Service Level Agreements

Major Incident SLAs

The Office of Information Security proposes that the following changes be made to the existing documents under the Investigation, Mitigation, and Recovery sections. These Service Level Agreements (SLAs) were determined by internal discussion and historical evidence of average times for response and resolution for the specific incident types outlined. **NOTE: The proposed SLA times increase based on the breadth of affected systems and users. The SLAs listed below are for individual systems and end-users. Each increase in affected users will increase the SLA time.**

Account Compromise Playbook
  • Investigation SLA Updates: 12 hours
  • Mitigation SLA Updates: 24 hours
  • Recovery SLA Updates: 12 hours
Application Compromise Playbook
  • Investigation SLA Updates: 24 hours
  • Mitigation SLA Updates: 24 hours
  • Recovery SLA Updates: 12 hours
Brute Force Playbook
  • Investigation SLA Updates: 12 hours
  • Mitigation SLA Updates: 12 hours
  • Recovery SLA Updates: 6 hours
Phishing Playbook
  • Investigation SLA Updates: 3 hours
  • Mitigation SLA Updates: 2 hours
  • Recovery SLA Updates: 1 hour
Ransomware Playbook
  • Investigation SLA Updates: 48 hours
  • Mitigation SLA Updates: 24 hours
  • Recovery SLA Updates: 24 hours

Incident Response Plan (IRP)

The Incident Acknowledgement SLA applied under the IRP is applicable to High and Critical incident types, for which there is considerable variance in the complexity of the required investigative and remediation activity. The Major Incident Process may also supersede the IRP for Critical incidents that meet the criteria for invoking the Major Incident Process, which has its own associated processes and SLAs.

ServiceNow Incident SLAs

SLAs for incidents taken in by the Office of Information Security are measured against University business hours, 8 a.m. to 5 p.m. ET, Monday through Friday, excluding University-recognized holidays. Once a remediation or resolution action has taken place, an additional 48-hour hold is placed on the ticket, pausing all SLAs until the end user confirms resolution.
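Because the SLA clock only runs during business hours and is paused by the post-remediation hold, a 12-hour SLA opened late on a Friday does not come due on Saturday. The following calculator is an added illustration, not part of the Office of Information Security's documents or of any ServiceNow configuration; the holiday list, the ticket times and the function names are constructed for the example, and the 48-hour hold is treated as wall-clock time, which is an assumption.

```python
from datetime import datetime, timedelta, time
from zoneinfo import ZoneInfo

ET = ZoneInfo("America/New_York")
BUSINESS_START = time(8, 0)   # 8 a.m. ET
BUSINESS_END = time(17, 0)    # 5 p.m. ET

# Constructed holiday list for the example; a real deployment would load
# the University-recognized holiday calendar instead.
HOLIDAYS = {datetime(2024, 1, 15).date()}


def is_business_day(d):
    """Monday-Friday and not a recognized holiday."""
    return d.weekday() < 5 and d not in HOLIDAYS


def at_time(dt, t):
    """Same date as dt, clock set to t (keeps the tzinfo)."""
    return dt.replace(hour=t.hour, minute=t.minute, second=0, microsecond=0)


def next_business_start(dt):
    """8 a.m. on the next business day after dt's date."""
    d = dt.date() + timedelta(days=1)
    while not is_business_day(d):
        d += timedelta(days=1)
    return datetime.combine(d, BUSINESS_START, tzinfo=ET)


def business_hours_between(start, end):
    """Business hours (as a float) elapsed between two aware datetimes."""
    total = timedelta(0)
    cur = start
    while cur < end:
        if not is_business_day(cur.date()) or cur.time() >= BUSINESS_END:
            cur = next_business_start(cur)
            continue
        if cur.time() < BUSINESS_START:
            cur = at_time(cur, BUSINESS_START)
        day_end = at_time(cur, BUSINESS_END)
        stop = min(day_end, end)
        if stop > cur:
            total += stop - cur
        cur = day_end
    return total / timedelta(hours=1)


def sla_due(opened, sla_hours):
    """Deadline for an SLA of sla_hours business hours starting at opened."""
    remaining = timedelta(hours=sla_hours)
    cur = opened
    while True:
        if not is_business_day(cur.date()) or cur.time() >= BUSINESS_END:
            cur = next_business_start(cur)
            continue
        if cur.time() < BUSINESS_START:
            cur = at_time(cur, BUSINESS_START)
        day_end = at_time(cur, BUSINESS_END)
        if day_end - cur >= remaining:
            return cur + remaining
        remaining -= day_end - cur
        cur = day_end


def remaining_business_hours(opened, sla_hours, now, hold_started=None, hold_hours=48):
    """Business hours left on the SLA at 'now'.

    If a remediation hold began at hold_started, the clock is paused for
    hold_hours of wall-clock time (an assumption of this example) and then
    resumes counting business hours."""
    if hold_started is None or hold_started > now:
        elapsed = business_hours_between(opened, now)
    else:
        elapsed = business_hours_between(opened, hold_started)
        hold_end = hold_started + timedelta(hours=hold_hours)
        if now > hold_end:
            elapsed += business_hours_between(hold_end, now)
    return max(sla_hours - elapsed, 0.0)


if __name__ == "__main__":
    # Constructed ticket: account compromise opened Friday 4 p.m., 12-hour investigation SLA.
    opened = datetime(2024, 1, 12, 16, 0, tzinfo=ET)
    print("investigation due:", sla_due(opened, 12))          # Wed 2024-01-17 10:00 ET
    # Constructed ticket: remediation applied at noon Tuesday, hold pauses the clock.
    opened2 = datetime(2024, 1, 16, 8, 0, tzinfo=ET)
    held = datetime(2024, 1, 16, 12, 0, tzinfo=ET)
    now = datetime(2024, 1, 18, 14, 0, tzinfo=ET)
    print("hours left on 48h SLA:", remaining_business_hours(opened2, 48, now, held))  # 42.0
```

The Friday 4 p.m. ticket accrues one business hour on Friday, skips the weekend and the constructed Monday holiday, uses all nine hours on Tuesday, and comes due at 10 a.m. Wednesday; the held ticket spends four business hours before the hold and two after it expires, leaving 42 of its 48 hours.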

Security Awareness

This Business Service is mainly used to assist users with Security Awareness and Training issues, whether regarding access or a general inquiry.

After investigating the tickets within ServiceNow for those labeled with these Application Services, the following SLA has been determined:

  • Overall SLA of 12 hours for investigation and remediation.

Security Governance

This Business Service is mainly used to investigate policy violations and initiate consulting. The Application Services are as follows: Policy Violation and Other.

These tickets are quite rare, and the Office of Information Security may see only a few policy violation tickets per month. After investigating the tickets within ServiceNow for those labeled with these Application Services, the following SLAs have been determined:

  • Other: 7-Day SLA to determine the scope of consultation and to recategorize the incident ticket (INC).
  • Policy Violation: 4-Day overall SLA with 48 hours for investigation procedures and 48 hours for remediation actions and OGC escalation.

Security Incident Analysis

This Business Service is mainly used to handle security operations INCs. The Application Services are as follows: Compromised Accounts, Compromised Machines, Investigation, Malware, and Phishing/Spam.

After investigating the tickets within ServiceNow for those labeled with these Application Services, the following SLAs have been determined:

  • Compromised Accounts: Overall SLA set for 48 hours, with initial intake and investigation procedures due within 12 hours of acknowledgment. The remaining 36 hours are for remediation and systems sync confirmation.
  • Compromised Machines: Overall SLA set for 48 hours, with initial intake and investigation procedures due within 24 hours of acknowledgment. The remaining 24 hours are for remediation and systems sync confirmation.
  • Investigation: Set SLA of 6 hours, as the incident must go through an initial investigation to determine the type of attack or security exposure.
  • Malware: Overall SLA of 24 hours, with 6 hours for investigation and the remaining 18 hours for remediation and systems recovery.
  • Phishing/Spam: Overall SLA of 6 hours, with 2 hours for investigation and remediation and 4 hours for end-user response and confirmation.