In Depth
Service Level Agreements: Tying the Knot
Service-level agreements are at the heart of most managed information security contracts. But they don't guarantee that buyer and seller are pulling in the same direction.
By Malcolm Wheatley
February 01, 2003 — CSO — Richard Diamond is fully aware of the irony: Of all the 400 or so users on his company's nationwide network, he was the one who fatefully clicked open an e-mail attachment from a contact outside the company. And Diamond is the CIO.
"The moment it happened, I realized what I'd done
Those unforgettable three days led Diamond's company to settle on an increasingly common solution: outsourcing its network security. The Doctors Co. contracted Symantec to keep watch over the network on a 24/7 basis, guarding against not just viruses but the full gamut of IT security threats. "On security issues, we felt we were always playing catch-up," says Diamond. No longer. "Suddenly, we find we're in the vanguard. It's a little surprising, but it seemed to be a very prudent thing to do."
There are many reasons for bringing in a managed security services provider. Some hope to lower costs. Some simply hope to hand someone else the trouble of finding and hiring information security expertise. And many CSOs say they sleep better at night with such a service in place. But the contracts that govern outsourced security relationships are tricky beasts. Most of them center around a service-level agreement (SLA), which spells out minimum performance standards that the provider must reach. In all too many cases, it's tempting to rely on the apparently tough-sounding SLA proffered by the vendor as the basis for managing and monitoring this new relationship. But that could be a mistake for a number of reasons, chief among them the fact that many of the measurements provided may prove hard to contest or simply irrelevant for what the CSO's business really needs. And negotiating a different agreement isn't as easy as it sounds.
All things considered, CSOs should scrutinize their service contracts carefully before letting a standard SLA lull them into a false sense of security.

What's in an SLA
In a business such as managed security, most CSOs and CIOs figure that measuring a vendor's effectiveness shouldn't call for rocket science. Diamond, for his part, is very clear about the relationship with Symantec: "We know what it's going to cost us, and we know how we're going to measure its effectiveness," he says.