Welcome to this, the seventh edition of The ISO27000 Newsletter, designed to keep you abreast of updates and developments with respect to the ISO 17799 information security standard.
The information contained in this newsletter is free to our subscribers and provides guidance on practical issues, plus commentary on recent Information Security incidents.
Included in this issue are the following topics:
STILL MORE ON SERVICE LEVEL AGREEMENTS
A Service Level Agreement (the Agreement) is an agreement between two parties for the delivery of specified services by a “Supplier” or vendor to another party, the “Client”. It is effectively a proxy contract in that the two parties have negotiated and signed a comprehensive document specifying the terms and conditions under which the service delivery may be effected. Both parties must clearly understand their respective roles and responsibilities in respect of the delivery of the services, and this information is usually included in this part of the Agreement.
In the SLA, the Supplier and the Client are identified together with a statement of expectations and abilities. The Client should also fully understand the cost of receiving these services and the basis for the calculation of those costs. The Supplier is accountable for the quality and performance levels of the services and also the service availability.
However, a major part of the SLA should in fact revolve around security. Responsibilities for this should be very clearly defined and assigned. This equally applies to continuity, and it is important that actions in the case of serious events are clearly identified.
The bottom line is that the security manager or equivalent should have input to the SLA before it is signed. Those responsible for agreeing an SLA need to be aware of this, and the security manager (or equivalent) needs to be factored into the process itself.
NOTE: A comprehensive and interactive electronic guide to simplify the preparation and understanding of SLAs is available from: http://www.service-level-agreement.net