?
Solved

security SLA examples

Posted on 2014-08-15
2
Medium Priority
?
801 Views
Last Modified: 2014-08-26
When defining SLA’s for a contract whereby a 3rd party SaaS provider will manage your application and data, what types of security SLA’s do you build into this, can you give perhaps a set of example security SLA’s just so I can get my head around the types of thing built into such contracts. I understand SLA’s from a performance and availability (i.e. uptime standpoint), but not so much from a security angle, so some examples would be most useful.
0
Comment
Question by:pma111
2 Comments
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 40264717
Availability, responsiveness, quality and communication are important elements to consider for any service provider SLA

One of the most critical service-level guarantees is uptime percentage.
-e.g 99.5% uptime means that your site can potentially be down for 216 minutes per month without any penalty for the service provider. It is critical to understand what the service provider considers to be downtime.
how fast the service provider will respond to your service requests,
-how long upgrades will take,
-how fast service providers will detect and report problems

how the service provider will be penalized if the service-level guarantee is not met.  
-In most cases it simply means the service provider won’t bill you for that period of time.

provide for a number of standard service requests per month
-a number of emergency service requests per month
-reports to customers on bandwidth utilization, uptime analysis and log management
-offer the most up-to-date configuration online for your review  
-receive daily, weekly or monthly reports based on your firewall, IDS or VPN logs
-ad hoc or custom reports so you can perform troubleshooting or forensic analysis
-assured of backups of all configurations

can check out some article on meaningful SLA metric (which I think can be quite uniform for SaaS as well)
http://www.hpl.hp.com/techreports/2005/HPL-2005-218R1.pdf
http://www.sans.org/reading-room/whitepapers/standards/internal-sla-service-level-agreements-information-security-548

but do focus on the data ownership (privacy/confidentiality/insurance) and breach handling (liability of provider, punitive acts, corrective act/compensation)
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 1000 total points
ID: 40266084
Notice, public clouds are controlled by a 3rd party and resources/services on them are essentially
rented to you, so be careful with the legal documents, up-time is very important, good support is vital and Backup plan
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
How to fix a SonicWall Gateway Anti-Virus firewall blocking automatic updates to apps like Windows, Adobe, Symantec, etc.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question