2.1.1.1
“Supported by Microsoft BAA (Business Associates Agreement) on FERPA and HIPAA compliance;” – Does this mean it is approved as a location (OneDrive) or transfer tool (email) for FERPA and HIPAA data?

I’m not sure why this is part of the e-mail SLA: “Ensure participation in IT Agents ”

2.1.1.2

It seems like the description of support resources would be better in a support section than an “End User Requirements” section.

Similarly, granting access to the calendar, seems more like a feature than an end user requirement.

2.1.2
“For security reasons, messages with certain file types attached will not be delivered. See this list for
more information;” It would be helpful if the user received a message of non-delivery. I had some issues a while back with an HR form that quietly failed to deliver whenever I sent a message with it as an attachment.

“Integration with systems and applications are not covered by this service SLA.” Especially if this SLA also includes OneDrive and possibly Sharepoint, it would be helpful to know where to look/start for conversations about integration.

8 Unless the plan is to start billing for e-mail and calendaring, this section may not be that relevant to this SLA.

I see a few asterisks at the end of sentences that suggest there is a footnote or disclaimer, but I can’t find what they are referencing.

Under 2.1, would it make sense to include storage and tablespace monitoring? What about performance monitoring?

2.1.2 – is migration of data from production to integration or some other from of data refresh on integration systems part of “Data recovery” portion of the service, or should that be spelled out separately?

Is application of special configuration changes for the database(s) limited to vendor-recommended changes, or are other departmentally determined specialized configurations covered? e.g. a peer or industry recommendation not specifically endorsed by the vendor?

I’m assuming more tuning is possible as a paid consultation?

2.2.2 – When recommending the amount of CPU, RAM, storage etc. needed to right size a database, is there a process for resolving that or evidence collection practices that would help departments analyze the need?

3.1 – add bullet “Plan database upgrades with the contracting department” ?

Would it be good to add in there somewhere that database availability and hosting can be purchased to comply with any of the data center tiers defined in the Data Center standard?

1. It might be a good idea to specify in the General Overview what kinds of machines may take advantage of this.

It says in 2.1 that it is “Available for data stored on servers connected on the campus network;” Does that mean any fixed computer in any location on the campus network, or do the servers have to live in the data center?

Can the number of backups/duration of retention be extended?

How far away from the data center is the offsite backup? Is it far enough away to safely assume data continuity in the face of a major regional disaster?

How is the integrity of backups monitored/measured? Is that a UNM IT function or an End User one?

Are on-demand snapshots possible?

2.1.1 – “Maintain and ensure devices have up-to-date virus/malware and protection and operating system
(critical) updates installed within one week of vendor distribution;” This is not always possible for major systems.

2.1.2 – “Customers must purchase additional storage prior to exceeding capacity;” is there monitoring that notifies end users when limits are being approached?

2.2.2 – same question as I have on other SLAs regarding selection of 99.9% uptime for this service, how it is measured, etc. Are new backups triggered automatically when they fail due to backup service downtime?

Is there a proposed timeline for compliance, and when would the Office of the CIO like any variations from the standard to be filed? Is there a standard template for filing an exception? I’m also wondering what manner of communication is preferred for confirming data center standard tier.

Under Process for Review or Update of the Standard, I’m not clear about this language:

Process documentation development

Each site will have policies defining roles, responsibilities, and performance standards

Each site change will require a review and update of all documentation

Site Books will be developed for each site covering all tasks and responsibilities required to support that site. This will include all policies, site standards, and procedures”

Does site refer to a Server Room or Department? This would make sense to me, but I couldn’t tell if it was referring to a service owner responsibility or a process for refining this document.

• This reply was modified 8 years, 3 months ago by elisha.

Do we have a list of Enterprise IT Vendors somewhere? How does a vendor get added or removed from this list? What happens to departmental agreements when/if new Enterprise Vendors are defined?

Does this SLA apply to anyone other than the “Central IT” unit?

2.1: How is redundancy determined and how is it eliminated? What is the process for stakeholder involvement in that decision? “<span style=”line-height: 1.5;”>Reduce and eliminate redundant Enterprise IT contracts;”</span>

2.2 Service Level Performance is left blank. My understanding of an SLA is that it should have measurements, metrics and consequences for not meeting target service standards.

Perhaps this is hard to define because it is more of an operational function of the central IT department than a customer facing service. If that is the case, I’m not sure why it’s being defined with an SLA.

