SLA 101: What to look for in a service-level agreement
Before you sign, let our author walk you through the fine print
Computerworld - Many IT administrators aren't comfortable handing over control of the most critical security components of their infrastructure. But in recent years, security outsourcing has become a popular and viable means of lowering the cost of perimeter security management. More and more companies are outsourcing parts of their security infrastructure, including firewalls, intrusion-detection systems and virtual private networks, to managed security service providers (MSSP).
Anyone thinking about outsourcing such a mission-critical aspect of their network should understand in detail the potential implications to their IT security infrastructure and their company as a whole. One of the biggest differences among providers of security services is the service-level agreement (SLA). In this five-part series of articles, we will dive deep into the various aspects of the SLA and attempt to explain in details what the SLA should contain and why each of the items is necessary.
In general, an MSSP SLA should cover the following areas:
Service Summary or Description
The service summary section usually appears in the introductory section of the SLA. It should always state the name of the provider and the name of the customer.
This summary will enumerate the obligations that you, the customer, must fulfill in order to satisfy the SLA. For example, you may be asked to provide up-to-date contacts, network topologies and customer escalation paths.
This section will usually list the support level (e.g., gold or platinum) you have purchased. The support level determines how fast the service provider will respond to your service requests, how many service requests youre allowed per week or month, how often you will be notified during emergencies, and most important, what your general service availability guarantee is.
Service providers host security services in a variety of ways. Some will install dedicated hardware at your site. Some will provide you with dedicated hardware, but it will sit in the providers own network operations center. And others will provide the security service through virtual domains that share, with other customers, the same physical hardware located (again) at the service provider's site.
Regardless of the method used, the service provider should state clearly in the SLA how the service is to be provided. Once youre sure of the hardware in use, you will be able to ask intelligent questions about hardware specification, performance, throughput, size, upgrades and so forth.
Most service providers use products from name-brand companies such as Check Point, ISS, Cisco, and others. Other service providers will use open-source software such as Snort for IDS.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts