SLA 102: The Service Summary

Our SLA series focuses on the terms of the contract you're signing

In my last column, I walked through the basic areas that a service provider’s service-level agreement should cover: the service summary, security and design reviews, hardware, software, service availability, service requests, and monitoring and reporting.

In this article, I’ll focus on the service summary. In most SLAs, this section describes the service you will be receiving in general terms. Here are some of the areas you should keep in mind as you negotiate your contract with your service provider.

Service provider name

Most people skim this section because they assume the provider handing them the SLA is the one that will deliver the service. As with any contract, though, make sure the SLA names your service provider exactly as the legal entity you are paying and lists any doing-business-as (DBA) names it operates under. Resold and white-labeled security services are common, and the company whose logo is on the document is not always the one operating the service. Pinning the name down now removes an obvious point of confusion if you ever have to enforce the terms.

Support level

Many security providers offer tiers of support, such as basic, gold or platinum, depending on your contract. The support level generally determines how many service requests or tickets you may open per week or per month, and it may also determine which tier of support staff you can contact directly. Be sure you understand the support level you have bought, and make sure the SLA spells out exactly what that level includes. (I will go into more detail about service requests and tickets in later articles.)

Exclusions

Most service providers build into the SLA a list of exclusions or exceptions: circumstances that they do not count as service outages. The list effectively lets the provider off the hook for the service under those circumstances. For example, upgrades that require the equipment to be taken off-line generally aren't counted as outages.

Every service provider has exclusions, whether or not they are written down. If the SLA contains none, check with the provider, because it's far better to have the full list of exclusions and exceptions spelled out up front than to discover one in the middle of a dispute. Review the list carefully and negotiate the removal of any exclusion or exception you consider unreasonable. Pay particular attention to broadly worded items, such as outages attributed to third parties, and to whether the provider's own scheduled maintenance counts against availability.

Customer requirements

Generally, the service provider will require you, as the customer, to supply all the information it needs about your contacts, your escalation procedures and the maintenance windows for your network.

These requirements often cover not only the hardware and software you deploy but also your personnel and even your maintenance plans. Many providers will ask for a copy of your latest network topology, assurance that your equipment is adequately protected, and a list of the hardware and software you use for network management. Some of this information is used to configure the security policies, such as firewall rule sets and IDS signatures, so it needs to be accurate and kept current: an IDS tuned to a stale topology raises false alarms on legitimate traffic and may miss the traffic that matters. Bear in mind that what you are handing over is sensitive. A current topology diagram and an inventory of your management tools are exactly what an attacker would want, so ask how the provider stores that information and who within the provider can see it.

The provider will also require contact information for the administrators who will be dealing with it. This lets the provider reach the appropriate administrators in an emergency and check that a service request comes from someone entitled to make it. It's a good idea to stipulate that the provider accept service requests only from these authorized administrators. A name on a list is not authentication, though: ask how the provider confirms that a request really comes from one of those people (for example, a callback to the number on file, an agreed passphrase or a ticket opened through an authenticated portal) before it changes a firewall rule on your behalf. Otherwise anyone who learns an administrator's name and e-mail address can talk the provider into a policy change.

Your provider will also require you to specify the escalation procedure to be used in case of trouble. When an incident happens, whether it's an attack or a piece of equipment going down, the provider needs a way to reach the right administrators. If the primary contact is unavailable, the secondary contact must be reachable. If the provider can't reach anyone, it may carry out its default action, such as shutting down a network port. The default action is not always the one you would choose, so provide several backup contacts and make sure the SLA states exactly what the default action is for each kind of incident.

It is your obligation to tell the service provider promptly about any changes to the list of authorized administrators or to your preferred escalation procedures. A former employee who is still on the list can still open requests in your name.

Service providers may also require you to fulfill certain obligations beyond supplying information. They often stipulate advance notice (generally 48 to 72 business hours) of any work on your infrastructure that could affect the provider's security setup. From the monitoring side, work the provider doesn't know about looks like an incident: a new host, a vulnerability scan or a change in topology can trigger alerts and, in the worst case, the provider's default action. Advance notice keeps the number of false alarms down.

When the managed equipment sits at your site rather than in the provider's hosting facility, the provider may require you to enable secure remote access to it. For example, VPN access to the equipment may be required so the provider can remotely install firewall or IDS policies, monitor the health of the equipment or troubleshoot service problems. That access is a privileged path into your network, so the SLA should say how it is secured: which addresses the provider connects from, how its staff authenticate, and whether the sessions are logged and the logs made available to you.

Additionally, some providers may require a way to reach the console of the equipment during a network outage. For example, you may have to provide an analog phone line connected to the equipment's console port. In that case the provider should supply all the equipment needed for access, such as the modem. An out-of-band dial-in line bypasses your network controls, so it should require authentication of its own (a dial-back modem or, at minimum, a password on the console port), and the number should not be published.

If appropriate, a service provider may also spell out additional customer requirements, such as making available the necessary power, rack space and bandwidth.

You need to abide by every item listed under the requirements section of your SLA to avoid disputes. If you fail to meet one of them, your security provider may refuse a refund or service credit for poorly performed work, on the grounds that you did not hold up your end of the agreement.

SLA changes

Service providers change their standard SLAs from time to time. Some honor a previously signed SLA until the customer renews its contract; others apply changes immediately, to existing as well as new customers. The policy should be described in the contract you sign. Make sure you understand your provider's policy before committing to it.

Provider changes to the standard SLA may include the number of service tickets included in your package, monthly recurring charges, changes in hardware or software, or changes to the refund policy. Ensure that the SLA states how the provider will notify you when it changes. Some providers are very proactive about informing customers of specific changes, and sometimes an account manager will even walk you through the differences. Others will simply send you an e-mail saying that the SLA has changed and expect you to identify the differences yourself.

It is your responsibility to keep up to date on your SLA. Check in with your provider from time to time for changes, keep a copy of each version you have accepted so you can compare them, and make sure that all responsible parties see relevant correspondence from the provider.

Almost all service providers give a warning period before SLA changes take effect, but its length varies: some give 7 to 14 days' notice, others 30 days. Ask for at least 30 days. You don't know in advance how a change will affect your organization, and some changes will warrant a full review to decide whether the provider is still the right choice. A one- or two-week window may not leave enough time to evaluate the new terms.

Provision for reviewing new SLA terms should be part of your contract, but very few providers let you end the contract outright, even when the changes are significant. Try to negotiate a right to terminate without penalty if a change materially reduces the service, and be sure you understand how a mid-term change would play out in your environment.

In next week's article, I'll look at the portions of your SLA covering security design and posture reviews. Some providers include these reviews free as part of installing their managed security service. The reviews benefit both the provider and you as the customer.

Jian Zhen, CISM, CISSP, is director of product management at LogLogic, a log management and intelligence vendor in Sunnyvale, Calif. He has been in the information security industry for 10 years. He can be reached at zhenjl@gmail.com or his blog at Operational Intelligence.

Copyright © 2006 IDG Communications, Inc.

  
Shop Tech Products at Amazon