Hi,
We are currently developing the teaching materials for the
Certificate of Cloud Auditing Knowledge (CCAK). One of the topics we are seeking views on is "what happens in case of an SLA violation by your CSP?".
In my experience at large enterprises, SLA violations are (generally) manually tracked and then discussed in calls with CSP account managers as a standing agenda item. The urgency of handling the violation would determine the pace and force of resolution with the CSP (i.e. "P1 rocket"). In most cases the violation is ultimately resolved. But in some cases - where deeper issues are discovered as a result of the SLA violation - we may have decided to implement alternative stop gap measure(s) to buy more time until the issue with the CSP can be resolved. In the final reckoning, either the provider compensates as per the contract (assuming its their fault!) or the legal button is pressed (last resort). In may ways, this isn't any really any different from non-CSP technology arrangements...
So I'm curious to read how your SLA violation process differs with CSPs than it does your traditional IT outsourcing arrangements. No need to name CSPs, more interested in your process and if/how it has evolved from the "old days".
Thank you,
Craig
------------------------------
Craig Balding
CSA Enterprise Security Specialist
Owner at Resilient Security Ltd
------------------------------