User:Shawndouglas/sandbox/sublevel26 - Revision history

Shawndouglas: Replaced content with "
TOC
{{ombox | type = notice | style = width: 960px; | text = This is sublevel26 of my sandbox, where I play with features and..."

2023-08-16T20:24:24Z

Replaced content with "<div class="nonumtoc">__TOC__</div> {{ombox | type = notice | style = width: 960px; | text = This is sublevel26 of my sandbox, where I play with features and..."

← Older revision		Revision as of 20:24, 16 August 2023
Line 1:		Line 1:
	~~===5.3 Choosing a provider for managed security services===~~		<div class="nonumtoc">__TOC__</div>
	[[File:NSOC-2012.jpg\|right\|400px]]Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 70 MSSPs in several publications.<~~ref name~~="~~MSSPCyber20~~">{{~~cite web~~ \|~~url~~=~~https://www.msspalert.com/top250/list-2022/19/~~ \|~~title~~=~~Top 250 MSSPs for 2022~~: ~~Companies 70 to 61~~ \|~~work~~=~~Top 250 MSSPs: Cybersecurity Company List~~ and ~~Research~~ for ~~2020~~ \|~~publisher=MSSP Alert \|date=September 2022 \|accessdate=01 August 2023}}~~<~~/ref~~><ref name="CDMMSSPs21">{{cite web \|url=https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/ \|title=Top 100 Managed Security Service Providers (MSSPs) \|work=Cyber Defense Magazine \|publisher=Cyber Defense Media Group \|date=18 February 2021 \|accessdate=01 August 2023}}</~~ref~~><ref name="STHTop15_21">{{cite web \|url=https://www.softwaretestinghelp.com/managed-security-service-providers/ \|title=Top 15 Best Managed Security Service Providers (MSSPs) In 2023 \|publisher=Software Testing Help \|date=14 July 2023 \|accessdate=28 July 2023}}~~</ref>) However, in some cases it may make sense for the lab to look beyond their cloud provider, particularly if their cloud provider doesn't supply MSS to its clients.~~		{{ombox
			\| type = notice
			\| style = width: 960px;
			\| text = This is sublevel26 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see [[User_talk:Shawndouglas\|my discussion page]] instead.<p></p>
			}}

	As discussed prior, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll be looking for not only years of experience managing cloud installations, but also that the provider is able to<ref name=~~"TrianzHowMana21">{{cite web \|url~~=~~https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works \|title~~=~~How Managed Cloud Security Works, and Why You Might Want It \|publisher~~=Trianz \|date=29 March 2021 \|accessdate=28 July 2023}}</ref><ref name="RSIHowMuch20">{{cite web \|url=https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/ \|title=How Much Does Managed Security Services Cost? \|publisher=RSI Security \|date=20 August 2020 \|accessdate=28 July 2023}}</ref><ref name="Russell10Tips21">{{cite web \|url=https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/ \|title=10 Tips for selecting a Managed Security Services Provider (MSSP) \|author=Russell, J. \|work=HarmonyTech Blog \|date=10 January 2022 \|accessdate=28 July 2023}}</ref><ref name="NTTHowToChoose16">{{cite web \|url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|archiveurl=https://web.archive.org/web/20210508224537/https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|format=PDF \|title=How to Choose an MSSP \|\|publisher=NTT Security \|date=November 2016 \|archivedate=08 May 2021 \|accessdate=28 July 2023}}</ref>:		==Sandbox begins below==

	* demonstrate deep knowledge of cloud-agnostic, industry-relevant best practices and approaches to security frameworks and their implementation;
	* demonstrate deep knowledge of regulatory mechanisms affecting your data and how to approach cloud security based upon those regulatory requirements;
	* describe what certifications, training, and continuing education requirements are met by staff;
	* leverage existing and emerging cloud security tools (e.g., security information and event management [SIEM] software) for automating security processes in a scalable future-proof fashion;
	* validate how their cloud security tools accomplish what they're intended to do, as well as how gathered information is analyzed both automatically and by the provider's analysts;
	* demonstrate how their approaches to security management can fit into or further mold your current IT and risk management strategies;
	* provide transparent pricing (e.g., is it tiered or bundled, based on number of users, something else) and make clear what the service covers;
	* provide examples of existing and past customers willing to give feedback about their experience with the provider;
	* provide a single point of contact to act as a security advocate to you during the entirety of your contract; and
	* support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.

	Of course, cost will also be of concern. However, a blanket "how much does it cost" question isn't going to produce a simple answer; there will be many variables (e.g., business needs, current solutions, current IT staffing, regulatory requirements, etc.) within your organization that make it difficult for an MSSP to provide a canned response. They will need to respond to your lab’s needs, which may be different from another lab's.<ref name="DosalIsMan19">{{cite web \|url=https://www.compuquip.com/blog/is-managed-security-worth-the-cost \|title=Is Managed Security Worth the Cost? \|author=Dosal, E. \|work=Compuquip Blog \|date=02 May 2019 \|accessdate=28 July 2023}}</ref> Additionally, costs associated with MSS can vary, not only from provider to provider but also based upon each provider's pricing model. Will they charge your lab based upon number of users, number of devices, or some other mechanism? Does the MSSP provide a flat rate for protecting your cloud resources, or do they offer different tiers or bundles of services? And will the MSSP providing cloud-based MMS also manage your non-cloud resources? A "per user" or "per device" approach to pricing may make sense for small labs, but larger organizations may balk at such inflated costs, preferring a flat rate or tiered package of services. Those tiered services may be based on either a user number range or based on a set of offered services.<ref name="RSIHowMuch20" />

	Ultimately, before approaching an MSSP, your lab will have needed to go through multiple steps internally, stating IT goals, identifying technology and education gaps, and determining a budget to support those goals and gaps. If your lab doesn't have a clear picture of what it has, where it wants to be, and what it will need to get there, it will make selection process even more difficult. As such, your lab may want to consider the request for information (RFI) process as part of your selection process.

	~~====5.3.1 Using a request for information (RFI) process====~~
	In some cases—particularly if your organization is of significant size—it may make sense to issue a formal RFI or request for proposal (RFP) and have major cloud MSSPs approach your lab with how they can meet its needs. The RFI and RFP are traditional means towards soliciting bidding interest in an organization's project, typically containing the organization's specific requirements and vital questions that the bidder should be able to effectively answer. However, even if your organization chooses to do most of the investigative work of researching and approaching cloud MSSPs, turning to a key set of questions typically found in an RFI is extremely valuable for "fact finding."

	An RFI is an ideal means for learning more about a potential solution and how it can solve your problems, or for when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<ref name="HolmesItsAMatch">{{cite web \|url=https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/ \|title=It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner \|author=Holmes, T. \|work=AllCloud Blog \|accessdate=28 July 2023}}</ref> Remember, however, that an RFI is not meant to answer all of your questions. The RFI is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Once the pool of potential MSSPs is narrowed down, more pointed questions can be asked to ensure those providers meet your needs.

