Forum Replies Created
-
AuthorPosts
-
ccovey01Participant
3.1
– most of us are inclined to support some sort of chargeback for negligence – but what would happen if the incident resulted from a state actor or advanced persistent threat? To encourage reporting of all real or potential incidents – which is ultimately what we all want – maybe investigations and remediation could be considered core-services?What we want to avoid are internal punitive repercussions that will limit reporting – things that customers fear like massive investigation costs and removal or takeover of their resources. On the other hand, perhaps this SLA can show in detail the external factors that customers should perceive as risks – regulatory and accreditation bodies, credit reporting coverage for breached accounts, etc.? Basically, make it clear to data users that internally, UNM IT will help them, that the investigation is about discovery, not punishment. But that there are serious consequences external to UNM – in those cases, they cannot dodge responsibility for negligence.
This SLA could reassure customers that UNM IT will shepherd them through a process that may not have been their fault; otherwise, their fear of internal repercussions and costs may prevent them from reporting suspected issues. Which could allow an APT to thrive on the network. There is a time and place for cost recovery, but I fear implementing it within the Security Incidents SLA will undermine the larger goal, identifying and removing bad actors from the UNM network.
- This reply was modified 8 years, 8 months ago by ccovey01.
ccovey01Participant2.1.2
– bullet 1 – could we adjust the ‘area’ language and narrow it to department’s business systems? Most departments could have the public or students using either the wireless or an Ethernet drop and an incident could occur, but those departments don’t have any control over that type of user base and their activities.ccovey01Participant2.1.2
– bullet 6 – what is the predefined set of criteria for escalation?
– Suggested criteria:
· Within 1 business day of ticket submission, requestor must receive notification identifying the assigned department (ticket owner)
· The following cycle applies to customer tickets/emails at initiation and at any point after a customer response
-After 3 business days of no response from ticket owner, Help Desk contacts owner for update
-After 3 additional business days of no response, director of owning department contacted by Help Desk for update
-After 6 days of no response, owner and director receive daily reminders from Help Desk to respond to the ticket
-After 7 business days with no response, Incident declared:
— Service Owner contacts ticket owner and owning department director for written response
— Report filed with IT SAC· Whether by policy or thru the interface, ticket owners must put response at the top of their email (we often receive Help.UNM emails with the request for information at the bottom of a very long thread of Help.UNM responses).
· All responses – ‘Holds,’ ‘Waiting for Response, ‘Fulfilled,’ ‘Closed due to Resolution’ etc., must provide details explaining the status change for the ticket.
6.3 – if customer requests a certain priority, initial ticket response must note actual priority designated, and reason for change from customer request
8 – Billing – is this applicable? If it isn’t, does it need to be included in the SLA?- This reply was modified 8 years, 8 months ago by ccovey01.
ccovey01Participant2.2.2
– beyond the annual report, is there a portal for customers to monitor network uptime and issues?
– in the past, network performance has been affected by security issues – it’s understandable that UNM would not want to publish publicly on IT Alerts what the exact cause is. Would it be possible to publish, behind a NetID site, more detailed information for the UNM IT community? With an understanding of the situation, the UNM IT community could monitor and improve their security posture, and inform end users, generally, that the issues are due to an external threat.
– would switches fall under the 2 business day failure replacement window? What happens if it’s a device affecting an entire building?3.1 and 5.1
The KSA report references cost-recovery and so it appears that departments may now need to pay for things they didn’t previously (5.1), but may also need to pay for changes initiated by Networking/Security (3.1).
It makes sense to clearly define in this SLA what services will incur charges, and what will remain core-services – if departments are paying for services, their expectations will be higher. Costs and related service expectations are then best noted here.To avoid misunderstandings, it would be useful to have a well-defined list:
– of the customer initiated requests that will incur charges (firewall changes? DNS additions?)
– of all UNM Networking initiated changes that will be charged to customers (VLAN requirements? subnet redesigns?)
