Security Basics mailing list archives

Re: ISP Security SLA's


From: "Mitchell Rowton" <mrowton () bdo com>
Date: Tue, 16 Mar 2004 12:33:37 -0500

It's hard to tell without a better idea of what kind of services they
will provide. Are they just an ISP?

One thing I always ask for while doing security evaluations of vendors
is that they inform us of any possible security intrusions that could
affect us. You would be surprised by how many vendors are reluctant to
sign their name to this type of agreement.  Of course you won't need to
ask for this in California....

You could always throw in a bunch of sweeping generalities that are
impossible to enforce (they will practice reasonable due diligence to
maintain technical and administrative security controls to protect the
confidentiality, integrity, and availability of your information).
That way if they do something VERY stupid then you may have a leg to
stand on.

"Spencer Hall" <SHALL () stvincentshealth com> 03/16 3:40 AM >>>
I am looking at incorporating security language in a contract with
vendors that will be providing us with Internet access.

Has anyone any ideas, thoughts or suggestions about incorporating some
security requirements in addition to performance SLAs within the
contract?


Spencer D. Hall
Sr. Network Analyst/HISO
St. Vincent's Medical Center
shall () jaxhealth com 