2 Service Description – I note that the service catalog has the standard $150/hour rate for security services, including Purchasing Review. Given that security review is a requirement for most IT purchases, is there a way for departments to estimate these costs and/or centrally provision the IT Security office appropriate budget to perform this required service?

Is there a link to “<span style=”line-height: 1.5;”>Information Security Incident Response MOU”, and does that MOU describe the consequences of </span>something<span style=”line-height: 1.5;”> being listed as an information security incident? How is the process for resolution described? Perhaps this would be better defined as part of the SLA itself?</span>

I don’t see a description of IT security in Regent Policy 7.3. Is that the correct policy?

Under 2.1: are the IT Security features described part of a centrally funded base service, or are those delivered individually, and on request?

It would be helpful to have a basic security SLA or standard that would be collaboratively developed and others could reference. I would see this including security expectations for anyone managing or overseeing IT assets at UNM. This could cover things like IT and information security practices for servers and workstations, software patches, responses to UNM announced 0 day exploits, etc.

This relates to 2.1.1 and 2.1.2 – It seems to me that UNM should have a stake in requiring certain levels of security. Are units that do not request services exempt from this SLA? I wouldn’t think that would be preferable.

Is seems like this bullet is misplaced in 3.2 Customer responsibilities:

“<span style=”line-height: 1.5;”>IT Strategic Advisory Committee to collaborate with UNM IT on the service framework to satisfy the University of New Mexico business requirements.”</span>

Related to that bullet though, shouldn’t there be some IT governance body on campus that includes IT staff who are actually affected by decisions and SLAs that can help to vet, develop and discuss them? Short of that, shouldn’t there be a defined path for escalating issues and communicating needs from IT personnel to the Strategic Advisory Committee?

“<span style=”line-height: 1.5;”>Maintain appropriate staff expertise in the support of any Customer equipment and/or applications;” – </span><span style=”line-height: 1.5;”>Perhaps this statement could be collaboratively expanded into a working set of security expectations for IT providers and consumers on campus.</span>

Some of these definitions could also set up the conditions for fast track reviews and assessments along the lines of requests meeting certain information requirements could have a quicker security response.

Can this document start with a definition of telephone services? Does it include mobile? internet telephony? Where is the line between a Skype call and a Skype video call? Are usage of internet VOIP systems, voicemail, call forwarders, etc. allowed or excluded under this SLA?

2.1.3 – are services and devices purchased from areas other than UNM IT prohibited, or just not supported? The distinction is important. This gets to the question about whether the SLA is describing an exclusive service or a service being offered by one department with choice if the service doesn’t meet the department need.

2.2.2 – 99.9% up time seems very low for a phone service. Is an outage of 1.5 minutes/day or almost 9 hours/year acceptable? Is planned maintenance included in that calculation?

2.2 – Can the SLA define service levels associated with maintenance and installation in addition to up-time? What for example are the roles and response times related to moving /installing phone lines, etc.? What is the response for incidents affecting a single phone or building vs. the system as a whole?

3.2 – What is GNAV? who needs to pay for licensing and training?

“<span style=”line-height: 1.5;”>Provide thirty day notice for special events and moves that involve more than six phones;” – this is not always possible. Is there an emergency request process?</span>

5.2 – Now I see that you have defined some service levels for service requests. Is there any escalation process for phone moves when they cannot wait 10-13 days?

6.1 – How is culpability determined for incidents? how are disputes managed?

7 – What is the process for notification and negotiation related to changes in the maintenance window?

If I understand correctly then, “UNM IT” in this document refers exclusively to the “Central UNM IT department”, and not to UNM IT services in general. My concern related to the lack of specificity in this document has to do with the definition of “Enterprise services” as defined by KSA – a service offered exclusively by a central entity. By extension “Exclusive” would suggest that other departments do not offer this service.

As it relates to provisioning of IT service by contract to external entities, “UNM Central IT” is not an exclusive provider in the current state. There are many contracts and grants at UNM that are providing IT Consulting and Professional services to other areas. UNM Extended Learning, for instance, has multimillion dollar contracts with the state of NM to run programs for PED and CYFD, and a portion of those contracts has IT services provided at the department level specified. The definition of this gets even muddier when research funded projects are considered.

This SLA seems fine if it is defining the services offered by one UNM department. If it is defining an enterprise process for anyone engaged in providing IT services to external agencies, it needs more work.