Security Basics mailing list archives

Re: ISP Security SLA's


From: "steve" <securityfocus () delahunty com>
Date: Tue, 16 Mar 2004 15:00:22 -0500

I have negotiated secure managed hosting environments and also gotten
specific in the contract to detail what services they are providing.  For
instance including: firewall (dedicated or shared), packet level filtering,
network and host intrusion detection, periodic penetration testing and
vulnerability scanning, configuration and patch management.

I have seen a Master Services Agreement (MSA) with detailed information on
what was to be provided for Managed Firewall Services, Managed Intrusion
Detection Services, Vulnerability Assessment Services, and Penetration
Testing Services.  I can't freely send details of that MSA though.  There
was about a paragraph on each detailing exactly what was to be provided.

I have seen a security-specific SLA from another vendor but it dealt more
with uptime of their security management customer portal and notifications
required to customers as well as policy changes.




----- Original Message ----- 
From: "Spencer Hall" <SHALL () stvincentshealth com>
To: <security-basics () securityfocus com>
Sent: Tuesday, March 16, 2004 3:40 AM
Subject: ISP Security SLA's


I am looking at incorporating security language in a contract with vendors
that will be providing us with Internet access.

Has anyone any ideas, thoughts or suggestions about incorporating some
security requirements in addition to performance SLAs within the contract?


Spencer D. Hall
Sr. Network Analyst/HISO
St. Vincent's Medical Center
shall () jaxhealth com




