Forum Replies Created
elisha (Participant)
2.1.1.1
“Supported by Microsoft BAA (Business Associates Agreement) on FERPA and HIPAA compliance;” – Does this mean it is approved as a location (OneDrive) or transfer tool (email) for FERPA and HIPAA data?
I’m not sure why this is part of the e-mail SLA: “Ensure participation in IT Agents”
2.1.1.2
It seems like the description of support resources would be better in a support section than an “End User Requirements” section.
Similarly, granting access to the calendar seems more like a feature than an end user requirement.
2.1.2
“For security reasons, messages with certain file types attached will not be delivered. See this list for more information;” It would be helpful if the user received a message of non-delivery. I had some issues a while back with an HR form that quietly failed to deliver whenever I sent a message with it as an attachment.
“Integration with systems and applications are not covered by this service SLA.” Especially if this SLA also includes OneDrive and possibly SharePoint, it would be helpful to know where to look/start for conversations about integration.
8 Unless the plan is to start billing for e-mail and calendaring, this section may not be that relevant to this SLA.
elisha (Participant)
On demand snapshot and recovery would make this a usable service for us.
elisha (Participant)
I see a few asterisks at the end of sentences that suggest there is a footnote or disclaimer, but I can’t find what they are referencing.
Under 2.1, would it make sense to include storage and tablespace monitoring? What about performance monitoring?
2.1.2 – is migration of data from production to integration or some other form of data refresh on integration systems part of the “Data recovery” portion of the service, or should that be spelled out separately?
Is application of special configuration changes for the database(s) limited to vendor-recommended changes, or are other departmentally determined specialized configurations covered? e.g. a peer or industry recommendation not specifically endorsed by the vendor?
I’m assuming more tuning is possible as a paid consultation?
2.2.2 – When recommending the amount of CPU, RAM, storage etc. needed to right size a database, is there a process for resolving that or evidence collection practices that would help departments analyze the need?
3.1 – add bullet “Plan database upgrades with the contracting department” ?
Would it be good to add in there somewhere that database availability and hosting can be purchased to comply with any of the data center tiers defined in the Data Center standard?
elisha (Participant)
2.1 – For departments paying for a full rack, can UNM IT limit equipment installed into that rack to equipment owned/operated by the contracting department?
2.1.1 – Is NATing of equipment in the rack supported so that we can limit exposure of traffic between web servers and database servers, for instance?
“Refrain from bypassing or circumventing security (firewall rules);” – I suggest something like “Will engage IT security and IT Networking as appropriate on all proposed changes to security (firewall rules)”
2.2.1 – Add “Meet or exceed UNM Data Center Standard requirements for a Tier 4 facility”? If not Tier 4, perhaps you could specify which tier it satisfies.
3.1
More definition of this would be useful: “Communicate and deactivate network access for hosts and/or network segments when infection or violation of security policies are identified;”
Where will reports on performance be accessible?
For Scheduled Maintenance, is all Change Management and notification through CAB or are there other venues? Are processes for standing maintenance windows, scheduled maintenance, and emergency maintenance requests documented somewhere?
3.2 Is there any training or certification that should be required for qualified personnel?
4.2 Can department owners of racked equipment participate in service exception planning via CAB or some other process?
7 Same question as 4.2 related to input into changes in maintenance windows.
elisha (Participant)
1. It might be a good idea to specify in the General Overview what kinds of machines may take advantage of this.
It says in 2.1 that it is “Available for data stored on servers connected on the campus network;” Does that mean any fixed computer in any location on the campus network, or do the servers have to live in the data center?
Can the number of backups/duration of retention be extended?
How far away from the data center is the offsite backup? Is it far enough away to safely assume data continuity in the face of a major regional disaster?
How is the integrity of backups monitored/measured? Is that a UNM IT function or an End User one?
Are on-demand snapshots possible?
2.1.1 – “Maintain and ensure devices have up-to-date virus/malware and protection and operating system (critical) updates installed within one week of vendor distribution;” This is not always possible for major systems.
2.1.2 – “Customers must purchase additional storage prior to exceeding capacity;” is there monitoring that notifies end users when limits are being approached?
2.2.2 – same question as I have on other SLAs regarding selection of 99.9% uptime for this service, how it is measured, etc. Are new backups triggered automatically when they fail due to backup service downtime?
elisha (Participant)
2.1 Does this use the Cascade system, or something else? Should it use Cascade? Is there a webservice that could be queried?
