Information Security Service Level Agreement 2016-2017
- General Overview
- Service Description
- Roles and Responsibilities
- Requesting Service
- Hours of Coverage, Response Times and Complaint Resolution
- Maintenance and Service Changes
- Review and Reporting
1 General Overview
This is a Service Level Agreement (SLA) between the campus community and the Division of Information Technology to document:
- Technology Security Services
- The general levels of response, availability, and maintenance associated with these services.
- The responsibilities of the Division of Information Technology as a provider of these services
- The responsibilities of the clients receiving these service
- Deviations from the standard processes documented in the IT and Campus SLA.
This Agreement is valid from April 2016. Review is every two years, or as otherwise needed.
2 Service Description
The description of the Security Services can be found in the catalog: https://doit.creighton.edu/services-provided-doit/service-catalog
2.1 Service Scope
The Information Security team provides support, administration, and record-keeping, from on-boarding to closure for any data source, network, system or tool.
The Information Security Team also provides the following services:
- Information Security Consultation
- Information security architecture consulting and guidance on security best practices
- Security Awareness Training
- The development and administering of a security awareness training program
- Log collection management
- Security Incident Response, Investigations & Forensics Reviews
- Security incident handling for the University
- Investigation of reported and discovered information security incidents
- Communications about information security problems, events, incidents, and other matters with affected parties
- Security Vulnerability Monitoring
- Vulnerability management solutions to help system owners identify missing patches and other vulnerabilities
- Services administered through Proofpoint:
- Secure Email
- Email Firewall
- End User Digest/Quarantine
- CUAlert enables Creighton University to quickly and efficiently communicate with members of the community when there is any kind of adverse event affecting campus.
- CUAlert delivers personalized messaging simultaneously via text, multiple phone numbers, and e-mail.
- Change Advisory Board
- The change advisory board (CAB) helps to ensure that changes to IT systems are managed in a rational and predictable manner.
- CAB is responsible for enforcing change management policies within IT and for overseeing and approving request for changes (RFCs).
- The security team manages the operations, policies, and procedures of the change advisory board. The CISO acts as the meeting chair, and a member of the security team serves as a voting member.
- Whole Disk Encryption
- For computers/laptops that contain confidential or otherwise sensitive data, we provide PGP whole disk encryption.
- SSL Certificates
- SSL Certificates offer the ability for a web site or application to validate its identity as well as encrypt traffic sent to/from it across the internet.
- Any system at Creighton that has a logon page or provides/accepts sensitive or confidential data MUST use SSL to ensure the security of data transmitted across the network.
- Account Management
- AMI is Creighton’s address book where you can view faculty, student, and staff phone numbers, email addresses, and departments.
- Guest/Administrative/Service Account creation/maintenance
- Account termination
- Web SSO/Identity Management
- Web Single Sign-On provides an easy to use and secure authentication environment for users.
- The standard platform for accomplishing this objective uses Shibboleth software and SAML (security assertion markup language) developed by Internet2.
Some Security Service tasks can be accomplished by clients themselves, and these services are available 24 hours a day, seven days a week except during planned maintenance events. Services requiring staff assistance are available during regular university business hours, 8AM to 5PM, Monday through Friday, excluding campus holidays. An example would be initiating a password change.
2.1.1 User Requirements
- Clients are strongly advised to set a password recovery email address for systems which offer self-service password reset methods.
- Support varies depending on a client’s affiliation. Clients establish their affiliation by positively identifying themselves.
- Clients must have setup security questions and answers in AMI in order to reset their blue password themselves.
2.1.2 Boundaries of Service Features and Functions
- Except where indicated, the service focuses on access (usernames and passwords) and not authorization to IT systems. In most cases, once given access to an application, other services manage how the client may use the system.
- The Security team works in tandem with the Desktop and other global services and refers support once authentication is successful.
2.2 Service Level Performance
2.2.1 General Service Levels
- Requests are processed in the order they are received.
- The Division places a medium priority on resolving incidents related to accounts.
