add that as a point in the SLA, but in general I’m not sure we should get into that level of detail regarding how we’re executing a point.
Integration – It doesn’t cover OneDrive/SharePoint (just FYI) but it’s still a valid question since there are ways of doing Exchange integrations. But again, I’m not sure the SLA is the place for that level of detail, but perhaps the Service Catalog?
Billing – Good point! This is standard template language. We will share this comment back with the committee.