Service-level agreement of a SOC

From Wikipedia: "A service-level agreement (SLA) is a part of a service contract where a service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service or performance)”.

Usually, when you are speaking about SLA in a SOC, you mean how long (maximum) it will take to do something. To be clear I will list the normal SLA used in a SOC for every service usually provided. Some SLA will be normally provided to the customers others are “internal” SLAs that you will normally not share with SOC customers.

I would be happy to listen to your SLAs, so feel free to comment!

Common SLAs

These SLA apply to every service but can vary from service to service

·         Maximum days to activate a new customer

·         Maximum days to deactivate a customer (internal)

·         Coverage (h24, 5x8 Mon-Fri, etc)

·         Reporting (on request, automatic, etc)

SDM (Security Device Management)

1)      Change Management

·         Max minutes to start to work a request from the customer

·         Max minutes to apply a change requested by a customer

·         Max minutes to apply a rollback (could be seen as a change)

2)      Fault Management

·         Max ninutes passed between the fault of the hardware and the ticket opened

·         Max hours needed to substitute a hardware declared as damaged

DDoS Mitigation

·         Max minutes passed between the start of the attack and the ticket opened

·         Max minutes passed between the ticket opened and the customer contact (phone call, email, etc)

·         Max minutes passed between the request of the customer to apply a mitigation rule and its activation

Note that in this service there is no possibility of having a SLA for the problem to be solved because there is no way you can be sure to stop an attack in a certain period of time.

Log Management

This service, in some way, could be seen as a device management (sometimes you have to manage the log collectors, other times the virtual machine or virtual appliance used to collect the data, etc) additional SLAs can be:

·         Max minutes passed between the time you stopped receiving logs from a log source and the time you open a ticket

·         Max minutes passed between the time you opened the ticket and the time you start working the ticket

·         Max minutes passed between the time you started working  the ticket and the time you solved the problem

Security Assessment (Vulnerability Assessment, Penetration Test, etc)

It’s quiet difficult to establish SLAs in these services but some ideas could be:

·         Max days passed between the customer signed the contract and the time the company is able to provide the service (sometime the group is busy with other activities, has a fit schedule, etc) (internal)

·         Max days passed between the finish of the activity and the delivery of the activity report

Thank you so much for reading this post and remember that comments are really appreciated.