With respect to the “UNM IT Administrative Technologies Advisory Board” charter, is it intended to read as “Customer Relationship Management (CRM) report development” or are CRM and report development 2 separate technologies that the board will provide guidance on?

Should the Collaboration Tools Standard and Inquiry Tools and Analysis Standard be rolled up into a standard that encompasses the purchase of tools and products in general? Rather than write multiple standards for classes of tools, would it make sense to have this standard apply to software/service purchases in general and encourage departments/decision makers to take a look around and scan the environment before making purchases for tools that may already exist on campus.

To ease the search process, is there a catalog of software/tool purchases made on campus that includes the product, a description, cost, a point-of-contact at the department making the purchase, UNM IT security approvals, etc.?

Thanks,
Rooney

– The statement that “[t]he standard addresses the following Enterprise and Supplemental Services named by the IT Strategic Advisory Committee” refers to those items in the KSA Final Report and Recommendations (http://president.unm.edu/campus-community-engagement/information-technology-strategic-advisory-committee/ksa-final-report-and-recommendations.pdf), correct?

– Is this service for standing up a Microsoft SQL Server 20xx instance on a VM or is the service the provisioning of a database on in an existing SQL Server cluster/environment maintained by UNM IT?
– If this service is for using an existing SQL Server cluster/environment, should the SLA define how the database can be remotely accessed or managed?
– If this service is for the provisioning of a VM with a DBMS, will the user have remote access to the server?
– Can database backups be set for more granular levels of recovery should the application owners request it?
– It seems as if this SLA is blending SLAs for database hosting and the application that uses the database that UNM IT may not have any control over or may live on a different server? Is it assumed that the application and database live on the same VM?
– Should service catalog specify the versions of Oracle and SQL Server?
– Does there need to be a statement that this SLA excludes MySQL databases used by departmental web sites?
– Is there a time-to-restore that can be included in the SLA?
– The colocation SLA had a clause requiring users to disclose storage of certain types of data to UNM IT. Should that apply in this case? Should the Data Owner and/or Custodian also be notified if this hosted database will be used to store sensitive information?

– How does this apply to “shared” facilities/spaces or the different tiers of data centers defined in the proposed Data Center and Server Room Standard? What tier, as defined in proposed the Data Center Standard, does this SLA apply? Is this intended to cover collocation in UNM IT’s Tier 4 facility only?

2.1.1:
– Is it possible to provide the Colocation Facility Access Agreement as an attachment?
– Bullet items 2 and 3 need some clarification. If a department has signed the Colocation Facility Access Agreement do they still need to submit a Help.UNM ticket for access > 24 hours in advance? In cases where a department needs emergency access <24 hours, what is that process?
– Is unescorted access available 24/7 or only during business hours?
– There is text about having to “refrain from bypassing firewall rules”. This passage sounds like a requirement and should use MUST, REQUIRED or SHALL to indicate that this is absolute as defined in RFC 2119.

2.2.2:
– What specific things does this walkthrough observe? Are results of walkthrough documented and available to the customer for review?

3.2:
– For sensitive data, should Data Custodian/Owner be made aware? Is UNM IT the data custodian in these colocation instances or is the department with the server?
– If a department has less than a full rack of equip, and is located with other colocated servers, do other departments have access to our equip in the same rack or is access locked down to the unit? Do you have racks that are specific to the kinds of data being stored on them in instances a department purchases existing rack space?
– Is department access to servers escorted and only during business hours or do dept staff have access 24/7 unescorted in cases of emergencies or unplanned outages where we have failures?
– Bullet 7 reads “Contact UNM IT Service Manager for additions or changes in established service levels;”. However, section 4.3 indicates that exception go through the CIO’s Office.
– Bullet 9: Are “special data types” those listed in the Data Classification Standard? If so, reword to specifically indicate that storing any E-Class or C-Class data requires department notify UNM IT and Data Owner or Steward?

Eugene

Along those same lines, are there any discussions about what the Enterprise service offerings should be rather than just wrapping an SLA around existing services that may or may not meet campus needs? There were a couple of responses that dismissed SLA feedback as “not an SLA question” (not in the Web Hosting SLA thread), but if there are gaps or fundamental problems with the service offering this is an opportune time to engage an already-engaged community.

2.1:
HTTPS should be a standard by which ALL UNM content is served. The service should include HTTPS by default.

2.1.1 bullet 2:
Ensuring that the hosted web sites are secure and updated is a shared responsibility with end users responsible for things like secure code and keeping WordPress installations up-to-date and web infrastructure security a responsibility of the hosting provider.

2.2.2: The calculation for availability is vague. There should be specifics on the exact calculation used when determining availability.

Are network outages or degradation, as an example, part of the service and accounted for in the calculation? Are those outages part of the web service or excluded from the calculation.

Example:
YEARLY UPTIME CALCULATION = [(hours service up) / ((365.25*24) – (hours down for scheduled updates and maintenance[1]) – (hours down for emergency security updates[2]))] * 100

[1] Schedule updates and maintenance are posted at least 7 days prior to the update or occur during UNM IT’s scheduled maintenance windows described here: http://it.unm.edu/availability/index.html

[2] Patches and updates that are flagged as “critical” or higher by the vendor may be installed outside of the scheduled maintenance windows.

3.2 bullet 8: This provision risks deleting code or work product that a department may have on cPanel servers if their backup was performed prior to the cPanel snapshot reversion. A customer could be performing backups at reasonable intervals and still be harmed by this provision of the SLA. Will UNM IT notify users when a snapshot reversion will take place allowing users to make backups?

3.3 bullet 5: A department could store or host sensitive info on a non-UNM IT hosted service through a UNM IT hosted web site that would violate the spirit of this item.

I think that we are missing a bigger opportunity here where we could leverage enterprise web infrastructure, services and data (including existing institutional data assets) to allow departments to more securely collect and store sensitive information that may exist elsewhere on campus (Banner, ODS, etc.). It seems like a UNM enterprise service web service should strive to provide this environment where the end-goal is less duplication, better security, and a better understanding by the enterprise about where we are housing and storing, potentially, sensitive data.

Thanks,

Eugene