	Be cognizant, however, that just like CSPs, there may be no MSSP that can meet each and every need of your lab. Your lab will have to make important decisions about which requirements are non-negotiable and which are more flexible. The MSSPs you engage with may be able to provide realistic advice in this regard, based upon your lab's requirements and their past experience with labs. As such, those MSSPs with real-world experience protecting the information systems of laboratories may have a strong leg up on other MSSPs, as they can make informed comments about your lab’s requirements based on their past experiences.

	For your convenience, Appendix 3 of this guide includes a comprehensive list of RFI questions to ask of MSSPs, as well as cloud providers. If you have zero experience developing an RFI, you may want to first seek out various example RFIs on the internet, as well as some basic advice articles on the topic. Some websites may provide templates to examine for further details. However, the templates in Appendix 3 attempt to provide basic background about the RFI process as well. This includes addressing important questions related to your business so providers responding to your RFI better understand your lab's goals and requirements.

	Now that we've addressed MSSPs, it's time to move on and take a look at the considerations required when choosing and implementing a cloud solution. The next chapter will look at the various characteristics of an average cloud provider, what you should look for in a cloud provider, the questions your organization should ask of itself, and the questions your organization should be asking cloud providers.

Shawndouglas at 23:31, 15 August 2023

2023-08-15T23:31:49Z

← Older revision		Revision as of 23:31, 15 August 2023
Line 1:		Line 1:
	===5.3 Choosing a provider for managed security services===		===5.3 Choosing a provider for managed security services===
	[[File:NSOC-2012.jpg\|right\|400px]]Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 30 MSSPs in several publications.<ref name="MSSPCyber20">{{cite web \|url=https://www.msspalert.com/top250/list-~~2020~~/25/ \|title=Top 250 MSSPs for ~~2020~~: Companies 10 to 01 \|work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 \|publisher=MSSP Alert \|date=September ~~2020~~ \|accessdate=~~28 July~~ 2023}}</ref><ref name="~~MSSPCyber-30to21_20~~">{{cite web \|url=https://www.~~msspalert~~.com/~~top250/list~~-~~2020/23~~/ \|title=Top ~~250~~ MSSPs ~~for 2020: Companies 30 to 21~~ \|work=~~Top 250 MSSPs: Cybersecurity Company List and Research for 2020~~ \|publisher=~~MSSP Alert~~ \|date=~~September 2020~~ \|accessdate=~~28 July~~ 2023}}</ref><ref name="STHTop15_21">{{cite web \|url=https://www.softwaretestinghelp.com/managed-security-service-providers/ \|title=Top 15 Best Managed Security Service Providers (MSSPs) In 2023 \|publisher=Software Testing Help \|date=14 July 2023 \|accessdate=28 July 2023}}</ref><ref name="CDMMSSPs21">{{cite web \|url=https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/ \|title=Top 100 Managed Security Service Providers (MSSPs) \|work=Cyber Defense Magazine \|publisher=Cyber Defense Media Group \|date=18 February 2021 \|accessdate=28 July 2023}}</ref>) However, in some cases it may make sense for the lab to look beyond their cloud provider, particularly if their cloud provider doesn't supply MSS to its clients.		[[File:NSOC-2012.jpg\|right\|400px]]Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 70 MSSPs in several publications.<ref name="MSSPCyber20">{{cite web \|url=https://www.msspalert.com/top250/list-2022/19/ \|title=Top 250 MSSPs for 2022: Companies 70 to 61 \|work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 \|publisher=MSSP Alert \|date=September 2022 \|accessdate=01 August 2023}}</ref><ref name="CDMMSSPs21">{{cite web \|url=https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/ \|title=Top 100 Managed Security Service Providers (MSSPs) \|work=Cyber Defense Magazine \|publisher=Cyber Defense Media Group \|date=18 February 2021 \|accessdate=01 August 2023}}</ref><ref name="STHTop15_21">{{cite web \|url=https://www.softwaretestinghelp.com/managed-security-service-providers/ \|title=Top 15 Best Managed Security Service Providers (MSSPs) In 2023 \|publisher=Software Testing Help \|date=14 July 2023 \|accessdate=28 July 2023}}</ref>) However, in some cases it may make sense for the lab to look beyond their cloud provider, particularly if their cloud provider doesn't supply MSS to its clients.

	As discussed prior, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll be looking for not only years of experience managing cloud installations, but also that the provider is able to<ref name="TrianzHowMana21">{{cite web \|url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works \|title=How Managed Cloud Security Works, and Why You Might Want It \|publisher=Trianz \|date=29 March 2021 \|accessdate=28 July 2023}}</ref><ref name="RSIHowMuch20">{{cite web \|url=https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/ \|title=How Much Does Managed Security Services Cost? \|publisher=RSI Security \|date=20 August 2020 \|accessdate=28 July 2023}}</ref><ref name="Russell10Tips21">{{cite web \|url=https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/ \|title=10 Tips for selecting a Managed Security Services Provider (MSSP) \|author=Russell, J. \|work=HarmonyTech Blog \|date=10 January 2022 \|accessdate=28 July 2023}}</ref><ref name="NTTHowToChoose16">{{cite web \|url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|archiveurl=https://web.archive.org/web/20210508224537/https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|format=PDF \|title=How to Choose an MSSP \|\|publisher=NTT Security \|date=November 2016 \|archivedate=08 May 2021 \|accessdate=28 July 2023}}</ref>:		As discussed prior, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll be looking for not only years of experience managing cloud installations, but also that the provider is able to<ref name="TrianzHowMana21">{{cite web \|url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works \|title=How Managed Cloud Security Works, and Why You Might Want It \|publisher=Trianz \|date=29 March 2021 \|accessdate=28 July 2023}}</ref><ref name="RSIHowMuch20">{{cite web \|url=https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/ \|title=How Much Does Managed Security Services Cost? \|publisher=RSI Security \|date=20 August 2020 \|accessdate=28 July 2023}}</ref><ref name="Russell10Tips21">{{cite web \|url=https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/ \|title=10 Tips for selecting a Managed Security Services Provider (MSSP) \|author=Russell, J. \|work=HarmonyTech Blog \|date=10 January 2022 \|accessdate=28 July 2023}}</ref><ref name="NTTHowToChoose16">{{cite web \|url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|archiveurl=https://web.archive.org/web/20210508224537/https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|format=PDF \|title=How to Choose an MSSP \|\|publisher=NTT Security \|date=November 2016 \|archivedate=08 May 2021 \|accessdate=28 July 2023}}</ref>:
Line 12:		Line 12:
	* provide transparent pricing (e.g., is it tiered or bundled, based on number of users, something else) and make clear what the service covers;		* provide transparent pricing (e.g., is it tiered or bundled, based on number of users, something else) and make clear what the service covers;
	* provide examples of existing and past customers willing to give feedback about their experience with the provider;		* provide examples of existing and past customers willing to give feedback about their experience with the provider;
	* provide a single point of contact to act as a security advocate to you during the entirety of your contract;		* provide a single point of contact to act as a security advocate to you during the entirety of your contract; and
	* support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.		* support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.

