User:Shawndouglas/sandbox/sublevel20 - Revision history

Shawndouglas at 20:14, 16 August 2023

2023-08-16T20:14:06Z

← Older revision	Revision as of 20:14, 16 August 2023
Line 1:	Line 1:
		<div class="nonumtoc">__TOC__</div>
		{{ombox
		\| type = notice
		\| style = width: 960px;
		\| text = This is sublevel20 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas\|my discussion page]] instead.<p></p>
		}}

		==Sandbox begins below==

Shawndouglas: Blanked the page

2023-08-16T20:13:19Z

Blanked the page

← Older revision		Revision as of 20:13, 16 August 2023
Line 1:		Line 1:
	~~===3.3 A brief note on cloud-inclusive cybersecurity insurance===~~
	[[File:Calculator-385506 1280.jpg\|right\|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ \|title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=23 January 2020 \|accessdate=28 July 2023}}</ref> In 2023, Network Assured found the percentage of organizations with some form of cybersecurity insurance had gone up to 55 percent, with cybersecurity insurance claims increasing 100 percent since 2020.<ref name="Cole23_23">{{cite web \|url=https://networkassured.com/security/cybersecurity-insurance-statistics/ \|title=23 Eye-Opening Cybersecurity Insurance Statistics (2023) \|author=Cole, N. \|Publisher=Network Assured \|date=02 May 2023 \|accessdate=15 August 2023}}</ref> Though the concept of cyber insurance has been around for several decades, it certainly has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.

	In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web \|url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 \|title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues \|author=Levite, A.; Kalwani, G. \|publisher=Carnegie Endowment for International Peace \|date=09 November 2020 \|accessdate=28 July 2023}}</ref>:

	<blockquote>Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.</blockquote>

	Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ \|title=Cloud Computing Risk and Cyber Liability Insurance \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=09 July 2020 \|accessdate=28 July 2023}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.

	When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. Ultimately your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud.

	~~However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />:~~

	<blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote>

	But what does cyber insurance in 2023 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/ \|title=Cyber 101: Understand the Basics of Cyber Liability Insurance \|author=Burke, D. \|work=Insights \|publisher=Woodruff Sawyer \|date=10 October 2022 \|accessdate=28 July 2023}}</ref>:

	* ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.
	* ''Privacy liability coverage'': This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
	* ''Network business interruption coverage'': This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
	* ''Media liability coverage'': This covers you organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement losses from both online and print advertising of your services.
	* ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.

	However, as the number of claims have risen into 2023, insurers are upping the requirements they place on the insured. Of key importance is noting the close positive correlation between the insured having poor cloud security policies and misconfigured cloud systems, and the fact that cyber insurance claims are increasing. As AgileIT notes, "businesses seeking cyber insurance will be mandated to strengthen their cloud security postures and particularly show how they will minimize misconfigurations" before qualifying for insurance.<ref name="AgileITChanges23">{{cite web \|url=https://www.agileit.com/news/changes-to-cybersecurity-insurance-in-2023/ \|title=Changes to Cybersecurity Insurance in 2023 \|publisher=AgileIT \|date=24 March 2023 \|accessdate=15 August 2023}}</ref> Other additional considerations insurers may make include whether or not your lab has an extended detection and response (XDR) plan, robust vulnerability prioritization strategies, and incident response service provider utilization.<ref name="AgileITChanges23" />

	Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Can your lab meet the growing list of requirements from insurers? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.

Shawndouglas at 19:34, 15 August 2023

2023-08-15T19:34:04Z

← Older revision		Revision as of 19:34, 15 August 2023
Line 1:		Line 1:
	===3.3 A brief note on cloud-inclusive cybersecurity insurance===		===3.3 A brief note on cloud-inclusive cybersecurity insurance===
	[[File:Calculator-385506 1280.jpg\|right\|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ \|title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=23 January 2020 \|accessdate=28 July 2023}}</ref> ~~The~~ concept of cyber insurance has been around for several decades, ~~but~~ it has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.		[[File:Calculator-385506 1280.jpg\|right\|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ \|title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=23 January 2020 \|accessdate=28 July 2023}}</ref> In 2023, Network Assured found the percentage of organizations with some form of cybersecurity insurance had gone up to 55 percent, with cybersecurity insurance claims increasing 100 percent since 2020.<ref name="Cole23_23">{{cite web \|url=https://networkassured.com/security/cybersecurity-insurance-statistics/ \|title=23 Eye-Opening Cybersecurity Insurance Statistics (2023) \|author=Cole, N. \|Publisher=Network Assured \|date=02 May 2023 \|accessdate=15 August 2023}}</ref> Though the concept of cyber insurance has been around for several decades, it certainly has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.