-If a condition is not listed, then would customers assume it is a core-service and they are not to be charged for it?
– Bullet 2 – deactivate hosts and departments
– what is the notification process prior to deactivation?– in routine, non-emergency cases where UNM Networking or Security initiate a change that could affect departments, what sign-off or notification process would apply?
– can a department be charged for work if there was no prior sign off or notification?
– what protocol is followed if a network change interrupts a department’s established business process (assuming the process itself did not represent a security issue)?
– is there a cost to the department to remediate the change or create a workaround?
– would items 6.1 and 6.2 then apply, where an Incident has occurred affecting the department, and would be assigned a Priority designation?
–
In all cases where a charge could occur, should a customer sign off and notification procedure be documented within this SLA?- This reply was modified 8 years, 8 months ago by ccovey01.
ccovey01ParticipantItem 2 – a direct link to the service catalog item for Master Hardware would be useful, that could then link to the Dell B2B site – and via that users would see what Dell provides, discounts, etc.
2.1.1 – so that users, Purchasing, and Auditing could see it, might be useful to link in the Service catalog to exclusions already in place. E.g.,, the HP MP9s that are allowed for digital signage. Having these exclusions listed would save a lot of back and forth email between units and Purchasing and Auditing.
Not related to the SLA – could we get line breaks/basic editing added to this interface? The interface currently only allows unbroken text entry.ccovey01ParticipantAnn,
thank you for these updates. So that the campus could get a sense of the SLA process scope, could you give us the working titles of the forthcoming SLAs?
Thank you – Chadccovey01ParticipantJeff and Tuan,
One trend I see forming is the need for all SLAs to link to
- the specific service catalog/cost statement(s) that they invoke
- as well as all dependent documents, like the Incident Response document
That will help us all consider the full implications of the SLAs.
Again, thanks for your replies to the various discussions.
Chad
ccovey01ParticipantJeff,
Thank you for the replies – on the last point, so the customers would not be part of the stakeholders group?
Chad
ccovey01ParticipantTuan,
My thanks as well for taking the time to reply to all of these responses, in detail, and for being receptive to the suggestions made – Chad
ccovey01ParticipantAnn,
I think there’s some lack of clarity for the UNM community on the timelines for the SLAs:
- Is it that all or the majority of the SLA drafts must be published for comment by the end of February? With comments and redrafting, consideration by IT Agents, etc., to take place now and past Feb. 29 as is appropriate to this level of discussion?
- Or is it the case that not only the drafts, but all discussion and revision ends on Feb. 29 for all SLAs?
Thank you,
Chad
ccovey01Participant2.1.2 – Request to add- “Staff initiating long distance code requests can also see the LCD issued to the end user” – in some cases, the LCD issued is incorrect or users lose the email, this will save repeated Help.UNM requests if initiating staff can maintain their users’ LCDs and test them.
- What is time to completion for LCD creation?
- What is time to completion for phone line move/addition?
- What is time to completion for break/fix of active phone line?
3.1 What are department’s options in terms of cost recovery for loss of services?
6 – Incident
- Does the department have the ability to declare an incident? Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems?
- If the department experiences incidents, what are the department’s options in terms of escalation and revision of the SLA?
6.3 can a department communicate to UNM IT phone systems it considers critical? For example, the receptionist phone line for most departments is critical to the public being able to call that department – if its service is lost, can it be treated as a P1?
9.1 Performance and Reporting- If Targeted uptime is 99.9, shouldn’t there be a reporting interface for customers to see?
9.2 who are the primary stakeholders? In terms of the review facilitation, that’s a bit unclear. Would it be useful to do annual reviews of the SLA with the customers?
ccovey01Participant2.1 need link to backup and restore costs
3.2 – In the case of student organizations, is their local department responsible for their training?
