Service Level Agreements (SLAs) directly involve continuous effort and improvement, significant technical investments and integration; and whether implied or explicit all business have them. Once an organization is consistently meeting their SLAs, the tolerance for change decreases and so goes the saying, "if it ain't broke, do not fix it".
Now we have a new, and far too often only implied Security SLA meaning "though shalt protect my data or you will not keep or earn my business". Being entrusted to protect one's own and others' data also means the new Security SLA must include direct and indirect data protection standards and compliance mandates, or accept the economic and legal consequences.
CSOs and staff will concur there is a challenge in addressing the Security Level Agreements while at the same time not impacting existing traditional SLAs. Customers demand certain levels of service and now also demand that their data is protected. CSOs, as such, are dedicating more time to respond answering the Information Security questions in RFPs that have a heavy focus on data security. Also, they are participating in meetings to explain their security programs and capabilities to the prospective customers' Risk and Compliance Officers (not IT Security people).
In parallel, CSOs and staff are in continual discussions with executive management, department heads and internal audit groups about reducing risk and meeting compliance mandates. However, part of those discussions is also addressing the predictable risk to internal and external Service Level Agreements when it becomes necessary to add new security components to tackle evolving or new Security Level Agreements.
Technical infrastructures have been built to be resistant and reliable but is there not concern and trepidation about adding another new security component to the finely tuned SLA engine? So one can offer up a new saying, "if it ain't broke, do not fix it; and if you need to better secure it, do not break it" (as maybe happened the last time).
It is fair statement that these new Security Level Agreements are requiring advanced security controls and safeguards for protecting data. In many cases, encrypting and controlling access to confidential and sensitive data wherever it may rest and in whatever form it is has become mandatory - a 'must have' to keep moving forward and avoiding significant exposure and risk.
Now that we've also entered the era of cloud computing, managed services and outsourcing, Security Level Agreements are a crucial tool for understanding the commitments from your vendors, and should be either included in your agreement, or be a separate element committed to by the service provider.
Here's what we found enterprises most wanted to see in this area to increase their use of Cloud environments.
Protecting data is like having a 'HazMat' suit; it can open the door to new customers and/or additional business opportunities. From Retail, HR, CRM, Financial, Supply Chain, Engineering, Legal, eComm, and Managed Services to the respective data being processed and stored.
Security SLAs are now a permanent fixture of doing business - If you are an enterprise, you should expect them from your vendors. If you are IT, you should be supplying them for every service.