	In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web \|url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 \|title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues \|author=Levite, A.; Kalwani, G. \|publisher=Carnegie Endowment for International Peace \|date=09 November 2020 \|accessdate=28 July 2023}}</ref>:		In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web \|url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 \|title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues \|author=Levite, A.; Kalwani, G. \|publisher=Carnegie Endowment for International Peace \|date=09 November 2020 \|accessdate=28 July 2023}}</ref>:
Line 8:		Line 8:
	Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ \|title=Cloud Computing Risk and Cyber Liability Insurance \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=09 July 2020 \|accessdate=28 July 2023}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.		Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ \|title=Cloud Computing Risk and Cyber Liability Insurance \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=09 July 2020 \|accessdate=28 July 2023}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.

	When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. ~~But ultimately~~ your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud.		When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. Ultimately your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud.

	However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />:		However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />:
Line 14:		Line 14:
	<blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote>		<blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote>

	But what does cyber insurance in ~~2021~~ actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/ \|title=Cyber 101: Understand the Basics of Cyber Liability Insurance \|author=Burke, D. \|work=Insights \|publisher=Woodruff Sawyer \|date=10 October 2022 \|accessdate=28 July 2023}}</ref>:		But what does cyber insurance in 2023 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/ \|title=Cyber 101: Understand the Basics of Cyber Liability Insurance \|author=Burke, D. \|work=Insights \|publisher=Woodruff Sawyer \|date=10 October 2022 \|accessdate=28 July 2023}}</ref>:

	* ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.		* ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.
Line 22:		Line 22:
	* ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.		* ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.

	Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.		However, as the number of claims have risen into 2023, insurers are upping the requirements they place on the insured. Of key importance is noting the close positive correlation between the insured having poor cloud security policies and misconfigured cloud systems, and the fact that cyber insurance claims are increasing. As AgileIT notes, "businesses seeking cyber insurance will be mandated to strengthen their cloud security postures and particularly show how they will minimize misconfigurations" before qualifying for insurance.<ref name="AgileITChanges23">{{cite web \|url=https://www.agileit.com/news/changes-to-cybersecurity-insurance-in-2023/ \|title=Changes to Cybersecurity Insurance in 2023 \|publisher=AgileIT \|date=24 March 2023 \|accessdate=15 August 2023}}</ref> Other additional considerations insurers may make include whether or not your lab has an extended detection and response (XDR) plan, robust vulnerability prioritization strategies, and incident response service provider utilization.<ref name="AgileITChanges23" />

			Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Can your lab meet the growing list of requirements from insurers? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.

Shawndouglas at 17:47, 26 July 2023

2023-07-26T17:47:49Z

← Older revision	Revision as of 17:47, 26 July 2023
Line 1:	Line 1:
		===3.3 A brief note on cloud-inclusive cybersecurity insurance===
		[[File:Calculator-385506 1280.jpg\|right\|400px]]In January 2020, law firm Woodruf Sawyer indicated that among its business clients, the percentage of those organizations acquiring cybersecurity insurance coverage increased from 22 percent in 2016 to 39 percent in 2019, with that number expected to rise.<ref name="FlorescaBuying20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/is-buying-cyber-insurance-worth-it/ \|title=Buying Cyber Insurance: It May Be Required, But Is It Worth It? \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=23 January 2020 \|accessdate=28 July 2023}}</ref> The concept of cyber insurance has been around for several decades, but it has gained traction as a more popular offering in recent years. Initial adoption has often been hampered by the perception that issuers of such policies will rarely pay. But as companies like Merck, Equifax, and Marriott demonstrate that payment under cyber insurance policies is possible<ref name="FlorescaBuying20" />, questions remain about the value and availability of cybersecurity insurance, particularly when cloud computing is involved.