3.2 bullet 9 – local department cannot be held financially responsible for any Web Hosting arrangement that a student organization initiated and maintains- thus need to make distinction between personal/affiliated Web Hosting and true department hosting
3.3 suggest requirement for use of functional email address, or secondary FTE contact to ensure the site is not deleted if say the primary contact graduates or separates from UNM
- This reply was modified 8 years, 9 months ago by ccovey01.
ccovey01ParticipantGeneral SLA concern – in most of the current SLAs and Service Catalog, UNM Enterprise services are offered by a single entity, there is no competitive marketplace. Given that, shouldn’t UNM customers (departments) have an equal stake in the writing and re-writing of the SLAs? And should this revision process be set annually for all SLAs and services where UNM departments are the customer?
SLA’s between customers and vendors typically feature the ability for either side to terminate the SLA – what is the escalation/termination process for UNM SLA’s between Central IT and departments? What if customers are gravely unhappy with service delivery? What if the service owner is unhappy with the customer? Is there an arbitrating body to make determinations when the service owner and departments disagree about the SLA or service delivery?Understandably, many Enterprise services now appear to have cost recovery components. Between the service catalogs and the SLAs, funds appear to flow unilaterally from the customer to the service owner. With no cost downside, there’s little incentive for the service owner to be timely or accountable. What mechanisms are in place to ensure accountability by the service owner?
- Inclusion of a 1,2, 3 strikes escalation series might be appropriate accountability mechanism – 1 to 2 incidents lead to remediation meetings and revision of SLA. 3rd incident leads to SLA termination.
- A return to the customer of the full amount or part of the fees for the service might be a necessary baseline for most SLAs and statements of work.
- In the case of a mis-routed ticket, as an example, where the customer followed the appropriate protocol, but the ticket was mis-routed, what can customers expect as compensation in terms of lost time, productivity, or funding?
- What happens if a grant is affected or lost due to an Incident?
Help.UNM appears to be the default mechanism for reporting issues and incidents, per the SLA. It does not presently allow customers to see to whom the ticket is routed, who owns it, etc.,
- To protect both the service owner and customers, perhaps Help ticket responses could by default include the routing and owner of the ticket? Mis-routed tickets do happen, and a mis-routed ticket could become very expensive to either the customer or service owner.
There seems to be a general concern about the number of SLAs appearing weekly, and little time for discussion. Given their importance, and the likely volume of comments forthcoming, would it be better to put them into some sort of document management system, like SharePoint?
- 2.1 – Will these assessments occur at the department’s request only?
- If they are UNM IT originated, what SLAs, processes, and costs apply?
- 2.1 – Where is the MOU (link) mentioned?
- 2.1 – Are any of the scans/reports cloud-based?
- 2.1 – What process will be followed if the service identifies some issue that is less critical than an unauthorized PII or SPI disclosure?
For example, if a department’s service has been interrupted due to UNM IT Security request to Networking to shut off network access to a scanned system or service, and the department then fixes the issue and reports the fix to UNM IT, how many business days does UNM IT have to complete a remediation scan and provide results to customer?
- What is resolution process if vendor or customer disagrees with the assessment as to the severity of a vulnerability?
- If service interruption was in error, what will be the cost if any to the customer?
- 2.1 Request for change- “comply with directions” “Utilize directions from” …..
- 3.1 – Could we get an example statement of work?
- 4.1 – Will departments be given the time the scans takes place, to prepare their users for potential loss of service?
- 4.1 – Vulnerability scanning tools can take servers, web sites, printers, and systems offline – what is the process to pause or cease scan(s) if service break occurs due to scans/assessment?
- It may be useful for the customer to be able to select between passive and aggressive assessments, where the customer understands the aggressive assessment will more than likely take their services offline. Given that choice, a loss of service could not be declared an Incident by the customer.
4.3 Escalation –
- Request to Add – “Customer can after 1 Incident request meeting on-site with Service Owner and Service Manager”
- Request to Add – “Customer can after 2 Incidents request review and redraft of SLA”
- Request to Add – “Customer can after 3 Incidents request termination of SLA”
- 4.3 – Will the phone number of the lead assessment technician or service owner be provided in the SoW?
