Reply To: Department Web Hosting SLA

#84
erooney
Participant

2.1:
HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

2.1.1 bullet 2:
Ensuring that the hosted web sites are secure and updated is a shared responsibility, with end users responsible for things like secure code and keeping WordPress installations up-to-date, and web infrastructure security a responsibility of the hosting provider.

2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation?

Example:
YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

[1] Scheduled updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

[2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place, allowing users to make backups?

3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

Thanks,

Eugene