		In their 2020 paper for the Carnegie Endowment, Levite and Kalwani shared their educated opinion on the cybersecurity insurance market as it relates to cloud computing<ref name="LeviteCloud20">{{cite web \|url=https://carnegieendowment.org/2020/11/09/cloud-governance-challenges-survey-of-policy-and-regulatory-issues-pub-83124 \|title=Cloud Governance Challenges: A Survey of Policy and Regulatory Issues \|author=Levite, A.; Kalwani, G. \|publisher=Carnegie Endowment for International Peace \|date=09 November 2020 \|accessdate=28 July 2023}}</ref>:

		<blockquote>Another important regulatory priority in the category of resilience is insurance as a risk channeling mechanism, to offset physical or financial damages resulting from cloud failures ... At present, little recourse is available to CSPs or the consumer to address such serious and likely scenarios. The nascent cloud insurance market does not currently offer extensive solutions to this predicament, in part because of serious concern for the systemic risk that accumulates as a result of the cloud’s market concentration and the potential for cascading effects. System failures could potentially affect many different parties at once, trickling upward, downward, and sideways, and resulting in a mass of claims that could prove excessive for insurers and reinsurers to cover. Regulators’ concerns over the solvency of (re)insurers that underwrite cloud services in these domains are bound to further slow down expansion of insurance for cloud service business interruptions, especially as they pertain to coverage of damages to third parties.</blockquote>

		Levite and Kalwani touch upon the increasingly concentrated nature of cloud services, as mentioned in Chapter 2. The topic is also tangentially discussed by Woodruff Sawyer's Lauri Floresca, but from the perspective of the multitenant nature of public cloud. "If an insurer writes 10,000 policies for customers of one cloud vendor, and every single one of them makes a claim because of a breach, that’s an aggregation problem for the insurer," they note in a July 2020 Insights post.<ref name="FlorescaCloud20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cloud-computing/ \|title=Cloud Computing Risk and Cyber Liability Insurance \|author=Floresca, L. \|work=Insights \|publisher=Woodruff Sawyer \|date=09 July 2020 \|accessdate=28 July 2023}}</ref> These and other considerations bring about questions concerning how insurers will tighten policies and what insurers may or may not cover going forward in the 2020s. As such, this topic of what existing cybersecurity insurance policy writers will and will not cover, and how much—if any—of the policy addresses third-party cloud providers, deserves a brief but closer look.

		When approaching an insurer about cybersecurity (cyber) insurance, one of the first questions asked should be how cloud computing affects their policies. A quality insurer will make clear in its policy definitions and other documentation what actually constitutes being in the cloud, stating that the "computer system" of an insured organization extends to third-party networks. However, it's important to note that not only does the idea of shared responsibility between the organization and the CSP still stand, but also the concept of who the "data owner" or originator of any affected data is: your organization. In regulated environments where protected health information (PHI) is created and managed, that ownership may be extended to the CSP via, e.g., the [[Health Insurance Portability and Accountability Act]]'s (HIPAA's) requirement for business associate agreements. But ultimately your organization is still the primary data owner and holds much of the liability.<ref name="FlorescaCloud20" /> This is a primary reason to consider the value of cyber insurance that extends to the cloud.

		However, as Floresca notes, the onus isn't exclusively placed on the organization to acquire insurance<ref name="FlorescaCloud20" />:

		<blockquote>Even if you carry your own cyber insurance, however, it’s a good idea to require the cloud service provider to carry cyber coverage as well to help fund a loss. They might be more willing to indemnify you if the costs are not coming out of their pocket, and their contribution can help fund your deductible or pay excess costs if your cyber insurance limits are insufficient.</blockquote>

		But what does cyber insurance in 2021 actually look like? What does it cover? From our five risk categories described earlier, we find that data security and regulatory risk, as well as operational risk, are where most cyber risks will be found. Those categories of risk are addressed in some fashion by cyber insurance through a number of insuring agreements: network security, privacy liability, network business interruption, media liability, and errors and omissions (E&O). These are explained further below<ref name="BurkeCyber20">{{cite web \|url=https://woodruffsawyer.com/cyber-liability/cyber-101-liability-insurance/ \|title=Cyber 101: Understand the Basics of Cyber Liability Insurance \|author=Burke, D. \|work=Insights \|publisher=Woodruff Sawyer \|date=10 October 2022 \|accessdate=28 July 2023}}</ref>:

		* ''Network security coverage grant'': This covers your organization should a data breach, malware infection, cyber extortion effort, ransomware attack, or email phishing scam compromise your network security or cause it to fail. Coverage can expand to both first- and third-party costs, including legal expenses, digital forensics (also mention in Chapter 2), data restoration, customer notification, public relations consulting, and more.
		* ''Privacy liability coverage'': This covers your organization should government regulatory investigations, law enforcement investigations, legal contract obligations, or other such circumstances surrounding a cyber-incident or regulatory breach incur costs upon the organization. Coverage can expand to both first- and third-party costs, including costs from litigation defense, settlements, fines, and penalties.
		* ''Network business interruption coverage'': This covers your organization should third-party hacks, failed software patches, human error, or other such circumstances cause security failures. Organizations can recover lost profits, fixed expenses, and other additional costs, depending on the policy.
		* ''Media liability coverage'': This covers you organization should someone infringe upon your intellectual property. Though not directly related to security, this form of legal protection is often a part of cyber insurance, providing coverage for losses associated with non-patent infringement losses from both online and print advertising of your services.
		* ''Errors and omissions (E&O)'': This covers your organizations from, essentially, breach of contractual obligation. In the case of cloud, this would mean the CSP failed in the performance of their services by, e.g., allowing a breach of the organization's cloud data.<ref name="FlorescaCloud20" /> Coverage includes legal defense costs or other indemnification as a result of a dispute with not only a CSP but also one of your customers.

		Ultimately, it's up to you, the organization, to decide how to approach cloud-inclusive cyber insurance. Does your organization consider acquiring this type of insurance? Can your organization supply all the information a potential cyber insurance underwriter may ask for as part of the process? Do your potential CSP candidates have their own cyber insurance, and what does that insurance address? In the end, despite applying significant effort to your organization's approaches to risk management and security controls, the organization will need to look at costly risks as a matter of "when," not "if." If the potential consequences would be too detrimental to the organization, cyber insurance for your cloud expansion may be due. Just know that acquiring that insurance won't necessarily be straightforward.

Shawndouglas: Blanked the page

2022-05-05T21:23:26Z

Blanked the page

Show changes

Shawndouglas: /* Methodology */

2022-05-04T22:52:23Z

Methodology

← Older revision		Revision as of 22:52, 4 May 2022
Line 338:		Line 338:
	\|-		\|-
	\| style="padding:10px; width:350px;" \|[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-laboratories-isl WADA International Standard for Laboratories (ISL)]<sup>*</sup>		\| style="padding:10px; width:350px;" \|[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-laboratories-isl WADA International Standard for Laboratories (ISL)]<sup>*</sup>
			\| style="padding:10px; background-color:white;" \|World Anti-Doping Agency
			\|-
			\| style="padding:10px; width:350px;" \|[https://www.wada-ama.org/en/resources/world-anti-doping-program/international-standard-protection-privacy-and-personal WADA International Standard for the Protection of Privacy and Personal Information (ISPPPI)]<sup>*</sup>
	\| style="padding:10px; background-color:white;" \|World Anti-Doping Agency		\| style="padding:10px; background-color:white;" \|World Anti-Doping Agency
	\|-		\|-

Shawndouglas at 23:58, 28 April 2022

2022-04-28T23:58:13Z

← Older revision		Revision as of 23:58, 28 April 2022
Line 55:		Line 55:
	\| style="padding:10px; background-color:white;" \|Animal and Plant Health Inspection Service, Department of Agriculture > Viruses, Serums, Toxins, and Analogous Products; Organisms and Vectors > Possession, Use, and Transfer of Select Agents and Toxins		\| style="padding:10px; background-color:white;" \|Animal and Plant Health Inspection Service, Department of Agriculture > Viruses, Serums, Toxins, and Analogous Products; Organisms and Vectors > Possession, Use, and Transfer of Select Agents and Toxins
	\|-		\|-
	\| style="padding:10px; width:350px;" \|[https://www.law.cornell.edu/cfr/text/10/part-20 10 CFR Part 20]		\| style="padding:10px; width:350px;" \|[https://www.law.cornell.edu/cfr/text/10/part-20 10 CFR Part 20]<sup>*</sup>
	\| style="padding:10px; background-color:white;" \|Nuclear Regulatory Commission > Standards for Protection Against Radiation		\| style="padding:10px; background-color:white;" \|Nuclear Regulatory Commission > Standards for Protection Against Radiation
	\|-		\|-