Shawndouglas at 22:42, 27 July 2023

2023-07-27T22:42:42Z

← Older revision	Revision as of 22:42, 27 July 2023
Line 1:	Line 1:
		===5.3 Choosing a provider for managed security services===
		[[File:NSOC-2012.jpg\|right\|400px]]Many MSSP options exist for labs seeking MSS. (Appendix 2 of this guide provides a list of profiles for top MSSPs to consider.) In some cases, if the lab is already using a public or hybrid cloud provider, that provider may already offer MSS to its customers, providing a certain level of convenience and familiarity to the lab. (For example, both IBM and Cisco, which offer public and hybrid cloud services, are ranked among the top 30 MSSPs in several publications.<ref name="MSSPCyber20">{{cite web \|url=https://www.msspalert.com/top250/list-2020/25/ \|title=Top 250 MSSPs for 2020: Companies 10 to 01 \|work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 \|publisher=MSSP Alert \|date=September 2020 \|accessdate=28 July 2023}}</ref><ref name="MSSPCyber-30to21_20">{{cite web \|url=https://www.msspalert.com/top250/list-2020/23/ \|title=Top 250 MSSPs for 2020: Companies 30 to 21 \|work=Top 250 MSSPs: Cybersecurity Company List and Research for 2020 \|publisher=MSSP Alert \|date=September 2020 \|accessdate=28 July 2023}}</ref><ref name="STHTop15_21">{{cite web \|url=https://www.softwaretestinghelp.com/managed-security-service-providers/ \|title=Top 15 Best Managed Security Service Providers (MSSPs) In 2023 \|publisher=Software Testing Help \|date=14 July 2023 \|accessdate=28 July 2023}}</ref><ref name="CDMMSSPs21">{{cite web \|url=https://www.cyberdefensemagazine.com/top-100-managed-security-service-providers-mssps/ \|title=Top 100 Managed Security Service Providers (MSSPs) \|work=Cyber Defense Magazine \|publisher=Cyber Defense Media Group \|date=18 February 2021 \|accessdate=28 July 2023}}</ref>) However, in some cases it may make sense for the lab to look beyond their cloud provider, particularly if their cloud provider doesn't supply MSS to its clients.

		As discussed prior, a knowledgeable and well-run MSSP can provide many benefits to the cloud-based lab, but what should stand out about the MSSP you select? When choosing a provider of comprehensive cloud-based MSS, you'll be looking for not only years of experience managing cloud installations, but also that the provider is able to<ref name="TrianzHowMana21">{{cite web \|url=https://www.trianz.com/insights/managed-cloud-security-services-how-and-why-it-works \|title=How Managed Cloud Security Works, and Why You Might Want It \|publisher=Trianz \|date=29 March 2021 \|accessdate=28 July 2023}}</ref><ref name="RSIHowMuch20">{{cite web \|url=https://blog.rsisecurity.com/how-much-does-managed-security-services-cost/ \|title=How Much Does Managed Security Services Cost? \|publisher=RSI Security \|date=20 August 2020 \|accessdate=28 July 2023}}</ref><ref name="Russell10Tips21">{{cite web \|url=https://www.harmony-tech.com/10-tips-for-selecting-a-managed-security-services-provider-mssp/ \|title=10 Tips for selecting a Managed Security Services Provider (MSSP) \|author=Russell, J. \|work=HarmonyTech Blog \|date=10 January 2022 \|accessdate=28 July 2023}}</ref><ref name="NTTHowToChoose16">{{cite web \|url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|archiveurl=https://web.archive.org/web/20210508224537/https://www.nttsecurity.com/docs/librariesprovider3/resources/us_data_sheet_how_to_choose_an_mssp_uea_v1 \|format=PDF \|title=How to Choose an MSSP \|\|publisher=NTT Security \|date=November 2016 \|archivedate=08 May 2021 \|accessdate=28 July 2023}}</ref>:

		* demonstrate deep knowledge of cloud-agnostic, industry-relevant best practices and approaches to security frameworks and their implementation;
		* demonstrate deep knowledge of regulatory mechanisms affecting your data and how to approach cloud security based upon those regulatory requirements;
		* describe what certifications, training, and continuing education requirements are met by staff;
		* leverage existing and emerging cloud security tools (e.g., security information and event management [SIEM] software) for automating security processes in a scalable future-proof fashion;
		* validate how their cloud security tools accomplish what they're intended to do, as well as how gathered information is analyzed both automatically and by the provider's analysts;
		* demonstrate how their approaches to security management can fit into or further mold your current IT and risk management strategies;
		* provide transparent pricing (e.g., is it tiered or bundled, based on number of users, something else) and make clear what the service covers;
		* provide examples of existing and past customers willing to give feedback about their experience with the provider;
		* provide a single point of contact to act as a security advocate to you during the entirety of your contract;
		* support not only open-source security management tools, but also be flexible enough to integrate your own proprietary solutions and their associated licenses into the managed service.

		Of course, cost will also be of concern. However, a blanket "how much does it cost" question isn't going to produce a simple answer; there will be many variables (e.g., business needs, current solutions, current IT staffing, regulatory requirements, etc.) within your organization that make it difficult for an MSSP to provide a canned response. They will need to respond to your lab’s needs, which may be different from another lab's.<ref name="DosalIsMan19">{{cite web \|url=https://www.compuquip.com/blog/is-managed-security-worth-the-cost \|title=Is Managed Security Worth the Cost? \|author=Dosal, E. \|work=Compuquip Blog \|date=02 May 2019 \|accessdate=28 July 2023}}</ref> Additionally, costs associated with MSS can vary, not only from provider to provider but also based upon each provider's pricing model. Will they charge your lab based upon number of users, number of devices, or some other mechanism? Does the MSSP provide a flat rate for protecting your cloud resources, or do they offer different tiers or bundles of services? And will the MSSP providing cloud-based MMS also manage your non-cloud resources? A "per user" or "per device" approach to pricing may make sense for small labs, but larger organizations may balk at such inflated costs, preferring a flat rate or tiered package of services. Those tiered services may be based on either a user number range or based on a set of offered services.<ref name="RSIHowMuch20" />

		Ultimately, before approaching an MSSP, your lab will have needed to go through multiple steps internally, stating IT goals, identifying technology and education gaps, and determining a budget to support those goals and gaps. If your lab doesn't have a clear picture of what it has, where it wants to be, and what it will need to get there, it will make selection process even more difficult. As such, your lab may want to consider the request for information (RFI) process as part of your selection process.

		====5.3.1 Using a request for information (RFI) process====
		In some cases—particularly if your organization is of significant size—it may make sense to issue a formal RFI or request for proposal (RFP) and have major cloud MSSPs approach your lab with how they can meet its needs. The RFI and RFP are traditional means towards soliciting bidding interest in an organization's project, typically containing the organization's specific requirements and vital questions that the bidder should be able to effectively answer. However, even if your organization chooses to do most of the investigative work of researching and approaching cloud MSSPs, turning to a key set of questions typically found in an RFI is extremely valuable for "fact finding."

		An RFI is an ideal means for learning more about a potential solution and how it can solve your problems, or for when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<ref name="HolmesItsAMatch">{{cite web \|url=https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/ \|title=It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner \|author=Holmes, T. \|work=AllCloud Blog \|accessdate=28 July 2023}}</ref> Remember, however, that an RFI is not meant to answer all of your questions. The RFI is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Once the pool of potential MSSPs is narrowed down, more pointed questions can be asked to ensure those providers meet your needs.

