From Wikipedia:
"A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance)".

Usually, when you speak about SLAs in a SOC, you mean the maximum time it may take to do something. To be clear, I will list the SLAs normally used in a SOC for each service usually provided. Some SLAs are normally given to the customers; others are "internal" SLAs that you will normally not share with SOC customers. I would be happy to hear about your SLAs, so feel free to comment!
Common SLAs
These SLAs apply to every service but can vary from service to service:
· Maximum days to activate a new customer
· Maximum days to deactivate a customer (internal)
· Coverage (24x7, 5x8 Mon-Fri, etc.)
· Reporting (on request, automatic, etc.)
SDM (Security Device Management)
1) Change Management
· Max minutes to start working a request from the customer
· Max minutes to apply a change requested by a customer
· Max minutes to apply a rollback (could be seen as a change)
2) Fault Management
· Max minutes passed between the hardware fault and the ticket being opened
· Max hours needed to replace hardware declared as damaged
DDoS Mitigation
· Max minutes passed between the start of the attack and the ticket being opened
· Max minutes passed between the ticket being opened and the customer contact (phone call, email, etc.)
· Max minutes passed between the customer's request to apply a mitigation rule and its activation
Note that in this service there is no possibility of having an SLA for the problem to be solved, because there is no way you can be sure to stop an attack within a certain period of time.
Log Management
This service, in some way, could be seen as device management (sometimes you have to manage the log collectors, other times the virtual machine or virtual appliance used to collect the data, etc.). Additional SLAs can be:
· Max minutes passed between the time you stopped receiving logs from a log source and the time you open a ticket
· Max minutes passed between the time you opened the ticket and the time you start working the ticket
· Max minutes passed between the time you started working the ticket and the time you solved the problem
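The Log Management clocks, like those under Change Management, Fault Management and DDoS Mitigation, are all measured the same way: a start timestamp, an end timestamp and a maximum number of minutes. As an added example that is not part of the original post, the Python below evaluates such clocks on constructed tickets for the log management and DDoS services and also flags log sources that have gone silent past a threshold, which is what has to fire before the first Log Management ticket can be opened in time. Every SLA value, ticket timestamp, source name and log line is made up for illustration; the clock names and field names are my own.

```python
"""SLA clocks for SOC tickets, plus a silent-log-source detector.

Added example, not from the original post. All thresholds, ticket
timestamps, source names and log lines are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed SLA limits in minutes, keyed by (service, clock).
# Hypothetical numbers; real values come from the customer contract.
SLA_LIMITS = {
    ("ddos", "ticket_open"): 10,        # attack start -> ticket opened
    ("ddos", "customer_contact"): 15,   # ticket opened -> customer contacted
    ("ddos", "mitigation_active"): 30,  # mitigation requested -> rule active
    ("logmgmt", "ticket_open"): 30,     # logs stopped -> ticket opened
    ("logmgmt", "start_work"): 60,      # ticket opened -> work started
    ("logmgmt", "solve"): 480,          # work started -> problem solved
}

# Which pair of ticket timestamps each clock measures: (start, end).
CLOCK_FIELDS = {
    ("ddos", "ticket_open"): ("attack_started", "ticket_opened"),
    ("ddos", "customer_contact"): ("ticket_opened", "customer_contacted"),
    ("ddos", "mitigation_active"): ("mitigation_requested", "mitigation_active"),
    ("logmgmt", "ticket_open"): ("logs_stopped", "ticket_opened"),
    ("logmgmt", "start_work"): ("ticket_opened", "work_started"),
    ("logmgmt", "solve"): ("work_started", "solved"),
}


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def evaluate_ticket(service, ticket):
    """Return {clock: (elapsed_minutes, limit, breached)} for each clock of
    the service whose start and end timestamps are both present. A clock
    whose end timestamp is still missing is simply not reported (still running)."""
    results = {}
    for (svc, clock), (start_field, end_field) in CLOCK_FIELDS.items():
        if svc != service or start_field not in ticket or end_field not in ticket:
            continue
        elapsed = (ticket[end_field] - ticket[start_field]) / timedelta(minutes=1)
        limit = SLA_LIMITS[(svc, clock)]
        results[clock] = (elapsed, limit, elapsed > limit)
    return results


def breached_clocks(service, ticket):
    """Sorted names of the clocks that exceeded their limit."""
    return sorted(c for c, (_, _, breached) in evaluate_ticket(service, ticket).items() if breached)


def last_seen_by_source(lines):
    """Newest timestamp per source from lines shaped 'DATE TIME SOURCE ...'."""
    seen = {}
    for line in lines:
        date, time, source, _rest = line.split(" ", 3)
        stamp = ts(f"{date} {time}")
        seen[source] = max(seen.get(source, stamp), stamp)
    return seen


def silent_sources(lines, now, max_silence_minutes, expected):
    """Sources that must get a ticket: {source: minutes_silent}.
    A source in the expected inventory that never logged at all leaves no
    trace in the collector, so it is reported with an unbounded silence."""
    seen = last_seen_by_source(lines)
    out = {}
    for source, last in seen.items():
        silent = (now - last) / timedelta(minutes=1)
        if silent > max_silence_minutes:
            out[source] = silent
    for source in set(expected) - set(seen):
        out[source] = float("inf")
    return out


# Constructed sample data.
LOG_LINES = [
    "2024-03-01 09:00 fw-edge-01 accept src=10.0.0.5 dst=10.0.1.8 dport=443",
    "2024-03-01 09:05 fw-edge-01 accept src=10.0.0.7 dst=10.0.1.8 dport=443",
    "2024-03-01 09:10 fw-edge-01 drop src=203.0.113.9 dst=10.0.1.8 dport=22",
    "2024-03-01 08:20 ids-dc-02 alert sid=1000001 src=198.51.100.4",
    "2024-03-01 08:25 ids-dc-02 alert sid=1000002 src=198.51.100.4",
]
NOW = ts("2024-03-01 09:15")
EXPECTED_SOURCES = {"fw-edge-01", "ids-dc-02", "proxy-hq-01"}

LOGMGMT_TICKET = {  # ticket_open clock breached (50 min against a 30 min limit)
    "logs_stopped": ts("2024-03-01 08:25"),
    "ticket_opened": ts("2024-03-01 09:15"),
    "work_started": ts("2024-03-01 09:40"),
    "solved": ts("2024-03-01 12:00"),
}
DDOS_TICKET = {  # customer_contact clock breached (22 min against 15)
    "attack_started": ts("2024-03-01 14:00"),
    "ticket_opened": ts("2024-03-01 14:08"),
    "customer_contacted": ts("2024-03-01 14:30"),
    "mitigation_requested": ts("2024-03-01 14:35"),
    "mitigation_active": ts("2024-03-01 14:50"),
}

if __name__ == "__main__":
    for svc, ticket in (("logmgmt", LOGMGMT_TICKET), ("ddos", DDOS_TICKET)):
        for clock, (elapsed, limit, breached) in evaluate_ticket(svc, ticket).items():
            print(f"{svc}.{clock}: {elapsed:.0f} min (limit {limit}) {'BREACH' if breached else 'ok'}")
    print(silent_sources(LOG_LINES, NOW, 30, EXPECTED_SOURCES))
```

The silence detector only measures the first Log Management clock; the ticket it produces carries the moment the logs stopped as the clock's start, so the minutes already burned before the ticket exists count against the SLA. That is why the detector's threshold must be well below the contractual "max minutes to open a ticket", and why it takes an inventory of expected sources rather than trusting only what the collector has seen.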
Security Assessment (Vulnerability Assessment, Penetration Test, etc.)
It's quite difficult to establish SLAs for these services, but some ideas could be:
· Max days passed between the customer signing the contract and the time the company is able to provide the service (sometimes the group is busy with other activities, has a tight schedule, etc.) (internal)
· Max days passed between the end of the activity and the delivery of the activity report
Thank you so much for reading this post and remember that comments are really appreciated.