Shawndouglas at 21:46, 27 April 2022

2022-04-27T21:46:33Z

← Older revision		Revision as of 21:46, 27 April 2022
Line 235:		Line 235:
	\| style="padding:10px; background-color:white;" \|European Union, European Commission		\| style="padding:10px; background-color:white;" \|European Union, European Commission
	\|-		\|-
	\| style="padding:10px; width:350px;" \|[~~http~~://~~data~~.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC]		\| style="padding:10px; width:350px;" \|[https://eur-lex.europa.eu/eli/dir/2003/94/oj E.U. Commission Directive 2003/94/EC]
	\| style="padding:10px; background-color:white;" \|European Union, European Commission		\| style="padding:10px; background-color:white;" \|European Union, European Commission
	\|-		\|-

Shawndouglas at 19:50, 27 April 2022

2022-04-27T19:50:55Z

← Older revision		Revision as of 19:50, 27 April 2022
Line 8:		Line 8:
	==Sandbox begins below==		==Sandbox begins below==
	===Introduction===		===Introduction===
	[[File:Systems Requirement Analysis.jpg\|700px\|right]]Merriam-Webster defines a "specification" as "a detailed precise presentation of something or of a plan or proposal for something."<ref name="MWSpec">{{cite web \|url=https://www.merriam-webster.com/dictionary/specification \|title=specification \|work=Merriam-Webster \|publisher=Merriam-Webster, Inc \|accessdate=~~20 September 2019~~}}</ref> In other words, an existing or theoretical product, concept, or idea is presented in detail for a particular audience. In a broad sense, detailing the specifics about a project, concept, or idea to others is just common sense. This applies just as well to the world of software development, where a software requirements specification is essential for preventing the second most commonly cited reason for project failure: poor requirements management.<ref name="BiegRequire14">{{cite web \|url=https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/requirements-management.pdf \|format=PDF \|title=Introduction \|work=Requirements Management: A Core Competency for Project and Program Success \|author=Bieg, D.P. \|publisher=Project Management Institute \|page=3 \|date=August 2014 \|accessdate=~~20 September 2019~~}}</ref>		[[File:Systems Requirement Analysis.jpg\|700px\|right]]Merriam-Webster defines a "specification" as "a detailed precise presentation of something or of a plan or proposal for something."<ref name="MWSpec">{{cite web \|url=https://www.merriam-webster.com/dictionary/specification \|title=specification \|work=Merriam-Webster \|publisher=Merriam-Webster, Inc \|accessdate=27 April 2022}}</ref> In other words, an existing or theoretical product, concept, or idea is presented in detail for a particular audience. In a broad sense, detailing the specifics about a project, concept, or idea to others is just common sense. This applies just as well to the world of software development, where a software requirements specification is essential for preventing the second most commonly cited reason for project failure: poor requirements management.<ref name="BiegRequire14">{{cite web \|url=https://www.pmi.org/-/media/pmi/documents/public/pdf/learning/thought-leadership/pulse/requirements-management.pdf \|format=PDF \|title=Introduction \|work=Requirements Management: A Core Competency for Project and Program Success \|author=Bieg, D.P. \|publisher=Project Management Institute \|page=3 \|date=August 2014 \|accessdate=27 April 2022}}</ref>