		Be cognizant, however, that just like CSPs, there may be no MSSP that can meet each and every need of your lab. Your lab will have to make important decisions about which requirements are non-negotiable and which are more flexible. The MSSPs you engage with may be able to provide realistic advice in this regard, based upon your lab's requirements and their past experience with labs. As such, those MSSPs with real-world experience protecting the information systems of laboratories may have a strong leg up on other MSSPs, as they can make informed comments about your lab’s requirements based on their past experiences.

		For your convenience, Appendix 3 of this guide includes a comprehensive list of RFI questions to ask of MSSPs, as well as cloud providers. If you have zero experience developing an RFI, you may want to first seek out various example RFIs on the internet, as well as some basic advice articles on the topic. Some websites may provide templates to examine for further details. However, the templates in Appendix 3 attempt to provide basic background about the RFI process as well. This includes addressing important questions related to your business so providers responding to your RFI better understand your lab's goals and requirements.

		Now that we've addressed MSSPs, it's time to move on and take a look at the considerations required when choosing and implementing a cloud solution. The next chapter will look at the various characteristics of an average cloud provider, what you should look for in a cloud provider, the questions your organization should ask of itself, and the questions your organization should be asking cloud providers.

Shawndouglas: Blanked the page

2022-05-05T21:28:25Z

Blanked the page

← Older revision		Revision as of 21:28, 5 May 2022
Line 1:		Line 1:

	[[File:Requirements Allocation Sheet.jpg\|600px\|right]]The LIMSpec covered [[laboratory informatics]] requirements organized into five broad categories, which are heavily influenced by the functional requirements checklist and Figure 3 of [[ASTM E1578\|ASTM E1578-18]] ''Standard Guide for Laboratory Informatics''. However, the requirements listed prior are all based on not just the ASTM E1578 standard but also a wide variety of other standards, regulations, guidance documents, and standardized procedures (hereon out referred to as "sources"). That ultimately means a foundational reasoning is provided for each requirement, not necessarily a "just because I want it" reasoning. As foundational requirements, this LIMSpec should thus operate as an excellent starting point for building your own software requirements specification or for researching the best laboratory informatics solution for your [[laboratory]].

	~~===Software developer considerations===~~
	What does that mean for you? How can you best use this document? If you're a software developer for the laboratory industry, many of the sources referenced in these requirements should already be familiar to you. However, some of them may not be, and you'll probably want to at least familiarize yourself with them. Additionally, if you're developing a generic [[laboratory information management system]] (LIMS) or some other informatics solution, not tailored to a particular industry, most everything in chapters two, three, five, and six should largely be applicable to what you're doing with your commercial off-the-shelf (COTS) software solution. Definitely review the requirements items listed there and make sure the most important ones are part of your own software requirements specification. If the software solution you're developing is tailored to a particular industry (e.g., clinical or public health, pharmaceutical development, or heavy metals testing), you'll also want to examine chapter four. If you don't see many requirements for your industry listed (see the "Caveats" section later), you'll probably have additional research to conduct to see what additional sources will affect how you develop the functional and, particularly, non-functional requirements.

	~~===Buyer considerations===~~
	If you're a potential buyer of a laboratory informatics solution, this LIMSpec is also useful to you. Perhaps you know a bit about your laboratory's workflow and a few of the regulations and standards that influence how that workflow is conducted, but you're not entirely informed. Reviewing the five broad categories of requirements may be necessary to help further inform you regarding what's vital in regards to what a laboratory informatics solution should be capable of. Additionally, you can then use these requirements as a base for your laboratory's own requirements list. Using the categories and their subdivisions, you can then add those requirements that are unique to your laboratory and industry that are not sufficiently covered by the LIMSpec requirements. As you review the various options available to you and narrow down your search, your own list of requirements can be used as both as a personal checklist and as a requirements list you hand over to the vendor you query.

	~~====Software vendor selection====~~
	That said, the requirements you hand off to the vendor should be discussed a bit more. Software vendor selection can at times be a tedious yet necessary process, one which requires careful planning and best practices. This topic has been written about by both software developers and end users alike, and their experiences should play a role in how you select a vendor. What follows is bullet-pointed advice as offered by some of those developers and end users.<ref name="PearceSoftware16">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-defining-your-requirements \|title=Software Vendor Selection: How to Define Your Requirements \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=21 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-2">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-finding-the-right-vendor \|title=Software Vendor Selection: Finding the Right Vendor \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=23 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-3">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-conducting-demonstrations \|title=Software Vendor Selection: The Pitfalls and Successes of Vendor Demos \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=28 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-4">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-requesting-proposals-quotes \|title=Software Vendor Selection: Requesting Proposals & Quotes \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=05 July 2016 \|accessdate=27 April 2022}}</ref><ref name="PersaudBusiness16">{{cite web \|url=https://www.selecthub.com/miscellaneous/technology-selection/business-requirements-gathering-enterprise-software-selection/ \|title=Business Requirements Gathering for Enterprise Software Selection \|author=Persaud, D. \|work=SelectHub Blog \|publisher=Abuyo, Inc \|date=04 February 2016 \|accessdate=27 April 2022}}</ref><ref name="LichtenbergerSix12">{{cite web \|url=https://blog.itil.org/2012/07/six-steps-for-a-successful-vendor-selection/ \|title=Six Steps for a Successful Vendor Selection \|author=Lichtenberger, A. \|work=ITIL.org \|date=23 July 2012 \|accessdate=27 April 2022}}</ref><ref name="PoonInsider15">{{cite web \|url=https://www.genologics.com/blog/insiders-guide-to-lims-selection/ \|title=Insider’s Guide to LIMS Selection \|author=Poon, L. \|work=Genologics Blog \|publisher=GenoLogics Life Sciences Software Inc \|date=29 May 2015 \|accessdate=20 September 2019}}{{Dead link\|date=April 2022}}</ref><ref name="BenchlingHowTo">{{cite web \|url=https://benchling.com/static/docs/resources/eln-for-biology-rnd.pdf \|title=How to Select an ELN for Biology R&D \|publisher=Benchling, Inc \|accessdate=27 April 2022}}</ref>

	* Have a clear business case and build your business needs into your laboratory's requirements.
	* Be mindful of how detailed you get with your own business-based requirements and what you initially hand off to a vendor. If you're too specific with too many requirements, you may have trouble finding a vendor that matches up. Start with the essentials that involve your laboratory's processes, regulations, integrations, reporting, service needs, etc. As this LIMSpec is foundation-based, you have a good starting point in that regard. You can always get more detailed with requirements as you narrow down vendors.
	* As discussed briefly in the introduction, you'll need to prioritize your needs somewhere between "critical" and "nice to have." The LIMSpec's requirements are largely critical for most purposes and can be marked as such. The requirements you add will have to be prioritized more carefully.
	* You'll also want to perform some informal third-party information gathering about the vendors. Are reviews of the vendors trustworthy? Have peers had any interactions and success with the vendor? Does the vendor have the ability to scale to meet your needs?
	* Schedule demonstrations of programs that seem like strong initial candidates. Make sure there is a question and answer session afterwards, and perform a post-demo evaluation.
	* A formal request for proposal (RFP) may or may not be necessary, depending on the level of information you acquire prior. However, formally requesting pricing and clarification of maintenance and additional service costs is useful. Just don't let price be the only thing that guides you.
	* Consider some of the intangibles. Does the vendor genuinely seem interested in your business and its needs? Do they communicate well and promptly? Do they seem flexible and able to accommodate a few special case requirements?
	* Be sure to consider future needs as you anticipate potential laboratory expansion.
	* Don't be afraid to choose a consultant to help you with the vendor selection process.

