susier

Forum Replies Created

Viewing 8 posts - 1 through 8 (of 8 total)
  • in reply to: Datacenter – Backup Services SLA #502
    susier
    Participant

    CARC Systems comment: 2.1.2 states that “customers may not exceed previously agreed upon storage capacity when using the backup and restore service; Customers must purchase additional storage prior to exceeding capacity”. This seems to be a bit backwards: users may not realize that they are exceeding capacity, for example, until after they have finished a storage task. Why not adopt a “clean up or pay up” policy to give the user the option to expand their capacity within a certain timeframe of a notice?

    in reply to: Datacenter – Backup Services SLA #500
    susier
    Participant

    CARC Systems comment: 2.1.1 seems to indicate that the end user (UNM unit?) is responsible for monitoring log files for failures: This seems like it should be a part of the service provided. It should not be the user’s responsibility to monitor this and report errors in backups— it should be the other way around.

    in reply to: Email and Calendaring SLA #498
    susier
    Participant

    CARC Systems comment:

    Under 2.1.1 (very) strong passwords are explicitly forbidden. Why artificially limit passwords to 20 characters?

    in reply to: Email and Calendaring SLA #496
    susier
    Participant

    CARC Systems comment: There should be some verbiage to cover cases where (for security and other reasons), a unit is not using these services (e.g. email or calendaring); no charges should be incurred.

    in reply to: External Vendor SLA #129
    susier
    Participant

    Further to tjm’s comment, the title of this SLA should probably be changed to better reflect that this SLA governs services provided BY IT (as a vendor) to an external customer.

    in reply to: Department Web Hosting SLA #128
    susier
    Participant
    • Recommend replacing “Department” with the more general “academic unit” throughout.
    • $75/hour charge should be a link to a separate schedule that will be updated periodically, rather than being hardwired into the SLA.
    in reply to: Telephone Services SLA #127
    susier
    Participant

    Provide a statement about phone monitoring by the University. What information is collected (or not)? Outgoing phone #s, incoming phone #s, call duration? Are the calls themselves ever monitored?

    in reply to: Security Assessment SLA #126
    susier
    Participant
    • Section 2.1. Define “security posture.”
    • Section 2.1. To whom will the “prioritized list of vulnerabilities” be provided?
    • Section 2.1. “…. A security evaluation will contain recommendations to mitigate risks and formally transfer ownership of that risk to management.” Which management? Of the unit requesting the scan? Central IT management? Clarify. Also, what does “formally transfer ownership” mean?
    • Section 2.1. Are security scans/assessments conducted only following a (service) request by a unit, or can IT initiate a scan/assessment and then bill the scanned unit?
    • Sections 2.1.2, 3.1, 6.3, etc. “Department” should be replaced by “Unit” or “Academic Unit” where applicable. A Center or a School is not a ‘department’, for example. However, Centers, Schools, and Departments are all ‘units.’
    • Describe the process that the security teams will follow when contacting unit-level support to inform them a breach has occurred.
    • Section 6.1. What is the hourly rate for using UNM IT consulting services to investigate a security breach? Provide a pointer for current costs associated with this specific level of service.
    • If a machine is breached within a unit, and the unit reports the incident to UNM C-IT, will the unit get billed in response? This would seem to discourage (‘punitive’) rather than encourage such voluntary reporting.
    • Section 6.1. “Time spent on resolving incidents that are end-user caused will be billed to the appropriate party at current hourly rate, including travel time. Material will be billed along with any associated expenses incurred to remedy the Incident.” How will cases where there is joint (cross-unit) or no obvious ‘end-user’ responsibility be handled/adjudicated? Two use cases: (i) a server that is current on all OS security patches is nevertheless hacked; or (ii) a departmental server that is not current on current OS security patches is hacked, but concurrently, it is determined that the network configurations interfacing to that server were improperly set up by another unit at the time of building construction.