	In fact, the ISO/IEC/IEEE 29148:2018 standard (a conglomeration of what was formerly IEEE 830 and other standards) is in place to help specify "the required processes implemented in the engineering activities that result in requirements for systems and software products" and ~~provide~~ guidelines for how to apply those requirements.<ref name="ISO29148">{{cite web \|url=https://www.iso.org/standard/72089.html \|title=ISO/IEC/IEEE 29148:2018 \|publisher=International Organization for Standardization \|date=November 2018 \|accessdate=~~20 September 2019~~}}</ref> The standard describes the characteristics that make up quality software requirement development, including aspects such as<ref name="SeibertHowDoYou11">{{cite web \|url=https://hubtechinsider.wordpress.com/2011/07/28/how-do-you-write-software-requirements-what-are-software-requirements-what-is-a-software-requirement/ \|title=How do you write software requirements? What are software requirements? What is a software requirement? \|work=HubTechInsider \|author=Seibert, P. \|date=28 July 2011 \|accessdate=~~20 September 2019~~}}</ref>:		In fact, the ISO/IEC/IEEE 29148:2018 standard (a conglomeration of what was formerly IEEE 830 and other standards) is in place to help specify "the required processes implemented in the engineering activities that result in requirements for systems and software products" and provides guidelines for how to apply those requirements.<ref name="ISO29148">{{cite web \|url=https://www.iso.org/standard/72089.html \|title=ISO/IEC/IEEE 29148:2018 \|publisher=International Organization for Standardization \|date=November 2018 \|accessdate=27 April 2022}}</ref> The standard describes the characteristics that make up quality software requirement development, including aspects such as<ref name="SeibertHowDoYou11">{{cite web \|url=https://hubtechinsider.wordpress.com/2011/07/28/how-do-you-write-software-requirements-what-are-software-requirements-what-is-a-software-requirement/ \|title=How do you write software requirements? What are software requirements? What is a software requirement? \|work=HubTechInsider \|author=Seibert, P. \|date=28 July 2011 \|accessdate=27 April 2022}}</ref>:

	* correctly describing system behavior;		* correctly describing system behavior;
Line 18:		Line 18:
	* unequivocally ensuring the requirements are testable, modifiable, and traceable.		* unequivocally ensuring the requirements are testable, modifiable, and traceable.

	A requirement typically comes in the form of a statement that begins with "the system/user/vendor shall/should ..." and focuses on a provided service, reaction to input, or expected behavior in a given situation. The statement may be abstract (high-level) or specific and detailed to a precise function. The statement may also be of a functional nature, describing functionality or services in detail, or of a non-functional nature, describing the constraints of a given functionality or service and how it's rendered. An example of a functional software requirement could be "the user shall be able to query either all of the initial set of databases or select a subset from it." This statement describes specific functionality the system should have. On the other hand, a non-functional requirement, for example, may state "the system's query tool shall conform to the ABC 123-2014 standard." The statement describes a constraint placed upon the system's query functionality. Once compiled, a set of requirements can serve not only to strengthen the software requirements specification, but the requirements set can also be used for bidding on a contract or serve as the basis for a specific contract that is being finalized.<ref name="MemonSoftware10">{{cite web \|url=https://www.cs.umd.edu/~atif/Teaching/Spring2010/Slides/3.pdf \|format=PDF \|title=Software Requirements: Descriptions and specifications of a system \|author=Memon, A. \|publisher=University of Maryland \|date=Spring 2010 \|accessdate=~~20 September 2019~~}}</ref>		A requirement typically comes in the form of a statement that begins with "the system/user/vendor shall/should ..." and focuses on a provided service, reaction to input, or expected behavior in a given situation. The statement may be abstract (high-level) or specific and detailed to a precise function. The statement may also be of a functional nature, describing functionality or services in detail, or of a non-functional nature, describing the constraints of a given functionality or service and how it's rendered. An example of a functional software requirement could be "the user shall be able to query either all of the initial set of databases or select a subset from it." This statement describes specific functionality the system should have. On the other hand, a non-functional requirement, for example, may state "the system's query tool shall conform to the ABC 123-2014 standard." The statement describes a constraint placed upon the system's query functionality. Once compiled, a set of requirements can serve not only to strengthen the software requirements specification, but the requirements set can also be used for bidding on a contract or serve as the basis for a specific contract that is being finalized.<ref name="MemonSoftware10">{{cite web \|url=https://www.cs.umd.edu/~atif/Teaching/Spring2010/Slides/3.pdf \|format=PDF \|title=Software Requirements: Descriptions and specifications of a system \|author=Memon, A. \|publisher=University of Maryland \|date=Spring 2010 \|accessdate=27 April 2022}}</ref>

