In Depth

Service Level Agreements: Tying the Knot

Service-level agreements are at the heart of most managed information security contracts. But they don't guarantee that buyer and seller are pulling in the same direction.

By Malcolm Wheatley

Page 3

Some businesses take a different view. Multinational petrochemicals giant BP, for example, is cautious about an overreliance on simple metrics. "Both hard and soft measures are important," argues Paul Dorey, director of global security for BP. "The usual service-level metrics (speed of response, events logged and managed, and so on) form the basis of regular performance meetings, but we really look for a good relationship with knowledgeable security people. We're asking them to be part of our extended team, and in security it's more important to face up to any problems and deal with them than it is to decide whose fault it was," he says.

In other words, the metric-driven approach may simply boil down to counting the number of times that the horse has bolted through the open stable door. The obvious question: Might it not be better to close it first?

That is certainly a view strongly put forward by Raleigh, N.C.-based Al Decker, director of outsourcing giant EDS's security and privacy services division. "There's a perception that managed security equates to managed intrusion detection and a managed firewall," he notes. Metrics, like technologies, need to be tied to a firm business justification. "If [a particular measurement] doesn't serve a business need, you need to query why it's there," he says.

According to Decker, managed security should really start by sitting down with your provider and analyzing the network architecture for worm holes. "If you take too narrow a focus, there's a risk that you'll leave an opening for an attack," he warns. Likewise, time spent up-front figuring out the policies and procedures that should be in place is usually a good investment. In the event of an attack, he notes, "The policy is what should guide the action that is taken, and if [your actions and those of the service provider] are not in concert, then there's a chance that you may be missing the mark."

Another strike against service-level agreements comes from Bob Ayers, an information security veteran who rounded out a career in U.S. Army Intelligence and the Defense Intelligence Agency with a period as director in charge of the Department of Defense Information Systems Security Program, establishing the first Department of Defense emergency response team. Curiously, Ayers, who these days is based in London as director of business risk services at security consultancy @Stake of Cambridge, Mass., gripes that SLAs don't contain enough metrics. Or at least enough of the metrics that really matter.
