Cybersecurity service level agreements: understanding government data confidentiality requirements

Author:

Nugraha Yudhistira (1, 2), Martin Andrew (3)

Affiliation:

1. Jakarta Smart City, Department of Communications, Informatics, and Statistics, Jl. Medan Merdeka Sel. No.8-9, Jakarta Pusat, DKI Jakarta 10110, Indonesia

2. School of Computing, Telkom University, Jl. Telekomunikasi No. 1, Terusan Buahbatu, Kabupaten Bandung, Jawa Barat 40257, Indonesia

3. Department of Computer Science, University of Oxford, Robert Hooke Building, Parks Road, Oxford, the United Kingdom OX1 3PP, UK

Abstract

Cybersecurity requirements, such as data security, are often used as evidence for the Government's relationship with external service providers to process, store and transmit sensitive government data. However, cybersecurity researchers have not profoundly studied the practical application of government data security requirements (e.g. data confidentiality) in service level agreements (SLAs) in the context of an outsourced scenario. The relationships with external service providers are usually established through SLAs as trust-enhancing instruments. However, there is a concern that existing SLAs mainly focus on the system availability and performance aspects but overlook cybersecurity requirements (e.g. data security) in SLAs. Such an understanding is essential to develop government SLA data confidentiality requirements into the formulation of security-related SLAs. We seek to provide insights by developing and conducting a grounded adaptive Delphi method (GADM) with 35 government participants through group discussions and individual sessions. The work on the Indonesian Government's data confidentiality requirements was used as a case study. This paper provides insights into three understandings of the increasing considerations of the Government's data confidentiality requirements in SLA definitions. The three perceptions of security-related SLAs are the target of protection, the data confidentiality risks and the government SLA data confidentiality requirements. Our findings have important implications for a better understanding of how to incorporate data confidentiality requirements according to perceived threats for government data classification in security-SLAs. Based on these findings, we recommend that the Government and service providers improve existing security-related SLAs and future research lines.

Publisher

Oxford University Press (OUP)

Subject

Law; Computer Networks and Communications; Political Science and International Relations; Safety, Risk, Reliability and Quality; Social Psychology; Computer Science (miscellaneous)

Cited by 6 articles.

1. Beyond Data Protection: Exploring the Convergence between Cybersecurity and Sustainable Development in Business; Sustainability; 2024-07-10

2. Security in Cloud-Native Services: A Survey; Journal of Cybersecurity and Privacy; 2023-10-26

3. Information Security of the National Economy Based on an Effective Data Control Method; Journal of International Commerce, Economics and Policy; 2023-09-19

4. Shaping the Digital Future of Civil Service: An Assessment of Digital Transformation and Data Science Competencies; 2023 IEEE 8th International Conference On Software Engineering and Computer Systems (ICSECS); 2023-08-25

5. Examining the institutional and legislative frameworks for enforcing cybersecurity in Zimbabwe; International Cybersecurity Law Review; 2023-07-27