	Over the years, a wide variety of companies, consultants, and researchers have compiled public and private software requirements specifications for [[laboratory informatics]] systems. These compiled lists of requirements for how a given laboratory informatics solution should be developed, delivered, and maintained have changed as technology and user demand evolved. Often times, these requirements documents turn into a mix of "wishlist" requirements from potential and active clients, as well as regulation-mandated requirements. The wishlist items aren't necessarily ignored by developers, but they do in fact have to be prioritized as "nice to have" or "essential to system operation," or something in between.<ref name="AasemAnalysis10">{{cite journal \|title=Analysis and optimization of software requirements prioritization techniques \|author=Aasem, M.; Ramzan, M.; Jaffar, A. \|journal=Proceedings from the 2010 International Conference on Information and Emerging Technologies \|pages=1–6 \|year=2010 \|doi=10.1109/ICIET.2010.5625687}}</ref><ref name="Hirsch10Steps13">{{cite web \|url=https://www.phase2technology.com/blog/successful-requirements-gathering \|title=10 Steps To Successful Requirements Gathering \|author=Hirsch, J. \|publisher=Phase2 Technology, LLC \|date=22 November 2013 \|accessdate=~~20 September 2019~~}}</ref><ref name="BurrissSoftware07">{{cite web \|url=http://sce2.umkc.edu/BIT/burrise/pl/requirements/ \|archiveurl=https://web.archive.org/web/20190724173601/http://sce2.umkc.edu/BIT/burrise/pl/requirements/ \|title=Requirements Specification \|work=CS451R, University of Missouri–Kansas City \|author=Burris, E. \|publisher=University of Missouri–Kansas City \|date=2007 \|archivedate=24 July 2019 \|accessdate=~~02 February 2020~~}}</ref> While this reasonable mix of requirements has served informatics software developers well<ref name="HofmannRequire01">{{cite journal \|title=Requirements engineering as a success factor in software projects \|author=Hofmann, H.F.; Lehner, F. \|journal=IEEE Software \|volume=18 \|issue=4 \|pages=58–66 \|year=2001 \|doi=10.1109/MS.2001.936219}}</ref>, sometimes a fresh approach is required.		Over the years, a wide variety of companies, consultants, and researchers have compiled public and private software requirements specifications for [[laboratory informatics]] systems. These compiled lists of requirements for how a given laboratory informatics solution should be developed, delivered, and maintained have changed as technology and user demand have evolved. Often times, these requirements documents turn into a mix of "wishlist" requirements from potential and active clients, as well as regulation-mandated requirements. The wishlist items aren't necessarily ignored by developers, but they do in fact have to be prioritized as "nice to have" or "essential to system operation," or something in between.<ref name="AasemAnalysis10">{{cite journal \|title=Analysis and optimization of software requirements prioritization techniques \|author=Aasem, M.; Ramzan, M.; Jaffar, A. \|journal=Proceedings from the 2010 International Conference on Information and Emerging Technologies \|pages=1–6 \|year=2010 \|doi=10.1109/ICIET.2010.5625687}}</ref><ref name="Hirsch10Steps13">{{cite web \|url=https://www.phase2technology.com/blog/successful-requirements-gathering \|title=10 Steps To Successful Requirements Gathering \|author=Hirsch, J. \|publisher=Phase2 Technology, LLC \|date=22 November 2013 \|accessdate=27 April 2022}}</ref><ref name="BurrissSoftware07">{{cite web \|url=http://sce2.umkc.edu/BIT/burrise/pl/requirements/ \|archiveurl=https://web.archive.org/web/20190724173601/http://sce2.umkc.edu/BIT/burrise/pl/requirements/ \|title=Requirements Specification \|work=CS451R, University of Missouri–Kansas City \|author=Burris, E. \|publisher=University of Missouri–Kansas City \|date=2007 \|archivedate=24 July 2019 \|accessdate=27 April 2022}}</ref> While this reasonable mix of requirements has served informatics software developers well<ref name="HofmannRequire01">{{cite journal \|title=Requirements engineering as a success factor in software projects \|author=Hofmann, H.F.; Lehner, F. \|journal=IEEE Software \|volume=18 \|issue=4 \|pages=58–66 \|year=2001 \|doi=10.1109/MS.2001.936219}}</ref>, sometimes a fresh approach is required.

