The Service Level Agreement
Not too long ago service level agreements (SLAs) were the exception, rather than the norm. Fortunately, however, most organizations are now aware of the importance of these documents and related contracts. However, it is equally clear that too many SLAs are woefully inadequate, both in terms of quality and supporting procedures. This can be a real Achilles heel and indeed, in some scenarios a significant security risk.
Most readers of this newsletter will be well aware of the role of an SLA in terms of quality, but from the security angle the issues can be even more stark.
Quite simply, in security terms, an SLA is essential to govern and define the receipt of all critical services. It should identify not only what security measures are in place, but also matters such as what happens when there is a breach (for example, who is responsible for which actions).
The same applies to service availability. This is sometimes covered in its own specific schedule within the agreement, and is often the most difficult aspect to agree. However, from a business continuity viewpoint it is critical that it properly meets the needs of the service recipient.
Then there are changes to the SLA itself. How are these governed? The SLA is an important document, and controls must be applied to ensure that changes, and their implications, are formally and properly considered, and signed off at the correct level. Changes to the Agreement should be handled under agreed change control procedures. It is normally recommended, however, that the Client organization establishes some form of specific Steering Committee which will be responsible for controlling and monitoring the SLA and changes to the Services, service measurement criteria or the Agreement itself. The following process is fairly common in medium and large organizations:
- The nominated Client Representative should submit a Services Change Request on behalf of the user area to the Supplier for consideration and costing.
- The Supplier should review the feasibility of the Services Change Request and provide an estimate of the time and work required.
- The Client Representative and the Supplier should jointly present the Services Change Request to the SLA Steering Committee.
- The Steering Committee is to approve or reject the Services Change Request.
- The Steering Committee should consider the impact on contracts and agreements between the two parties, and the budgetary issues.
- The Services Change Request, if approved, is then incorporated into the Service Level Agreement.
The ITIL and ISO 20000 Newsletter will be revisiting issues related to the SLA frequently in the future, and makes no apologies for doing so. Too often we see organizations applying significant effort and resources in other areas, but short-cutting on this key issue.