Service Level Agreements: Coming to Terms
Service-level agreements (SLAs) are a point of control in the relationship between the customer and the Web-hosting service provider. An SLA is ultimately what both parties agree to in principle and in fact. Your legal counsel should review the document, but more is required to create a satisfactory SLA. A team made up of the CIO, an attorney, security and risk executives, and the chief marketing officer should write these agreements. And remember: While a good SLA will aid security, the purpose of the hosted Web site is not to be a paragon of security, but an effective channel for developing your company's business. The SLA should set forth the following:
Security and operational procedures: How often are the backup generators tested, and how frequently is the fuel recycled? What are the actual procedures used in the event of a power failure?
Performance-level statistics: What is the average downtime? What was the longest downtime?
Incident reporting: If there is an attack on the Web host, what information is the host obligated to disclose and when? This can include what damage occurred, how the attack was carried out, what security holes were exploited and whether they were closed, and how quickly the host detected and responded to the attack.
Financial reporting: What is the credit rating of the host? Is the host obligated to advise customers of changes in its credit rating? What is the host's source of funding? If funded through venture capital, when will it close on its next round of capital, and what must it do to ensure successful closure of the next investment round? Does the host have a financial line of credit, and how much of the credit is available?
Human resources policies: What are the backgrounds of the security personnel? Are background investigations completed on all employees? Are convicted felons hired? Are third-party guard services used? Are those guards trained on host security policies and procedures? How much training is provided?