	What follows is an attempt to look less at the wishlists of laboratories and more directly at what requirements current regulatory schemes, industry standards, and organizational guidelines place on the ever-evolving array of laboratory informatics systems being developed today. What does the United States' [[21 CFR Part 11]] have to say about how your [[laboratory information management system]] (LIMS), [[laboratory information system]] (LIS), [[electronic laboratory notebook]] (ELN), and other systems operate? What does the European Union's Annex 11 dictate in those same regards? The following five chapters list those requirements, supported by one or more regulations, standards, and guidelines. The final chapter discusses how to best put this requirements specification to use.		What follows is an attempt to look less at the wishlists of laboratories and more directly at what requirements current regulatory schemes, industry standards, and organizational guidelines place on the ever-evolving array of laboratory informatics systems being developed today. What does the United States' [[21 CFR Part 11]] have to say about how your [[laboratory information management system]] (LIMS), [[laboratory information system]] (LIS), [[electronic laboratory notebook]] (ELN), and other systems operate? What does the European Union's Annex 11 dictate in those same regards? The following five chapters list those requirements, supported by one or more regulations, standards, and guidelines. The final chapter discusses how to best put this requirements specification to use.

	===Methodology===		===Methodology===
	At its core, this LIMSpec—which has seen several iterations over the years—is rooted in [[ASTM E1578\|ASTM E1578-18]] ''Standard Guide for Laboratory Informatics''. ~~With the~~ latest version released in 2018, an updated Laboratory Informatics Functional Requirements checklist ~~is included~~ in the appendix~~, which~~ "covers functionality common to the various laboratory informatics systems discussed throughout [the] guide as well as requirements recommended as part of [the] guide." It goes on to state that the checklist "is an example of typical requirements that can be used to guide the purchase, upgrade, or development of a laboratory informatics system," though it is certainly "not meant to be exhaustive."		At its core, this LIMSpec—which has seen several iterations over the years—is rooted in [[ASTM E1578\|ASTM E1578-18]] ''Standard Guide for Laboratory Informatics''. The latest version was released in 2018, which includes an updated Laboratory Informatics Functional Requirements checklist in the appendix. That list of requirements "covers functionality common to the various laboratory informatics systems discussed throughout [the] guide as well as requirements recommended as part of [the] guide." It goes on to state that the checklist "is an example of typical requirements that can be used to guide the purchase, upgrade, or development of a laboratory informatics system," though it is certainly "not meant to be exhaustive."

	This LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, this should definitely be considered a work in progress, with more to be added with additional public and private comment on missing sources.		This LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, this should definitely be considered a work in progress, with more to be added with additional public and private comment on missing sources.
Line 352:		Line 352:
	\|}		\|}

	Each requirement statement has at least one linked regulation, standard, or guidance item. In some cases, the standards covered are proprietary. In those cases, the standard was either purchased for review or heavily researched using supporting documentation, and the link goes to the acquisition page for the standard. In other cases, some sources have been intentionally omitted. For example, the AOAC International ''Official Methods of Analysis'' and ''Guidelines for Laboratories Performing Microbiological and Chemical Analyses of Food, Dietary Supplements, and Pharmaceuticals'' are both proprietary and more or less prohibitively expensive. In other cases such as the U.S. Food Emergency Response Network and Laboratory Response Network, they simply don't make their standardized procedures open to the public.		Each requirement statement has at least one linked regulation, standard, or guidance item. In some cases, the standards covered are proprietary. In those cases, the standard was either purchased for review or heavily researched using supporting documentation, and the link goes to the acquisition page for the standard. In other cases, some sources have been intentionally omitted. For example, the AOAC International ''Official Methods of Analysis'' and ''Guidelines for Laboratories Performing Microbiological and Chemical Analyses of Food, Dietary Supplements, and Pharmaceuticals'' are both proprietary and more or less prohibitively expensive. In other cases, such as with the U.S. Food Emergency Response Network and Laboratory Response Network, they simply don't make their standardized procedures open to the public and thus can't be included.

Shawndouglas at 19:35, 27 April 2022

2022-04-27T19:35:04Z

← Older revision		Revision as of 19:35, 27 April 2022
Line 29:		Line 29:
	This LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, this should definitely be considered a work in progress, with more to be added with additional public and private comment on missing sources.		This LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, this should definitely be considered a work in progress, with more to be added with additional public and private comment on missing sources.

	That said, this third revision taps into the following ~~sources~~:		That said, this third revision (2022) taps into more than 100 resources, including the following:

	{\|		{\|