In the process of selecting a managed security services (MSS) provider, the content of the service agreement is a critical factor to consider. A provider with the best technology and infrastructure but without a clear agreement can be a risk to the subscriber.
Therefore, it is imperative for the subscriber to understand what they need in the agreement.
In effect, the agreement is a mutual understanding between the client and the provider that quantifies the minimum acceptable service from both the client's and the provider's perspective.
The agreement is one of the most important documents in an MSS client/provider relationship. A properly written agreement is distinguished by clear, simple language and focuses on the needs and requirements of the client's business.
Creating a sound, mutually agreeable document is a matter of due diligence by both parties.
Clients should go into the negotiation process with their own service agreement as the starting point. The final document should be aligned with the following areas and defined to satisfy confidentiality, integrity and availability requirements:
- Service description and scope
- Roles and responsibilities of both parties
- Asset ownership
- Escalation and reporting process
- Incident response and management process
- Standing instructions
- Change management (such as focal contact point, asset IP addresses, firewall rules, etc.)
- Contractual exceptions: penalties and rewards
- Exit strategies
- Contingency planning (BCP/DR for MSSP)
- Legal implications
- Miscellaneous points not covered above
Clients need to determine the most critical aspects of a service and then ensure that the agreement is defined and negotiated to address their particular requirements.
These are likely to include service security, service levels, service response times, infrastructure uptime/downtime, network performance, scalability, reporting, client and client customer satisfaction, overall end-to-end performance of service features, and escalation processes.
The service agreement defines the roles of both the client and the provider. As a result, the client understands exactly what it is expected to do and what the provider is agreeing to do on its behalf.
The agreement should be precise. It needs to define which client resources the provider will be accessing and which functions the provider may perform on those resources. It is critical to involve in the development process all client stakeholders who will be responsible for ensuring compliance with the agreement, including IT and security staff.