- 5.2 – Will customers be able to determine who has been assigned the request?
6 – Incident
- Does the department have the ability to declare an incident?
- Within this SLA, does an interruption in the normal functioning of a service or system include the department’s services or systems that are being assessed/scanned, or is an incident restricted to only the Assessment service itself?
- Request to Add – “If the customer experiences a service interruption due to an IT Security Assessment, and the Assessment is not paused or canceled within 2 business hours after customer notifies Service Owner, an Incident has occurred.”
- Request to Add – “If the customer experiences a service interruption as a result of an IT Security Assessment, where service is removed, and the customer requests a remediation assessment, and the remediation assessment is not completed within 2 business days, an Incident has occurred.”
- If the department experiences incidents, what are the department’s options in terms of escalation and revision of the SLA?
- 9.2 who are the primary stakeholders? Is that the ‘customer’ and UNM IT?
ccovey01ParticipantGovernance Issues when Enterprise SLAs are mis-applied to supplemental services-
Can see no issue with this SLA as it applies strictly to UNM IT and its vendor relations. However, a form of this Enterprise SLA has mistakenly been interjected into department supplemental purchases. The power of a central authority to delay or stop appropriate departmental purchases should be regulated by the fair application of the appropriate SLAs. Ad hoc or incorrect application of Enterprise SLAs to departmental or supplemental services will subvert the UNM SLA process -which is to say that departments, Purchasing, and UNM IT should all be absolutely clear on which SLAs apply to what purchases.
The history below is meant to illustrate that purchasing intervention by UNM IT, whether mistaken or appropriate, can delay critical departmental purchases, nullify discounts and maintenance agreements between departments and vendors, and ultimately interfere with the internal operations and governance of UNM departments. Timeliness is crucial to the purchasing department/customer.
• What happens if a department’s grant is affected or lost due to delays caused by UNM IT purchase reviews?
• IT Agents could discuss where and how UNM IT interjects into purchases. On larger questions of governance, IT Agents with coordination from IT SAC can provide leadership. This is an opportunity to revive IT Agents and get campus-wide buy-in for SLAs and standard development.
• When UNM IT, the service owner, interjects into department purchases, a separate Purchasing SLA should immediately trigger with some of the following conditions:
• Service owner has 3 business days upon notification from Purchasing or the Customer to request documents for review.
• All documents for review should be submitted to the customer at the same time, within the 3 business day window.
• Once submitted, service owner has 3 business days to review the documents submitted by the customer or vendor. Within that window, customer should be notified whether documents are accepted or rejected. If rejected, detailed response for rejection to be submitted by service owner to customer.
• Additional document submissions by customer create 3 day window for review by service owner.
• Customer or Vendor and service owner will likely disagree on some rejections, so some sort of arbitration process needs to be clarified.
• If service owner fails to complete review in a timely manner and the purchase is subsequently canceled by Purchasing or the vendor, who will pay costs to re-initiate a purchase or maintenance agreement if discounts or other incentives have been lost due to the cancellation?
History of delayed department purchase:
• Department submitted PO, Purchasing noted that Department needed to complete security review on Dec 17th, 2015. No document was provided to the department.
• Department asked for guidance on this new process December 21st via Help.UNM
• Without explanation, ticket was put on Hold
• January 4, 2016 – Department inquires as to Hold, told to submit Security Questionnaire
• Jan 7 – Security Questionnaire submitted and accepted
• Jan 11-26 – Department and Purchasing inquire on status multiple times via Help.UNM and calling 7-5757 – no response from UNM IT
• Jan 26 – After repeated requests from Purchasing, UNM IT declares the purchase –mistakenly – a duplication of Enterprise services
• UNM IT then requests customer and vendor complete 23 page Enterprise Vendor Questionnaire. No explanation given for why this document was not provided to Department on Jan 7, the same day that the Security Questionnaire was provided.- This reply was modified 8 years, 9 months ago by ccovey01.
-
AuthorPosts