Hi, UNM has an incident response plan that was developed as a standard response for all information security incidents related to ERP and ERP components. In addition, there are specialized incident response plans that have been developed for units with requirements to do so, for example, the Payment Card Industry (PCI) incident response plan. For 2.1.2 Bullet 1, an example of an incident where the department would be responsible for costs associated with responding to an incident is: if a staff member in a department made an unauthorized copy of Personally Identifiable/ Sensitive and Protected (PII/ SPI) information, the department where that employee works would bear the responsibility of paying investigatory costs that the investigative body requires (such as when Internal Audit requires forensics analysis be conducted on that employee’s computer(s)). In addition, if there were a disclosure/ breach of that PII/ SPI where the UNM investigative body determined that Identity Theft Protection services are required as part of UNM’s response, the department would be responsible for those costs, as well. Section 6 reads: This section intentionally left blank. This is related to an incident against the service, not an information security incident. We do distinguish between minor and major incidents. An example of a minor incident is: a virus infection on a workstation where there were Antivirus definitions available that would have prevented an infection if the definitions had been updated, where that workstation has no PII/ SPI, and the workstation was not used as part of an attack on third parties or internal services. An example of a major incident is: a device on the UNM network that was not patched, was taken over by an unauthorized third party, was used to attack other third parties, was used to attack other UNM internal resources, and/ or was used to access and/ or exfiltrate PII/ SPI for which UNM is responsible. Stolen and lost UNM-owned devices, or devices storing PII/ SPI for which UNM is responsible, must be reported to Safety and Risk Services (and stolen devices reported to UNMPD). If PII/ SPI was stored on that device, Safety and Risk Services notifies the ISPO so that we can assist the appropriate UNM entities in responding to any potential or actual breach, as required for the type of PII/ SPI involved.

• This reply was modified 8 years, 4 months ago by base. Reason: Last of the formatting edits

Hi, I think the point you raised is certainly worth further discussion, and my recommendation is that this point be addressed by the leadership teams performing the final SLA review. I agree that moving the billing and payment discussions to a different area would enhance the incentive for units to bring issues forward based on standard criteria, without the risk of financial impact beign a potential consideration. I also appreciate the points you have made regarding ATPs; although, it is worth noting that UNM’s unpatched vulnerabilities are the primary cause of incidents, which are significantly easier to leverage than ATPs.

• 2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

This is an excellent suggestion – I’ll bring that forward.

• Is there a link to Information Security Incident Response MOU, and does that MOU describe the consequences of being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?

The MOU will be posted – I believe in the next round of submissions, once it is converted to the new template.

• I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

The reference has to do with the authority of Audit, etc., to perform their work, not as a reference to Information Security and Privacy.  The relationship of the bodies authorized to conduct investigations came up several times, and this was inserted as part of the clarification.

• Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

These are on request.

• It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.

This is another good suggestiong – The Information Security and Privacy Office has been publishing internal specifications for services, and it seems as if those align with what you’re suggesting here.  Those that can be published (publically, that is), like the vulnerability management program, are being published to it.unm.edu/security pages.  Those that require it will be behind authentication.  Does this seem like a good fit

• This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

At this time, these services are provided by-request only.  There are other services we provide – at no cost, that involve evaluating UNM security posture/ the posture of internet facing services.  The vulnerability management program describes some of the techniques and approaches involved.

• Is seems like this bullet is misplaced in 3.2 Customer responsibilities: “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”

I think this is part of the updated SLA template – I’ll ask for this to be reviewed.

• Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

I’ll ask that this be taken up as well.

• “Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.

This is another good comment.  We needed to make sure we covered the fact that we won’t have expertise in all applications, and will rely heavily on departments for any required specialized knowledge in non-standard applications.  I think the specification process is one way to handle these (specifications can be requested from IT).

• Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.

Absolutely.  As much as possible, standardizing the common things we do will help us focus our limited resources.

<div class=”bbp-reply-content”>

• Section 2.1.  Define “security posture.”

We’ll provide a definition.

• Section 2.1.  To whom will the “prioritized list of vulnerabilities” be provided?

To the customer.

• Section 2.1.  “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management. “    Which management?   Of the unit requesting the scan?  Central IT management?  Clarify.    Also, what does “formally transfer ownership” mean?