	~~===Caveats===~~
	First, note that this LIMSpec is still an evolving entity. Standards change. Regulations change. Procedures also change with such standards and regulations. That means that as those foundational characteristics shift, this set of requirements will have to also evolve. As such, do your homework and don't take everything you see here as fixed law. If you're responsible for investigating and/or purchasing a laboratory informatics system, be sure you have at least some familiarity with the primary industry your laboratory serves, and by extension the regulations and standards that affect it.

	Second, the number of industry-specific applications of laboratory informatics software continues to grow, and with it also the regulations and standards that affect those specialty laboratories. As such, some industry-specific requirements may have been missed for lack of or too expensive public-facing sources. As mentioned with the first caveat, this version of LIMSpec is evolving, and as industry experts and researchers are able to provide additional feedback on this document, it will surely grow with more relevant sources. In other words, don't consider this complete, particularly if you're in a specialized laboratory industry. You may have to add more items based on you industry knowledge and insights.

Shawndouglas at 21:05, 5 May 2022

2022-05-05T21:05:41Z

← Older revision		Revision as of 21:05, 5 May 2022
Line 3:		Line 3:

	===Software developer considerations===		===Software developer considerations===
	What does that mean for you? How can you best use this document? If you're a software developer for the laboratory industry, many of the sources referenced in these requirements should already be familiar to you. However, some of them may not be, and you'll probably want to at least familiarize yourself with them. Additionally, if you're ~~making~~ a generic [[laboratory information management system]] (LIMS) or some other informatics solution, not tailored to a particular industry, most everything in chapters two, three, five, and six should largely be applicable to what you're doing with your commercial off-the-shelf (COTS) software solution. Definitely review the requirements items listed there and make sure the most important ones are part of your own software requirements specification. If the software solution you're developing ~~hits~~ a particular industry (e.g., clinical ~~diagnostics~~, pharmaceutical development, or heavy metals testing), you'll also want to examine chapter four. If you don't see many requirements for your industry listed (see the "Caveats" section later), you'll probably have additional research to conduct to see what additional sources will affect how you develop the functional and, particularly, non-functional requirements.		What does that mean for you? How can you best use this document? If you're a software developer for the laboratory industry, many of the sources referenced in these requirements should already be familiar to you. However, some of them may not be, and you'll probably want to at least familiarize yourself with them. Additionally, if you're developing a generic [[laboratory information management system]] (LIMS) or some other informatics solution, not tailored to a particular industry, most everything in chapters two, three, five, and six should largely be applicable to what you're doing with your commercial off-the-shelf (COTS) software solution. Definitely review the requirements items listed there and make sure the most important ones are part of your own software requirements specification. If the software solution you're developing is tailored to a particular industry (e.g., clinical or public health, pharmaceutical development, or heavy metals testing), you'll also want to examine chapter four. If you don't see many requirements for your industry listed (see the "Caveats" section later), you'll probably have additional research to conduct to see what additional sources will affect how you develop the functional and, particularly, non-functional requirements.

	===Buyer considerations===		===Buyer considerations===
Line 24:		Line 24:
	First, note that this LIMSpec is still an evolving entity. Standards change. Regulations change. Procedures also change with such standards and regulations. That means that as those foundational characteristics shift, this set of requirements will have to also evolve. As such, do your homework and don't take everything you see here as fixed law. If you're responsible for investigating and/or purchasing a laboratory informatics system, be sure you have at least some familiarity with the primary industry your laboratory serves, and by extension the regulations and standards that affect it.		First, note that this LIMSpec is still an evolving entity. Standards change. Regulations change. Procedures also change with such standards and regulations. That means that as those foundational characteristics shift, this set of requirements will have to also evolve. As such, do your homework and don't take everything you see here as fixed law. If you're responsible for investigating and/or purchasing a laboratory informatics system, be sure you have at least some familiarity with the primary industry your laboratory serves, and by extension the regulations and standards that affect it.

	Second, the number of industry-specific applications of laboratory informatics software continues to grow, and with it also the regulations and standards that affect those specialty laboratories. As such, some industry-specific requirements may have been missed for lack of public-facing sources. As mentioned with the first caveat, this version of LIMSpec is evolving, and as industry experts and researchers are able to provide additional feedback on this document, it will surely grow with more relevant sources. In other words, don't consider this complete, particularly if you're in a specialized laboratory industry. You may have to add more items based on you industry knowledge and insights.		Second, the number of industry-specific applications of laboratory informatics software continues to grow, and with it also the regulations and standards that affect those specialty laboratories. As such, some industry-specific requirements may have been missed for lack of or too expensive public-facing sources. As mentioned with the first caveat, this version of LIMSpec is evolving, and as industry experts and researchers are able to provide additional feedback on this document, it will surely grow with more relevant sources. In other words, don't consider this complete, particularly if you're in a specialized laboratory industry. You may have to add more items based on you industry knowledge and insights.

Shawndouglas at 20:47, 27 April 2022

2022-04-27T20:47:20Z

← Older revision	Revision as of 20:47, 27 April 2022
Line 1:	Line 1:

		[[File:Requirements Allocation Sheet.jpg\|600px\|right]]The LIMSpec covered [[laboratory informatics]] requirements organized into five broad categories, which are heavily influenced by the functional requirements checklist and Figure 3 of [[ASTM E1578\|ASTM E1578-18]] ''Standard Guide for Laboratory Informatics''. However, the requirements listed prior are all based on not just the ASTM E1578 standard but also a wide variety of other standards, regulations, guidance documents, and standardized procedures (hereon out referred to as "sources"). That ultimately means a foundational reasoning is provided for each requirement, not necessarily a "just because I want it" reasoning. As foundational requirements, this LIMSpec should thus operate as an excellent starting point for building your own software requirements specification or for researching the best laboratory informatics solution for your [[laboratory]].

		===Software developer considerations===
		What does that mean for you? How can you best use this document? If you're a software developer for the laboratory industry, many of the sources referenced in these requirements should already be familiar to you. However, some of them may not be, and you'll probably want to at least familiarize yourself with them. Additionally, if you're making a generic [[laboratory information management system]] (LIMS) or some other informatics solution, not tailored to a particular industry, most everything in chapters two, three, five, and six should largely be applicable to what you're doing with your commercial off-the-shelf (COTS) software solution. Definitely review the requirements items listed there and make sure the most important ones are part of your own software requirements specification. If the software solution you're developing hits a particular industry (e.g., clinical diagnostics, pharmaceutical development, or heavy metals testing), you'll also want to examine chapter four. If you don't see many requirements for your industry listed (see the "Caveats" section later), you'll probably have additional research to conduct to see what additional sources will affect how you develop the functional and, particularly, non-functional requirements.

