SLA Security Risk Assessment Checklist 2010-05-01.doc Page 1 of 5
STATE OF FLORIDA
AGENCY/PRIMARY DATA CENTER
SERVICE LEVEL AGREEMENT
INFORMATION ASSURANCE ASSESSMENT GUIDE
PURPOSE OF THIS EFFORT
This effort is intended to help agency individuals responsible for development of the
Service Level Agreements (SLAs) address information assurance/security
requirements.
Further, this checklist is intended to facilitate the SLA development process to ensure
that necessary information security requirements are considered. The appropriate
agency technology staff and the agency Information Security Manager (ISM) should
be included in drafting the SLA information security requirements.
Note: This document addresses security concerns from the agency's perspective. It is
assumed the data centers have addressed these issues at some level. It is hoped that
this document can bridge any gaps that may exist between what is offered by the data
center and what is needed by the agency to meet its security requirements.
SCOPE OF THIS EFFORT
In scope: To create a high level document (checklist) to help identify information
assurance/security issues that may need to be addressed in the SLA between the
agency and the data center.
Out of scope: This document is not intended to create specific language addressing
information security concerns to be included in an SLA between the agency and the
data center.
EXISTING POLICY AND SLA PROVISIONS
Agencies should request a copy of the data center's existing security standards and
practices. Additionally, the agency should obtain the existing IT security policies
governing the data center and its staff, and inspect any existing SLA provisions the
data center has regarding IT security.
GOVERNANCE
Determine the boundaries of responsibility for each of the following:
• Operating System (OS)
• Applications
• Databases
• Problem/Incident Resolution
• Contact information
• Hardware
(E.g., in the event of loss of connectivity or remote access, does agency staff have
physical access to the systems housing the agency's data?)
Define the responsibilities and accountabilities that belong to the agency, the data
center, or both. For example, define who is responsible for hardware or who can
physically access hardware.
Define guidelines for arbitration in the event of disputes.
DEFINITIONS
Confidential Information and/or Confidential Data – Information not subject to
inspection by the public that may be released only to those persons and entities
designated in statute; information designated as confidential under provisions of
federal law or rule.

Confidentiality - The principle that information is accessible only to those
authorized.

Data Center - means agency space containing 10 or more physical or logical servers,
any of which supports a strategic or nonstrategic information technology service, as
described in budget instructions developed pursuant to s. 216.023. F.S. 282.0041

State agency or agency - means any official, officer, commission, board, authority,
council, committee, or department of the executive branch of state government. F.S.
216.011. Agency, as the context requires, means an official, officer, commission,
authority, council, committee, department, division, bureau, board, section, or
another unit or entity of government. F.S. 20.03

CHECKLIST
CONTINUITY OF SERVICE
Availability Requirements (the ability to deliver on the mission)
What requirements does the agency have for the availability of data (uptime,
downtime tolerance, etc.)?
[ ] Disaster Recovery
What are the requirements for resumption of operation?
• Backup frequency
• Recovery time expectations
• Retention requirements
[ ] Redundancy
What are the requirements for fault tolerance?
[ ] Load Balancing
What are the requirements for volume traffic?
PREVENTION MEASURES
Data Protection Requirements
[ ] Access Control Requirements
• Physical
• Logical
• Identity and Authentication Requirements
• Separation of duties/functions
[ ] Logging and Monitoring Requirements
What information needs to be logged and monitored to ensure compliance with the
data protection requirements?
• What will the data center monitor?
• What will the data center log?
• Agency access to monitoring and logs
• Storage timeframes for logs
[ ] Confidentiality Requirements
What controls are necessary to protect data classified as confidential?
• Handling Requirements (Protection of data)
• Data in transmission – encryption / isolated
• Data at rest / storage (file, folder, database) – encryption
• Backup media / mobile media – encryption
• Access controls – who can access data
• Confidentiality agreement – need to know
Installation, Maintenance, and Change Management Requirements
[ ] Hardening Requirements
• Allowed protocols and ports
• Configuration settings
• Network/system isolation
Separation and isolation of domains (e.g., education versus law enforcement
CJnet)
[ ] Patching Requirements
• Time frames
• Satellite offices
• Back-out plans
[ ] Anti-malware Protections
[ ] Vulnerability Assessment Requirements
(scans, design reviews, etc.)
• New implementations
• PCI, etc.
[ ] Firewall / Intrusion Prevention Maintenance
Personnel
[ ] Background Screening Requirements
(E.g., level 2, IG review and approval, etc.)
RESPONSE MEASURES
Incident Response and Mitigation (Unplanned events)
[ ] Monitoring
When to alert the agency: establish thresholds
[ ] Alerting
• Contact Information
• Incident status reporting (frequency, details, thresholds, etc.)
[ ] Event Escalation
• Contact Information
• Escalation Thresholds
• Escalation Timelines
[ ] Remediation
[ ] Documentation
COMPLIANCE
[ ] Audit Requirements
Identify the audit requirements that apply to the agency.
• Federal (E.g., FDOL, IRS, SSA, OCSE, HIPAA, FERPA); State (E.g., AG,
OPPAGA); Agency; PCI; Other
• Staffing Availability (Data Center staff and Agency)
• Remediation issues
• Frequency of audits
• Consolidating/Coordinating audit schedules
(possible goal of the shared resource center?)
• Physical access to systems by auditors
[ ] Compliance Requirements
Identify compliance requirements based on applicable federal and state laws,
statutes, policies, and regulations, etc. that apply to the agency. The list that
follows gives some examples:
• Applicable federal or state laws or statutes
• Payment Card Industry Data Security Standard
• Florida Administrative Code
• Data center policies and standards
• Agency policies and standards
• Others