2.1.1 – Where should department IT go for triage scripts if they are going to support this service?
2.2.1 – Is there an upper bound on the number of days? How do things get escalated?
2.2.2 – I see 99.9% availability in most of these SLAs. Is this a default or service specific? Is this measured? What is the process for measurement? How are acceptable availability levels determined?
3.1 – Are there billable services associated with this service? Which ones? What is the need for the billing portal in association with this?
3.2 This seems irrelevant to a directory service? “Maintain appropriate staff expertise in the maintenance and support of any customer supported equipment and/or applications;”
elisha (Participant)
Is there a proposed timeline for compliance, and when would the Office of the CIO like any variations from the standard to be filed? Is there a standard template for filing an exception? I’m also wondering what manner of communication is preferred for confirming data center standard tier.
Under Process for Review or Update of the Standard, I’m not clear about this language:
“Process documentation development
Each site will have policies defining roles, responsibilities, and performance standards
Each site change will require a review and update of all documentation
Site Books will be developed for each site covering all tasks and responsibilities required to support that site. This will include all policies, site standards, and procedures”
Does site refer to a Server Room or Department? This would make sense to me, but I couldn’t tell if it was referring to a service owner responsibility or a process for refining this document.
- This reply was modified 8 years, 10 months ago by elisha.
elisha (Participant)
2.1.1.2 “Will utilize departmental (local) IT contact for first level triage of incidents and service requests, when available;”
Is there a triage document or some troubleshooting process local IT departments should follow? I’m not sure what I would tell an end user who was having trouble with LoboAlerts other than direct them to call 7-5757.
2.2.1 “Delivery times and delivery completion cannot be guaranteed due to differences among the carriers and an individual’s location and data coverage;”
This is understandable. Notifications are sometimes confusing when they are sent out for stale events. It might be good to define text messages as the avenue for active events, and e-mail or some other channel for events that are reported 12-24 hours or more after the event.
“Service uptime guaranteed by Vendor at 99.90%, subject to scheduled updates and maintenance, to be monitored by UNM IT;”
Is this boilerplate, or actual? Do we want more 9s for an emergency notification system?
3.1 Billing – again boilerplate language that may not apply to this service, or should be reworded to specify who is being billed?
elisha (Participant)
Do we have a list of Enterprise IT Vendors somewhere? How does a vendor get added or removed from this list? What happens to departmental agreements when/if new Enterprise Vendors are defined?
Does this SLA apply to anyone other than the “Central IT” unit?
2.1: How is redundancy determined and how is it eliminated? What is the process for stakeholder involvement in that decision? “Reduce and eliminate redundant Enterprise IT contracts;”
2.2 Service Level Performance is left blank. My understanding of an SLA is that it should have measurements, metrics and consequences for not meeting target service standards.
Perhaps this is hard to define because it is more of an operational function of the central IT department than a customer facing service. If that is the case, I’m not sure why it’s being defined with an SLA.
elisha (Participant)
General question, will the process for providing input into which software titles are needed be put into this SLA?
2.1.1 – This seems fine, but it would be helpful to have compatibility and known issues listed with the software at the time of download/purchase.
“Assumes sole responsibility for the compatibility of software with other applications and any other integrated devices.”
2.1.2 – Would it save you time to list what support is available from where with the software titles on the download page?
3.2 I guess this is boilerplate language since I’ve seen it in other drafts, but this doesn’t seem like a customer responsibility: “IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements;”
9.1 – Will the process for requesting new software on pod and lab machines be put into this SLA or a different one for Pods?
elisha (Participant)
2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?
Is there a link to “Information Security Incident Response MOU”, and does that MOU describe the consequences of something being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?
I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?
Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?
It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.
This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.
It seems like this bullet is misplaced in 3.2 Customer responsibilities:
“IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”
Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?
“Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” – Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.
Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.
elisha (Participant)
I have the same question. My understanding was that everything posted had to be reviewed and commented on by today?
elisha (Participant)
Can this document start with a definition of telephone services? Does it include mobile? Internet telephony? Where is the line between a Skype call and a Skype video call? Is usage of internet VOIP systems, voicemail, call forwarders, etc. allowed or excluded under this SLA?
2.1.3 – are services and devices purchased from areas other than UNM IT prohibited, or just not supported? The distinction is important. This gets to the question about whether the SLA is describing an exclusive service or a service being offered by one department with choice if the service doesn’t meet the department need.
2.2.2 – 99.9% up time seems very low for a phone service. Is an outage of 1.5 minutes/day or almost 9 hours/year acceptable? Is planned maintenance included in that calculation?
