Re: SLA for Non IT Managed Server?

["Bates, Cathy C - (cbates)" <cbates () EMAIL ARIZONA EDU>]

Kris,

We do not have an SLA, but we are in the midst of working with our first college on this very issue.  Researchers who 
want to manage their own servers in the Engineering College will need to meet with the Dean and me (UISO) to make their 
case in terms of need and competency AND will have to have their server subject to periodic Qualys vulnerability scans 
to determine if they are maintaining a secure server.

Cathy

Cathy Bates
University Information Security Officer 
Information Security Office | CC207
University of Arizona
(520) 626-2399
cbates () email arizona edu
http://security.arizona.edu


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kris 
Monroe
Sent: Tuesday, April 12, 2011 5:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SLA for Non IT Managed Server?

Anyone have something like an SLA that they require by signed by a non 
IT owner of a server?
For example, a Faculty member that wants to host a web server and a 
database server to support their research project. I could see the SLA 
outlining the faculty member is responsible for patching (OS, web 
server, database), hardening, limiting the database to the one they have 
discussed (that has no PII), is responsible for user accounts (including 
provisioning/deprovisioning), etc. And that changing of the agreed upon 
use requires a new or revised SLA.
Thanks in advance!
-Kris

-- 
Stay Safe Online!
Visit ithaca.edu/ICinfosec for the latest cyber security tips.
-- 
Kris Monroe, CISSP, CISA
Information Security Officer
Ithaca College

email: kmonroe () ithaca edu
P: 607.274.1997