		===Buyer considerations===
		If you're a potential buyer of a laboratory informatics solution, this LIMSpec is also useful to you. Perhaps you know a bit about your laboratory's workflow and a few of the regulations and standards that influence how that workflow is conducted, but you're not entirely informed. Reviewing the five broad categories of requirements may be necessary to help further inform you regarding what's vital in regards to what a laboratory informatics solution should be capable of. Additionally, you can then use these requirements as a base for your laboratory's own requirements list. Using the categories and their subdivisions, you can then add those requirements that are unique to your laboratory and industry that are not sufficiently covered by the LIMSpec requirements. As you review the various options available to you and narrow down your search, your own list of requirements can be used as both as a personal checklist and as a requirements list you hand over to the vendor you query.

		====Software vendor selection====
		That said, the requirements you hand off to the vendor should be discussed a bit more. Software vendor selection can at times be a tedious yet necessary process, one which requires careful planning and best practices. This topic has been written about by both software developers and end users alike, and their experiences should play a role in how you select a vendor. What follows is bullet-pointed advice as offered by some of those developers and end users.<ref name="PearceSoftware16">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-defining-your-requirements \|title=Software Vendor Selection: How to Define Your Requirements \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=21 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-2">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-finding-the-right-vendor \|title=Software Vendor Selection: Finding the Right Vendor \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=23 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-3">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-conducting-demonstrations \|title=Software Vendor Selection: The Pitfalls and Successes of Vendor Demos \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=28 June 2016 \|accessdate=27 April 2022}}</ref><ref name="PearceSoftware16-4">{{cite web \|url=https://blog.montrium.com/blog/software-vendor-selection-requesting-proposals-quotes \|title=Software Vendor Selection: Requesting Proposals & Quotes \|work=Montrium Blog \|author=Pearce, O. \|publisher=Montrium, Inc \|date=05 July 2016 \|accessdate=27 April 2022}}</ref><ref name="PersaudBusiness16">{{cite web \|url=https://www.selecthub.com/miscellaneous/technology-selection/business-requirements-gathering-enterprise-software-selection/ \|title=Business Requirements Gathering for Enterprise Software Selection \|author=Persaud, D. \|work=SelectHub Blog \|publisher=Abuyo, Inc \|date=04 February 2016 \|accessdate=27 April 2022}}</ref><ref name="LichtenbergerSix12">{{cite web \|url=https://blog.itil.org/2012/07/six-steps-for-a-successful-vendor-selection/ \|title=Six Steps for a Successful Vendor Selection \|author=Lichtenberger, A. \|work=ITIL.org \|date=23 July 2012 \|accessdate=27 April 2022}}</ref><ref name="PoonInsider15">{{cite web \|url=https://www.genologics.com/blog/insiders-guide-to-lims-selection/ \|title=Insider’s Guide to LIMS Selection \|author=Poon, L. \|work=Genologics Blog \|publisher=GenoLogics Life Sciences Software Inc \|date=29 May 2015 \|accessdate=20 September 2019}}{{Dead link\|date=April 2022}}</ref><ref name="BenchlingHowTo">{{cite web \|url=https://benchling.com/static/docs/resources/eln-for-biology-rnd.pdf \|title=How to Select an ELN for Biology R&D \|publisher=Benchling, Inc \|accessdate=27 April 2022}}</ref>

		* Have a clear business case and build your business needs into your laboratory's requirements.
		* Be mindful of how detailed you get with your own business-based requirements and what you initially hand off to a vendor. If you're too specific with too many requirements, you may have trouble finding a vendor that matches up. Start with the essentials that involve your laboratory's processes, regulations, integrations, reporting, service needs, etc. As this LIMSpec is foundation-based, you have a good starting point in that regard. You can always get more detailed with requirements as you narrow down vendors.
		* As discussed briefly in the introduction, you'll need to prioritize your needs somewhere between "critical" and "nice to have." The LIMSpec's requirements are largely critical for most purposes and can be marked as such. The requirements you add will have to be prioritized more carefully.
		* You'll also want to perform some informal third-party information gathering about the vendors. Are reviews of the vendors trustworthy? Have peers had any interactions and success with the vendor? Does the vendor have the ability to scale to meet your needs?
		* Schedule demonstrations of programs that seem like strong initial candidates. Make sure there is a question and answer session afterwards, and perform a post-demo evaluation.
		* A formal request for proposal (RFP) may or may not be necessary, depending on the level of information you acquire prior. However, formally requesting pricing and clarification of maintenance and additional service costs is useful. Just don't let price be the only thing that guides you.
		* Consider some of the intangibles. Does the vendor genuinely seem interested in your business and its needs? Do they communicate well and promptly? Do they seem flexible and able to accommodate a few special case requirements?
		* Be sure to consider future needs as you anticipate potential laboratory expansion.
		* Don't be afraid to choose a consultant to help you with the vendor selection process.

		===Caveats===
		First, note that this LIMSpec is still an evolving entity. Standards change. Regulations change. Procedures also change with such standards and regulations. That means that as those foundational characteristics shift, this set of requirements will have to also evolve. As such, do your homework and don't take everything you see here as fixed law. If you're responsible for investigating and/or purchasing a laboratory informatics system, be sure you have at least some familiarity with the primary industry your laboratory serves, and by extension the regulations and standards that affect it.

		Second, the number of industry-specific applications of laboratory informatics software continues to grow, and with it also the regulations and standards that affect those specialty laboratories. As such, some industry-specific requirements may have been missed for lack of public-facing sources. As mentioned with the first caveat, this version of LIMSpec is evolving, and as industry experts and researchers are able to provide additional feedback on this document, it will surely grow with more relevant sources. In other words, don't consider this complete, particularly if you're in a specialized laboratory industry. You may have to add more items based on you industry knowledge and insights.

Shawndouglas: Blanked the page

2021-09-06T13:11:14Z

Blanked the page

← Older revision		Revision as of 13:11, 6 September 2021
Line 1:		Line 1:
	~~==3. Fitting a cybersecurity standards framework into a cybersecurity plan==~~
	[[File:Cybersecurity training (37345726182).jpg\|right\|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.

	The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web \|url=https://csrc.nist.gov/glossary/term/security_control \|title=security control \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=2019 \|accessdate=23 July 2020}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

	Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:

	<blockquote>Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.</blockquote>

	This wording essentially indicates that when you make your plan, there should be a high-level connection between what the organization needs to implement in regards to cybersecurity and how to go about doing it using best practices (e.g., using framework controls and guidance). It also means that, if developed, implemented, and maintained correctly, the plan should empower the organization to have an information system that is clearly compliant with the intent and purpose of the organization's goals, operations, and risk determinations. In other words, the organization first needs a clear picture of what it wants to achieve and the risks associated with operating an information system to meet those goals before it can develop its cybersecurity plan; afterwards, cybersecurity standards frameworks and controls can assist with plan development.

