In following up with several security managers and IT systems managers to discuss the roles and responsibilities relating to security system technology on corporate networks, the subject of Service Level Agreements (SLAs) came up. IT departments have been using SLAs for more than a decade (much longer
Initially, SLAs were used to define the responsibilities and requirements of external IT service providers. About five or six years ago, companies began using internal SLAs between the IT department and other departments to clearly define the levels of service needed, and to help IT direct its efforts and technology investments accordingly.
The security departments of a number of large corporations have SLAs with their IT departments to cover the services IT provides related to physical security systems it maintains on the corporate network. Of course, many corporate security systems are maintained by systems integrators. Some security departments have received guidance and assistance from their IT departments in crafting SLAs for systems maintained by integrators.
An IT department's internal (rather than external) SLAs often provide the best examples for security systems SLAs because they are written for the same situation: the system end-users in a department want to contract for an appropriate set of services. This month's answers contain advice on using SLAs with your IT department. The same principles apply to establishing an SLA with a systems integrator.
Q: What advice do you have for security departments who want to implement a Service Level Agreement with their IT department?
A: Make sure that IT understands which functions are most critical, and which are least critical. For example, if non-security personnel have access to the video system for supervisory or training or other business purposes, that's not as critical as the security workstations, which could be needed at any time for security incident response. Some managers and supervisors are on our incident response personnel list, because if there is an incident in one of their areas, we want them to have system access.
- Security director, water utility
A: Although our IT department has SLAs with outside firms that incorporate some very technical language, we don't have lots of technical specifications in our SLAs for the security systems. It is very important to understand the entirety of each agreement (we have separate ones for network, server and workstation support services). Also the full scope of what you require from IT must be documented, including, for example, IT personnel getting vendor training. Fortunately the IT manager we worked with initially realized we were new to this, and we were able to "tweak" our agreements without pushback as we learned going forward.
- Security specialist, food manufacturing company
If you have experience that relates to this question, or have other experience you want to share, e-mail your answer to me at ConvergenceQA@gorbcs.com or call me at 949-831-6788. If you have a question you would like answered, I'd like to see it. We don't need to reveal your name or company name in the column, but we'd be happy to credit you for your quotation. I look forward to hearing from you!
New Question:
Have you changed the roles and responsibilities of any of your security team as a result of the convergence of information technology with security systems?
Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 20 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.