To the management area responsible for the data in question.  For example, the UNM Registrar, for FERPA data.  The risk transference takes the form of a memorandum of risk transference.

• Section 2.1.  Are security scans/assessments conducted only following a (service) request by a  unit, or can IT initiate a scan/assessment and then bill the scanned unit?

Security assessments as defined in this service only take place at the request of the unit.

• Sections 2.1.2, 3.1, 6.3, etc. “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers,  Schools, and Departments are all ‘units.’

We’ll recommend this change.

• Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.

This is conducted in an in-person meeting with any appropriate stakeholders (depending upon the scope and nature of the breach).  Details of this process are in the MOU that will be provided in this forum.

• Section 6.1.  What is the hourly rate for using UNM IT consulting services to investigate a  security breach?    Provide a pointer for current costs associated with this specific level of service.

This will be updated in the SLA but is also posted in the service catalog: $150/ hour time and materials.

• If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response?  This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.

Breaches are not generally covered by this SLA, but are covered in the MOU, which is forthcoming once it is put into the updated SLA template.

• Section 6.1.  “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.”   How will cases where there is joint  (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated?

Not all breaches will result in a bill, but the answer will depend upon the specifics of a given security incident.

• Two use cases:  (i)  a server that is current on all OS security patches is nevertheless hacked;

Dependencies could include whether there were phished administrative credentials, insufficient security configurations implemented, etc., but will depend upon the specifics of a given security incident.

• or  (ii) a departmental  server that is not current on current OS security patches is hacked, but concurrently, it is  determined that the network configurations interfacing to that server were improperly set up  by another unit at the time of building construction.

Root cause analysis would be separate from any billing considerations.  Root cause analysis is critical to prevent recurrence and improve security posture over time.

</div>

Hi Chad,

The customer would be considered part of the stakeholder group from the outset of the engagement.

Jeff

Hi Chad,

I can answer the Assessment SLA-specific questions.  I am forwarding your comments on the SLA template language to the agreements committee, and your comments on Help.UNM to our service/ incident process owners for review.

Below are responses the Security Assessment SLA-specific comments.

• 2.1 – Will these assessments occur at the department’s request only?</span>
• Yes – for-fee assessment services are not performed except at the request of departments.
  If they are UNM IT originated, what SLAs, processes, and costs apply?
• 2.1 – Where is the MOU (link) mentioned?

MOUs are not part of the current process, but the MOU/ agreement referred to will be posted to the community for feedback.

• 2.1  – Are any of the scans/reports cloud-based?</span>

Yes, in that we conduct assessments from both on and off campus.

• 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure? </span>

Those issues will be identified in a report provided to the department.

For the example, an incident would be opened, which is separate from the assessment requested by the department.  That incident would follow IT’s standard incident response proedures.

• What is resolution process if vendor or customer disagrees with the assessment as to the severity of a vulnerability?

Customer may document the discrepancy in a memorandum of risk-acceptance.

• If service interruption was in error, what will be the cost if any to the customer?

Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

• 2.1  Request for change- “comply with directions”   “Utilize directions from” …..

We will consider clarifying wording change.

• 3.1 – Could we get an example statement of work?

We will provide a template SoW in the service catalog.

• 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?

All times are mutually agreed to before scans are conducted.

• 4.1 –  Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if service break occurs due to scans/assessment?

Information Security and Privacy staff are on call 24X7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.

• It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline.  Given that choice, a loss of service could not be declared an Incident by the customer.

(From above) Security assessment services can include assessments that are low-risk of interruption, and high-risk of interruption.  These would be scoped in or out, or scheduled at a time that is least impactful to the customer.

• 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?

(From above) Information Security and Privacy staff are on call 24X7; either the identified point of contact for the engagement or the on-call staff can cease/ pause the scanning component of an assessment.

• 5.2 – Will customers be able to determine who has been assigned the request?

Only for an identified point of contact, if one is agreed upon.

• Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?

The incident would be recorded against the assessment service.

• 9.2 who are the primary stakeholders? Is that the ‘customer’ and UNM IT?

Additional stakeholders could include regulatory bodies and data stewards (e.g., the UNM Registrar, for FERPA data; or the UNM Treasurer, for Credit Card data).

• This reply was modified 8 years, 5 months ago by base. Reason: re-word sentence to clarify