	<blockquote>Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.</blockquote>

	The rest of NIST's wording indicates that a plan isn't necessarily a single, comprehensive document that attacks everything. Rather, it will make reference to other important policies and procedures that will further drive the overall success of your cybersecurity plan. You may even choose to have a separate document dedicated to the security controls you select for your organization. (Note that in the actual plan development section of this guide, recommendations for creating the additional "policies, procedures, and additional documents" you'll need will be given. Despite those recommendations, NIST's guidance still holds true: your actual plan document should make reference to them and provide sufficient description of what those external plans intend to accomplish within the scope of the cybersecurity plan. In the end, though, this decision to have one lengthy document or branched documents linked to the overall plan is a matter of organizational choice.)

	The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.

	Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web \|url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ \|title=Understanding and Implementing the NIST Cybersecurity Framework \|author=Nili, T. \|work=Harvard Law School Forum on Corporate Governance and Financial Regulation \|publisher=Harvard \|date=25 August 2014 \|accessdate=23 July 2020}}</ref><ref name="NISTAnIntro19">{{cite web \|url=https://www.nist.gov/cyberframework/online-learning/components-framework \|title=An Introduction to the Components of the Framework \|publisher=National Institute of Standards and Technology \|date=08 October 2019 \|accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=23 July 2020}}</ref><ref name="CorneliusUnder18">{{cite web \|url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ \|title=Understanding Cybersecurity & Privacy Best Practices \|author=Cornelius, T. \|work=LinkedIn Pulse \|date=31 July 2018 \|accessdate=23 July 2020}}</ref>:

	* After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.
	* Map cybersecurity requirements, organizational objectives, and planned process and procedure to security controls, and then compare the results to your current operating state to understand what gaps exist, if any.
	* Don't be afraid to customize controls and other framework elements in order for your organization to get the maximum benefit out of them. Do keep relevant regulations affecting your organization in mind, however, when customizing.
	* Think of the framework as the defining sauce or crust base of a pizza: it allows you to bake security and privacy principles into your overall cybersecurity strategy, with an end result of being more naturally prepared to address regulatory and contractual obligations.
	* Don't forget to look for additional implementation resources created by the developer of the framework, e.g., from [https://www.isa.org/technical-topics/cybersecurity/cybersecurity-resources/ ISA], [https://www.sans.org/critical-security-controls/ SANS], and [https://www.cisecurity.org/controls/cis-controls-list/ CIS].
	* If expertise isn't available in-house, you may want to turn to a cybersecurity services provider to assist with integrating a framework into your plan.

	~~==References==~~
	~~{{Reflist\|colwidth=30em}}~~

Shawndouglas: Updated citations

2020-07-23T16:45:12Z

Updated citations

← Older revision		Revision as of 16:45, 23 July 2020
Line 2:		Line 2:
	[[File:Cybersecurity training (37345726182).jpg\|right\|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.		[[File:Cybersecurity training (37345726182).jpg\|right\|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.

	The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web \|url=https://csrc.nist.gov/glossary/term/~~security-control~~ \|title=security control \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=2019 \|accessdate=~~19 December 2019~~}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.		The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web \|url=https://csrc.nist.gov/glossary/term/security_control \|title=security control \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=2019 \|accessdate=23 July 2020}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

	Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:		Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:
Line 16:		Line 16:
	The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.		The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.

	Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web \|url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ \|title=Understanding and Implementing the NIST Cybersecurity Framework \|author=Nili, T. \|work=Harvard Law School Forum on Corporate Governance and Financial Regulation \|publisher=Harvard \|date=25 August 2014 \|accessdate=~~19 December 2019~~}}</ref><ref name="NISTAnIntro19">{{cite web \|url=https://www.nist.gov/cyberframework/online-learning/components-framework \|title=An Introduction to the Components of the Framework \|publisher=National Institute of Standards and Technology \|date=08 October 2019 \|accessdate=~~19 December 2019~~}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=~~19 December 2019~~}}</ref><ref name="CorneliusUnder18">{{cite web \|url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ \|title=Understanding Cybersecurity & Privacy Best Practices \|author=Cornelius, T. \|work=LinkedIn Pulse \|date=31 July 2018 \|accessdate=~~19 December 2019~~}}</ref>:		Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web \|url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ \|title=Understanding and Implementing the NIST Cybersecurity Framework \|author=Nili, T. \|work=Harvard Law School Forum on Corporate Governance and Financial Regulation \|publisher=Harvard \|date=25 August 2014 \|accessdate=23 July 2020}}</ref><ref name="NISTAnIntro19">{{cite web \|url=https://www.nist.gov/cyberframework/online-learning/components-framework \|title=An Introduction to the Components of the Framework \|publisher=National Institute of Standards and Technology \|date=08 October 2019 \|accessdate=23 July 2020}}</ref><ref name="MorganHowToUse18">{{cite web \|url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework \|title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett \|author=Morgan, J. \|work=Security \|publisher=BNP Media \|date=04 April 2018 \|accessdate=23 July 2020}}</ref><ref name="CorneliusUnder18">{{cite web \|url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ \|title=Understanding Cybersecurity & Privacy Best Practices \|author=Cornelius, T. \|work=LinkedIn Pulse \|date=31 July 2018 \|accessdate=23 July 2020}}</ref>:

	* After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.		* After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.

Shawndouglas: Grammar tweaks

2020-05-28T17:09:45Z

Grammar tweaks

← Older revision		Revision as of 17:09, 28 May 2020
Line 2:		Line 2:
	[[File:Cybersecurity training (37345726182).jpg\|right\|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.		[[File:Cybersecurity training (37345726182).jpg\|right\|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.

	The National Institute of Standards and Technology's (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web \|url=https://csrc.nist.gov/glossary/term/security-control \|title=security control \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=2019 \|accessdate=19 December 2019}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.		The National Institute of Standards and Technology (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web \|url=https://csrc.nist.gov/glossary/term/security-control \|title=security control \|work=Computer Security Resource Center \|publisher=National Institute of Standards and Technology \|date=2019 \|accessdate=19 December 2019}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

	Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:		Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:

Shawndouglas: Created page with "==3. Fitting a cybersecurity standards framework into a cybersecurity plan== 450pxIn the introductory section, a cybers..."

2019-12-20T18:40:07Z

Created page with "==3. Fitting a cybersecurity standards framework into a cybersecurity plan== right|450pxIn the introductory section, a cybers..."

New page

==3. Fitting a cybersecurity standards framework into a cybersecurity plan==
[[File:Cybersecurity training (37345726182).jpg|right|450px]]In the introductory section, a cybersecurity plan was defined as a developed, distributed, reviewed, updated, and protected collection of policy and other types of components that shapes how an organization protects against and responds to cybersecurity threats. One of the more significant activities of plan development includes applying the security controls, program development, and risk management aspects of one or more cybersecurity standards frameworks for the identification of, protection from, detection of, response to, and recovery from cybersecurity threats and incidents.