2.2 – Can the SLA define service levels associated with maintenance and installation in addition to up-time? What for example are the roles and response times related to moving/installing phone lines, etc.? What is the response for incidents affecting a single phone or building vs. the system as a whole?
3.2 – What is GNAV? Who needs to pay for licensing and training?
“Provide thirty day notice for special events and moves that involve more than six phones;” – this is not always possible. Is there an emergency request process?
5.2 – Now I see that you have defined some service levels for service requests. Is there any escalation process for phone moves when they cannot wait 10-13 days?
6.1 – How is culpability determined for incidents? How are disputes managed?
7 – What is the process for notification and negotiation related to changes in the maintenance window?
elisha (Participant)
This is a general question related to all of the SLAs, but I’m especially interested in the answer as it pertains to this one. The KSA report defined “Enterprise” as something that is “Exclusively offered by a Central Entity.” Does adoption of this SLA, then, force adoption of Central IT hosting for all websites, or is this SLA an attempt to describe a service that is currently offered as an option for departments? Some definition of that in the scope would be helpful.
Under Metrics & Logs, I am not familiar enough with cPanel to know specifically what they are referring to, although I can guess. It does raise the question, though: should the SLA be describing features of the product (help documentation) or should it be more focused on what services are being provided and what level of service users should expect?
Under the section UNM IT provides:
I would specify that “Support services via UNM IT Service Desk” are limited to support of this as a service, and not applicable to support for end users of the department’s web sites or services, unless the intention is to triage those at the support desk.
Is any level of “systems operations” a shared responsibility? What are the limitations of access and configuration available to end users?
Can we get more definition on “Basic system level backup processes and disaster recovery;” Does this include off site backups? With what frequency? How is Disaster recovery handled? Are on-demand snapshots possible?
How are notifications handled for up/down monitoring?
2.1.1 – If a department does not want to adhere to the bullets listed (I don’t recommend it, but it happens), they should use a different service? I know this isn’t the intention of this SLA, but it seems like it would be more universally beneficial to have a collaborative group define what the branding, security, documentation, administration, etc. standards are for departments supporting web sites and services.
Is there a way for departmental admins to perform ad hoc snapshots and restores of their systems? This has been critical for some of our web applications.
Is there an effort to create web standards for anything other than the PHP/MySQL? If the intention is to move websites to an exclusive service, limiting the boundary to PHP/MySQL may just create incentives for people to use Ruby or ASP or something else.
24 hour notice of suspension of service is very short. I know there are emergencies, but the provision just says failure to comply with the agreement, which could mean anything from an egregious failure to a website using more than the allowable storage. It would be good to see something that outlined the levels of infraction and escalation response.
2.2.1 – can we be more specific than “a few days”?
3.2 – if the service features are documented in the service catalog, what are the terms for updating the service features and catalog under the SLA? Should the SLA be product specific to cPanel and Softaculous, or more descriptive of the services those programs provide?
Under “Bring to the Customers’ attention any situation in which extra time is required of UNM IT” what are the correlated responsibilities of IT when extra time is required due to lack of Central IT staff planning, knowledge, or implementation practices? How is fault determined? What happens when it is shared?
4.3 Escalation – What recourses are available to the customer beyond contacting the service owner?
7 – How are changes to the maintenance window negotiated with customers?
Thanks, Tuan. Please don’t take any of these comments to be dismissive of the work that has already gone into this document. It just seems to me that an SLA should include more definition, especially if we are heading toward exclusive provision of services.
elisha (Participant)
If I understand correctly then, “UNM IT” in this document refers exclusively to the “Central UNM IT department”, and not to UNM IT services in general. My concern related to the lack of specificity in this document has to do with the definition of “Enterprise services” as defined by KSA – a service offered exclusively by a central entity. By extension “Exclusive” would suggest that other departments do not offer this service.
As it relates to provisioning of IT service by contract to external entities, “UNM Central IT” is not an exclusive provider in the current state. There are many contracts and grants at UNM that are providing IT Consulting and Professional services to other areas. UNM Extended Learning, for instance, has multimillion dollar contracts with the state of NM to run programs for PED and CYFD, and a portion of those contracts has IT services provided at the department level specified. The definition of this gets even muddier when research funded projects are considered.
This SLA seems fine if it is defining the services offered by one UNM department. If it is defining an enterprise process for anyone engaged in providing IT services to external agencies, it needs more work.