2.2.1 Specific Service Levels
- There are no specific service levels beyond that of the campus SLA. We will make meaningful first-contact with-in 4 hours and we will resolve 80% of tickets by their due date. However, due dates can be set by agreement on individual requests to meet university business needs.
- Self-service password resets with password recovery email addresses available 24 hrs per day at ami.creighton.edu.
- The typical delivery time for CU NetIDs is 5 days after all paperwork has been complete and submitted. Password resets for all accounts is within 27 hours.
3 Roles and Responsibilities
The following Service Owner(s) will be used as the basis of the Agreement and represent the primary stakeholders associated with this SLA:
|Information Security Officer||Bryan McLaughlin||BryanMcLaughlin@creighton.edu|
|Information Security Engineer||Mark Baumgartner||MarkBaumgartner@creighton.edu|
|Information Security Analyst||Matt Fiscus||MattFiscus@creighton.edu|
3.2 IT Responsibilities
The Division will provide the infrastructure, technology, people, processes and monitoring tools necessary for Security Services and:
- Clearly documents services provided in IT Service Catalog.
- Meet response times associated with the priority assigned to incidents and service requests.
- Generate reports on service level performance
- Give appropriate notification to the customer for all scheduled maintenance via the Maintenance Calendar, Service Catalog web page and/or a communication to campus via the Strategic IT Communication Lead.
3.3 Customer Responsibilities
Customer responsibilities and/or requirements in support of this Agreement include:
- Clients are expected to follow the Creighton password strength guidelines.
- Contact the Service Desk for incidents.
- Contact the Service Desk for additions or changes in established service levels.
- Use the EasyVista ticket system for service requests for specific services as outlined in the IT Service Catalog.
- Compliance with university and campus IT policies and guidelines including (but not limited to):
- Fair responsible and acceptable use Policy
- Change Management Policy
- Configuration Standards Policy
- Log Management Policy
- Risk Management Policy
4 Requesting Service
See the IT and Campus SLA for standard methods of contacting the Division for service.
- Online / IT Request (doit.creighton.edu)
- Phone x1111
- Email (firstname.lastname@example.org)
- Walk-in support M-F 8AM to 5PM, Rienert Library
5 Hours of Coverage, Response Times & Escalation
For all requests, the Division's goal is to have a staff member assigned and acknowledge requests within 8 business hours of receipt. Campus priorities may require exceptions to this goal during certain times of the Academic year. See the IT and Campus SLA
5.1 Hours of Coverage
See the IT and Campus SLA
Self-service password changes for NetID Blue passwords via Security Services Interface (https://ami.creighton.edu) is available 24-7, except during scheduled maintenance events.
5.2.1 Incident Response
5.2.3 Service Request
5.5 Other Requests
Requests for service features and functions not yet implemented can be submitted to the Service Desk at email@example.com.
6 Maintenance and Service Changes
All technical maintenance occurs outside of the business hours. Systems offering 24-hour service for changing passwords, etc., vary according to system. All maintenance periods are announced. See the DoIT and Campus SLA for details of our standard maintenance and service process.
8 Reviewing and Reporting
8.1 Security incident and request Reporting
Service performance and availability reports will be published for review.
- Support response time for the Security Services service will be tracked and reported separately as part of the IT and Campus SLA.
8.2 SLA Reviews
The Designated Review Owner (“Document Owner”) is responsible for facilitating regular reviews of this document. Contents of this document may be amended as required, provided mutual agreement is obtained from the primary stakeholders and communicated to all affected parties. The Document Owner will incorporate all subsequent revisions and obtain mutual agreements / approvals as required.
Designated Review Owner: Matt Fiscus, Information Security Analyst
Previous Review Date: April 2016
Next Review Date: April 2017
9 Approvals and Signatures
The Divisional Liaisons and Senior Managers approve this document. This document is then published on the IT Service Catalog web site along with other service level agreements. Service level information is integrated into the service page in the IT Service Catalog.