The National Institute of Standards and Technology's (NIST) defines a security control as "a safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements."<ref name="NISTSecurity19">{{cite web |url=https://csrc.nist.gov/glossary/term/security-control |title=security control |work=Computer Security Resource Center |publisher=National Institute of Standards and Technology |date=2019 |accessdate=19 December 2019}}</ref> Many, but not all, cybersecurity frameworks include a catalog of such controls, which give the implementing organization a concrete set of configurable goals to apply to their overall cybersecurity strategy. However, as mentioned in the previous section, some frameworks exist to provide a more program-based or risk-based approach to plan development. Choosing the best frameworks will likely depend on multiple factors, including the organization's industry type, the amount of technical expertise within the organization, the budget, the organizational goals, the amount of buy-in from key organizational stakeholders, and those stakeholders' preferred approach.

Let's take a look at one NIST control in particular, from their SP 800-53 framework, which will be discussed further in the next section. Their "PL-2 System security plan" control recommends the organization develop, distribute, review, update, and protect a cybersecurity plan for its information system. Its supplemental guidance reads as follows:

<blockquote>Security plans relate security requirements to a set of security controls and control enhancements. Security plans also describe, at a high level, how the security controls and control enhancements meet those security requirements, but do not provide detailed, technical descriptions of the specific design or implementation of the controls/enhancements. Security plans contain sufficient information (including the specification of parameter values for assignment and selection statements either explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented as intended.</blockquote>

This wording essentially indicates that when you make your plan, there should be a high-level connection between what the organization needs to implement in regards to cybersecurity and how to go about doing it using best practices (e.g., using framework controls and guidance). It also means that, if developed, implemented, and maintained correctly, the plan should empower the organization to have an information system that is clearly compliant with the intent and purpose of the organization's goals, operations, and risk determinations. In other words, the organization first needs a clear picture of what it wants to achieve and the risks associated with operating an information system to meet those goals before it can develop its cybersecurity plan; afterwards, cybersecurity standards frameworks and controls can assist with plan development.

<blockquote>Security plans need not be single documents; the plans can be a collection of various documents including documents that already exist. Effective security plans make extensive use of references to policies, procedures, and additional documents (e.g., design and implementation specifications) where more detailed information can be obtained. This reduces the documentation requirements associated with security programs and maintains security-related information in other established management/operational areas related to enterprise architecture, system development life cycle, systems engineering, and acquisition. For example, security plans do not contain detailed contingency plan or incident response plan information but instead provide explicitly or by reference, sufficient information to define what needs to be accomplished by those plans.</blockquote>

The rest of NIST's wording indicates that a plan isn't necessarily a single, comprehensive document that attacks everything. Rather, it will make reference to other important policies and procedures that will further drive the overall success of your cybersecurity plan. You may even choose to have a separate document dedicated to the security controls you select for your organization. (Note that in the actual plan development section of this guide, recommendations for creating the additional "policies, procedures, and additional documents" you'll need will be given. Despite those recommendations, NIST's guidance still holds true: your actual plan document should make reference to them and provide sufficient description of what those external plans intend to accomplish within the scope of the cybersecurity plan. In the end, though, this decision to have one lengthy document or branched documents linked to the overall plan is a matter of organizational choice.)

The takeaway from this analysis of NIST's language is that the while any standards framework you use can guide the development of a cybersecurity plan, it can't be done in a vacuum that doesn't take into account organizational goals, system and data aspects, and risk assessments. Additionally, while driven by the framework, the cybersecurity plan also doesn't need to contain every detail recommended by the framework; sometimes it's easier to have policy external to but referenced within the plan.

Some additional considerations and tips concerning the blending of a cybersecurity standards framework with your organization's cybersecurity plan include<ref name="NiliUnderstand14">{{cite web |url=https://corpgov.law.harvard.edu/2014/08/25/understanding-and-implementing-the-nist-cybersecurity-framework/ |title=Understanding and Implementing the NIST Cybersecurity Framework |author=Nili, T. |work=Harvard Law School Forum on Corporate Governance and Financial Regulation |publisher=Harvard |date=25 August 2014 |accessdate=19 December 2019}}</ref><ref name="NISTAnIntro19">{{cite web |url=https://www.nist.gov/cyberframework/online-learning/components-framework |title=An Introduction to the Components of the Framework |publisher=National Institute of Standards and Technology |date=08 October 2019 |accessdate=19 December 2019}}</ref><ref name="MorganHowToUse18">{{cite web |url=https://www.securitymagazine.com/blogs/14-security-blog/post/88890-how-to-use-the-nist-cybersecurity-framework |title=How to Use the NIST Cybersecurity Framework: A Conversation with NIST’s Matthew Barrett |author=Morgan, J. |work=Security |publisher=BNP Media |date=04 April 2018 |accessdate=19 December 2019}}</ref><ref name="CorneliusUnder18">{{cite web |url=https://www.linkedin.com/pulse/understanding-cybersecurity-privacy-best-practices-tom-cornelius/ |title=Understanding Cybersecurity & Privacy Best Practices |author=Cornelius, T. |work=LinkedIn Pulse |date=31 July 2018 |accessdate=19 December 2019}}</ref>:

* After selecting one or more frameworks, ensure at a minimum that key stakeholders and related personnel are given a chance to become more familiar with the frameworks before continuing with extensive plan development.
* Map cybersecurity requirements, organizational objectives, and planned process and procedure to security controls, and then compare the results to your current operating state to understand what gaps exist, if any.
* Don't be afraid to customize controls and other framework elements in order for your organization to get the maximum benefit out of them. Do keep relevant regulations affecting your organization in mind, however, when customizing.
* Think of the framework as the defining sauce or crust base of a pizza: it allows you to bake security and privacy principles into your overall cybersecurity strategy, with an end result of being more naturally prepared to address regulatory and contractual obligations.
* Don't forget to look for additional implementation resources created by the developer of the framework, e.g., from [https://www.isa.org/technical-topics/cybersecurity/cybersecurity-resources/ ISA], [https://www.sans.org/critical-security-controls/ SANS], and [https://www.cisecurity.org/controls/cis-controls-list/ CIS].
* If expertise isn't available in-house, you may want to turn to a cybersecurity services provider to assist with integrating a framework into your plan.

==References==
{{Reflist|colwidth=30em}}

User:Shawndouglas/sandbox/sublevel26 - Revision history

Shawndouglas: Replaced content with "__TOC__ {{ombox | type = notice | style = width: 960px; | text = This is sublevel26 of my sandbox, where I play with features and..."

Shawndouglas at 23:31, 15 August 2023

Shawndouglas at 22:42, 27 July 2023

Shawndouglas: Blanked the page

Shawndouglas at 21:05, 5 May 2022

Shawndouglas at 20:47, 27 April 2022

Shawndouglas: Blanked the page

Shawndouglas: Updated citations

Shawndouglas: Grammar tweaks

Shawndouglas: Created page with "==3. Fitting a cybersecurity standards framework into a cybersecurity plan== 450pxIn the introductory section, a cybers..."

Shawndouglas: Replaced content with "
TOC
{{ombox | type = notice | style = width: 960px; | text = This is sublevel26 of my sandbox, where I play with features and..."