Appendix B. SLA Template

In this appendix, you will find a sample service level agreement (SLA) for supporting security event feeds from network devices. This sample SLA is arranged between the network support team (NetEng) and the team to whom security monitoring is assigned (InfoSec). Following the practice of this book, the scope belongs to our fictitious company, Blanco Wireless.

Service Level Agreement: Information Security and Network Engineering

Overview

This is a service level agreement (SLA) between Information Security (InfoSec) and Network Engineering (NetEng). The purpose of this document is to clarify support responsibilities and expectations. Specifically, it outlines:

  • Services provided by NetEng to support network security event recording for monitoring and incident response

  • General levels of response, availability, and maintenance associated with these services

  • Responsibilities of NetEng as a provider of these services

  • Responsibilities of InfoSec as the client and requester of these services

  • Processes for requesting and communicating status of services

This SLA shall remain valid until terminated. Approval and termination indications are noted by signatures in “8.1: Approvals.”

Service Description

This service includes configuration of network devices to support security monitoring. It specifically requires:

  • NetFlow configuration to InfoSec NetFlow collectors

  • Logging configuration to log appropriate syslog messages to InfoSec syslog collectors

  • SPAN configuration on routers to mirror traffic to network intrusion detection systems (NIDSs)

Scope

The scope of this agreement includes the following devices, where they are registered in Blanco’s device management system and operate within the bounds of Blanco’s global network:

  • All NetEng-supported distribution layer aggregation routers (choke points) including, but not limited to, the perimeters of the DMZ, production, extranet, and data center networks

  • All InfoSec-supported NIDSs

Roles and Responsibilities

The NetEng team will support the process in cooperation with InfoSec.

NetEng responsibilities

NetEng will maintain the following configuration on every Blanco choke point router:

  • Log NetFlow v5 to port 2055 of the InfoSec-designated NetFlow collection server.

  • Log auth and daemon messages to the InfoSec-designated syslog collection server.

  • Configure one SPAN to mirror both Rx and Tx traffic to the NIDS. For routers in HSRP, RSPAN must be configured to mirror all traffic.

This configuration will be maintained during normal operations of all network devices. NetEng will coordinate configuration changes and downtime with InfoSec via Blanco’s change management process.
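
One way either team could verify the three requirements above against a router's running configuration, as an added example that is not part of the original SLA template. The collector addresses and sample configurations are constructed, and the check covers the syslog destination only, not which facilities are forwarded.

```python
import re

# Constructed collector addresses (RFC 5737 range); the SLA only says
# "InfoSec-designated", so these values are assumptions.
NETFLOW_COLLECTOR = "192.0.2.10"
SYSLOG_COLLECTOR = "192.0.2.20"

def audit_router(config):
    """Return the SLA requirements an IOS running-config fails to meet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    has = lambda pat: any(re.fullmatch(pat, l) for l in lines)
    findings = []
    # NetFlow v5 exported to port 2055 of the collector.
    if not has(r"ip flow-export version 5( .*)?"):
        findings.append("netflow: export version is not 5")
    if not has(rf"ip flow-export destination {re.escape(NETFLOW_COLLECTOR)} 2055"):
        findings.append("netflow: no export to collector port 2055")
    # Syslog destination ("logging <ip>" or "logging host <ip>").
    if not has(rf"logging (host )?{re.escape(SYSLOG_COLLECTOR)}"):
        findings.append("syslog: collector is not a logging destination")
    # SPAN source must mirror Rx and Tx; IOS treats a missing direction as both.
    sources = [l for l in lines if re.match(r"monitor session \d+ source ", l)]
    if not any(l.split()[-1] not in ("rx", "tx") for l in sources):
        findings.append("span: no session mirrors both Rx and Tx")
    # Routers in HSRP (any "standby ... ip" line) need an RSPAN destination.
    if has(r"standby( \d+)? ip .*") and not has(
            r"monitor session \d+ destination remote vlan \d+"):
        findings.append("span: HSRP router without RSPAN")
    return findings

# Constructed sample configurations, not taken from any real device.
COMPLIANT = """
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
logging 192.0.2.20
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/2
"""
DRIFTED = """
interface GigabitEthernet0/1
 standby 1 ip 198.51.100.1
ip flow-export version 9
ip flow-export destination 192.0.2.10 9996
logging 192.0.2.20
monitor session 1 source interface GigabitEthernet0/1 rx
monitor session 1 destination interface GigabitEthernet0/2
"""
if __name__ == "__main__":
    print(audit_router(COMPLIANT), audit_router(DRIFTED))
```

An empty list means the router meets the checked requirements; each string in a non-empty list names one requirement that has drifted.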

InfoSec responsibilities

InfoSec will maintain collection of security events in support of incident response, monitoring, and investigations on Blanco’s network. InfoSec will also:

  • Provide access to NetFlow and network device log messages stored on collection servers.

  • Monitor for security events on network infrastructure.

  • Provide incident response and investigations during security incidents involving network infrastructure.

Service Operations

This section details how service is requested, hours of operation, expected response times, and escalation paths.

Requesting service

Service requests and change management will use Blanco’s in-house tools to log and route information.

  • InfoSec will request service by logging cases to NetEng via the Blanco Service Request System (BSR). Urgent requests will be escalated via Global Operations.

  • NetEng will communicate all outages and configuration changes by adding the group “InfoSec” to the approval group on all change requests.

Hours of operation

Both InfoSec and NetEng will maintain 24/7 operations and support for the services noted in this SLA.

Response times

NetEng agrees to support the security event feeds as a P2 service, which allows for up to four hours of downtime to resolve problems.

Escalations

Should either party require urgent attention to a problem, Global Operations will conduct priority adjustments and coordination of response. Assistance with resolution of ongoing but nonurgent problems will be handled by engaging the management of each respective organization.

Maintenance and service changes

Routers supporting security event feeds will maintain 24/7 operations. There will be no regularly scheduled maintenance, but necessary service outages will be requested and communicated via the change management system.

Security event collectors supported by InfoSec will maintain 24/7 operations with scheduled downtime on Sundays from 1:00 a.m. to 2:30 a.m. PST.

Agreement Dates and Changes

This document has been placed into effect January 20, 2009 and will remain in perpetuity. This document will be reviewed for changes and new approvals every two years or when director-level management changes are made to either the NetEng or InfoSec organization, whichever comes first.

Supporting Policies and Templates

This document is in support of the following Blanco Wireless policies:

  • Device Logging Policy

  • Network Security Incident Response Policy

  • Network Security Monitoring Policy

This document requires that the following templates be applied to all devices within the scope of this SLA. These templates will support the configuration required by this document:

  • NetFlow Logging Template for Cisco IOS 12 Routers

  • Event Logging Template for Cisco IOS 12 Routers

Approvals, Terminations, and Reviews

This document must be electronically signed by a director in both the NetEng and InfoSec organizations.

Approvals

This section should note the approver, title, and effective date.

Approver        Title                             Date
John McCain     Director, Network Engineering     1/20/09
Barack Obama    Director, Information Security    1/20/09

Terminations

This section should note the terminating director’s name, title, and effective date. This section is left blank until this agreement is terminated.

Terminating director    Title    Date

Reviewers

This section should list the contributing editors and those whose review affected material changes to the document.

Reviewer          Title                Date
Jason Bourne      Network Engineer     12/15/08
Michael Steele    Security Engineer    12/09/08
