In Depth

Service Level Agreements: Tying the Knot

Service-level agreements are at the heart of most managed information security contracts. But they don't guarantee that buyer and seller are pulling in the same direction.

By Malcolm Wheatley

Page 4

It's a reflection, he says, of the imbalance that exists between managed security services providers and their customers when it comes to constructing SLAs. "Typically, you're doing it for probably the first time, while the supplier has done it many times over," he says. "The supplier uses words that make what they are going to do for you sound grand and glorious, but there's no way you can use those words to prove that they aren't doing a good job."

Better Language, Please

Look no further than the sort of phraseology used to describe the supplier's obligations regarding software updates and antivirus patches. "Remember," Ayers says, "that a prime cause of hacks is poor software maintenance and late application of antivirus software. And what do we find? Phrases like, 'The supplier will install and maintain an intrusion detection system and keep it current.'"

A much better way of describing that critical obligation, he says, would be to pin down much more precisely what has to be done. So instead of the previous vague phraseology, Ayers prefers words like these: "The supplier will install an intrusion detection system approved jointly by the supplier and the client, and will apply all vendor product updates within 30 minutes of them becoming available."

It's just an example, but Ayers is resolute on the need to comb through SLAs looking for, and excising, woolliness. He's also in favor of building into the contract a stipulation that the client will periodically attack their own systems in order to assess the capability of the managed security services provider to detect and respond to those attacks. "It's my experience that most companies fail to make such stipulations within their contracts," he observes. But how practical are such tough-sounding words? Even setting aside the periodic targeting of a company's systems by its own personnel, some people have reservations about linking security issues to such tightly written metrics.
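The two clauses Ayers describes, a 30-minute patch window and client-run test attacks, only bite if someone actually measures them. The script below is an added example, not code from the article or from Ayers, showing how the evidence would be scored. It assumes a simple CSV-style log format (update id, vendor release time, supplier apply time; test id, launch time, provider alert time), a 15-minute detection window for the test attacks (a figure chosen here, not one the article gives), and that an update or attack with no recorded completion is treated as "open" until its window has elapsed and as a breach afterwards. All timestamps are constructed for illustration.

```python
"""SLA evidence checker for two measurable MSSP obligations:
patches applied within a fixed window of vendor release, and
client-run test attacks detected within a fixed window.
Log data below is constructed for illustration only."""
from datetime import datetime, timedelta

PATCH_SLA = timedelta(minutes=30)    # window quoted in the article's sample clause
DETECT_SLA = timedelta(minutes=15)   # assumed detection window, not from the article

# Constructed patch log, one record per line:
# "<update-id>,<vendor_released>,<supplier_applied>" (ISO 8601, UTC, blank if not yet applied)
PATCH_LOG = """\
ids-sig-2041,2024-03-04T10:00:00,2024-03-04T10:12:00
ids-sig-2042,2024-03-04T14:30:00,2024-03-04T15:45:00
ids-sig-2043,2024-03-05T09:00:00,
ids-sig-2044,2024-03-05T11:00:00,2024-03-05T11:29:00
"""

# Constructed red-team exercise log:
# "<test-id>,<attack_launched>,<provider_alerted>" (blank if the provider never raised an alert)
ATTACK_LOG = """\
rt-01,2024-03-06T02:00:00,2024-03-06T02:09:00
rt-02,2024-03-06T03:00:00,
rt-03,2024-03-06T04:00:00,2024-03-06T04:40:00
"""


def _parse(text):
    """Parse the assumed three-column format into (id, start, end-or-None) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ident, start, end = line.split(",")
        rows.append((ident,
                     datetime.fromisoformat(start),
                     datetime.fromisoformat(end) if end else None))
    return rows


def evaluate(log_text, window, now):
    """Score each record against the window.

    Returns (verdicts, ratio): verdicts maps id -> "met" | "breach" | "open";
    ratio is met / (met + breach), or None if nothing has been scored yet.
    A record with no end time is "open" while `now` is still inside the
    window and becomes a "breach" once the window has elapsed, so a
    never-applied patch or never-detected attack is not silently ignored.
    """
    verdicts = {}
    for ident, start, end in _parse(log_text):
        if end is None:
            verdicts[ident] = "open" if now - start <= window else "breach"
        else:
            verdicts[ident] = "met" if end - start <= window else "breach"
    scored = [v for v in verdicts.values() if v != "open"]
    ratio = sum(v == "met" for v in scored) / len(scored) if scored else None
    return verdicts, ratio


def sla_report(now):
    """Combine both obligations into one summary a contract reviewer can read."""
    patch_verdicts, patch_ratio = evaluate(PATCH_LOG, PATCH_SLA, now)
    attack_verdicts, attack_ratio = evaluate(ATTACK_LOG, DETECT_SLA, now)
    return {
        "patch_compliance": patch_ratio,
        "patch_breaches": sorted(k for k, v in patch_verdicts.items() if v == "breach"),
        "detection_rate": attack_ratio,
        "missed_attacks": sorted(k for k, v in attack_verdicts.items() if v == "breach"),
    }


if __name__ == "__main__":
    for key, value in sla_report(datetime(2024, 3, 7)).items():
        print(f"{key}: {value}")
```

The "open" state matters in practice: a report run ten minutes after a vendor release should not yet count that update against the supplier, but a report run the next day must. Without that distinction a supplier can argue that unapplied updates were never "late", which is exactly the kind of wording gap the article warns about.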

For public sector CSOs such as Jeff Ritter, director of IT for the division of employment and training for the commonwealth of Massachusetts, there's a legal hurdle to cross, one that the private sector may not need to face. "Public sector contracts are worded very generally, and security is a very specific issue," says Ritter, who serves on the commonwealth's Enterprise Security Board. "A general contract at law can't possibly address the specifics of an engagement of this nature, in terms of particular releases and updates." Public sector contracts tend to be "blanket" contracts, he explains: general in nature, lasting over time, and covering a basket of goods and services.
