Difference between revisions of "User:Shawndouglas/sandbox/sublevel3"

From LIMSWiki
Tag: Reverted
 
(117 intermediate revisions by the same user not shown)

Previous revision (wikitext):

{{Saved book
|title=Choosing and Implementing a Cloud-based Service for Your Laboratory
|subtitle=By Shawn E. Douglas
|cover-image=Cloud-computing-1.gif
|cover-color=#ffffff
| setting-papersize = A4
| setting-showtoc = 1
| setting-columns = 1
}}

'''Title''': ''Choosing and Implementing a Cloud-based Service for Your Laboratory''

'''Edition''': First edition

'''Author for citation''': Shawn E. Douglas

'''License for content''': [https://creativecommons.org/licenses/by-sa/4.0/ Creative Commons Attribution-ShareAlike 4.0 International]

'''Publication date''': August 2021

This guide examines the state of [[cloud computing]] and the security mechanisms inherent to it, especially in regards to how it relates to today's [[Laboratory|laboratories]]. While cloud computing and cloud-based applications can enhance the activities of many types of labs, a methodical and meticulous approach to [[cybersecurity]] is required to not only get the most out of a cloud solution but also mitigate future data catastrophes. This means understanding [[risk management]], regulatory considerations, deployment approaches, and the potential value of managed security services in the cloud. Additionally, the essential links between laboratory [[quality assurance]], the shared responsibility model, and cybersecurity in the lab are emphasized. Of course, it's also vital to understand what to look for in cloud providers, as well as how to approach finding them. In that regard, this guide adds value by more closely examining major public/hybrid cloud and managed security service providers (Appendix 1 and 2), as well as providing example request for information (RFI) templates for both provider types (Appendix 3). While this guide can prove useful to even non-laboratory organizations looking to dip into cloud services, it focuses heavily on laboratories implementing and updating information systems in the cloud.

(NOTE: The PDF output of this guide fails to properly list the references. To see the original document, with references, see [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory|here]].)

;About this book
:[[Book:Choosing and Implementing a Cloud-based Service for Your Laboratory/Introduction|Introduction]]

1. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/What is cloud computing?|What is cloud computing?]]
:1.1 History and evolution
:1.2 Cloud computing services and deployment models
::1.2.1 Platform-as-a-service vs. serverless computing
::1.2.2 Hybrid cloud vs. multicloud vs. distributed cloud
:1.3 The relationship between cloud computing and the open source paradigm

2. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Standards and security in the cloud|Standards and security in the cloud]]
:2.1 Standards and regulations influencing cloud computing
:2.2 Security in the cloud
::2.2.1 The shared responsibility model
::2.2.2 Public cloud
::2.2.3 Hybrid cloud and multicloud
::2.2.4 Container security and other concerns
::2.2.5 Software as a service

3. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Organizational cloud computing risk management|Organizational cloud computing risk management]]
:3.1 Five risk categories to consider
:3.2 Risk management and cybersecurity frameworks
:3.3 A brief note on cloud-inclusive cybersecurity insurance

4. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Cloud computing in the laboratory|Cloud computing in the laboratory]]
:4.1 Benefits
:4.2 Regulatory considerations
:4.3 Deployment approaches
::4.3.1 Hybrid cloud, multicloud, and the vendor lock-in conundrum

5. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Managed security services and quality assurance|Managed security services and quality assurance]]
:5.1 The provision of managed security services
::5.1.1 Managed security services in the cloud
:5.2 Managed security services and the laboratory
::5.2.1 The quality assurance officer
::5.2.2 The shared responsibility model in the scope of security management and quality assurance
:5.3 Choosing a provider for managed security services
::5.3.1 Using a request for information (RFI) process

6. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Considerations when choosing and implementing a cloud solution|Considerations when choosing and implementing a cloud solution]]
:6.1 What are the various characteristics of an average cloud provider?
:6.2 What should your lab look for in a cloud provider?
::6.2.1 Service-level agreements
:6.3 What questions should you ask yourself?
:6.4 What questions should be asked of a cloud provider?
::6.4.1 Using a request for information (RFI) process

7. [[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/Final thoughts and additional resources|Final thoughts and additional resources]]
:7.1 Final thoughts
:7.2 Key reading and reference material
:7.3 Associations, organizations, and interest groups
:7.4 Consultancy and support services

;Appendix 1. Top public and hybrid/multicloud services
:[[Alibaba Cloud]]
:[[Amazon Web Services]]
:[[Cisco Cloudcenter and UCS Director]]
:[[Dell Technologies Cloud]]
:[[DigitalOcean]]
:[[Google Cloud]]
:[[HPE GreenLake]]
:[[IBM Cloud]]
:[[Linode]]
:[[Microsoft Azure]]
:[[Oracle Cloud Infrastructure]]
:[[OVHcloud]]
:[[Tencent Cloud]]
:[[VMware Cloud]]
;Appendix 2. Top managed security services
:[[Accenture Security Managed Security]]
:[[AT&T Cybersecurity]]
:[[Atos Managed Security Services]]
:[[BT Cyber Security Platform]]
:[[Cisco Cloudcenter and UCS Director|Cisco Active Threat Analytics]]
:[[Foresite Managed Cybersecurity]]
:[[Herjavec Group Managed Security Services]]
:[[IBM Cloud|IBM Managed Security Services]]
:[[NTT Managed Security Services]]
:[[Orange Cyberdefense]]
:[[Secureworks Managed Security Services]]
:[[Trustwave Managed Security Services]]
:[[Verizon Managed Security Services]]
:[[Wipro Managed Security Services]]
;Appendix 3. RFI questions for cloud providers and MSSPs
:[[Book:Choosing and Implementing a Cloud-based Service for Your Laboratory/RFI questions for cloud providers|RFI questions for cloud providers]]
:[[Book:Choosing and Implementing a Cloud-based Service for Your Laboratory/RFI questions for MSSPs|RFI questions for MSSPs]]

Latest revision (wikitext):

==The laws themselves==

===1. Federal Telecommunications Act of 1996, Section 255 ([https://www.law.cornell.edu/uscode/text/47/255 47 U.S.C. § 255 - Access by persons with disabilities])===

<blockquote>'''(b) Manufacturing'''
A manufacturer of telecommunications equipment or customer premises equipment shall ensure that the equipment is designed, developed, and fabricated to be accessible to and usable by individuals with disabilities, if readily achievable.

'''(c) Telecommunications services'''
A provider of telecommunications service shall ensure that the service is accessible to and usable by individuals with disabilities, if readily achievable.

'''(d) Compatibility'''
Whenever the requirements of subsections (b) and (c) are not readily achievable, such a manufacturer or provider shall ensure that the equipment or service is compatible with existing peripheral devices or specialized customer premises equipment commonly used by individuals with disabilities to achieve access, if readily achievable.</blockquote>

The term '''disability''' is [https://www.law.cornell.edu/uscode/text/42/12102 defined here]. You can read the full entry, but the basics are:

<blockquote>'''(1) Disability''' The term “disability” means, with respect to an individual—
:'''(A)''' a physical or mental impairment that substantially limits one or more major life activities of such individual;
:'''(B)''' a record of such an impairment; or
:'''(C)''' being regarded as having such an impairment (as described in paragraph (3)).</blockquote>

The term '''readily achievable''' is [https://www.law.cornell.edu/uscode/text/42/12181 defined here]. It is defined as:

<blockquote>'''(9) Readily achievable''' The term “readily achievable” means easily accomplishable and able to be carried out without much difficulty or expense. In determining whether an action is readily achievable, factors to be considered include—
:'''(A)''' the nature and cost of the action needed under this chapter;
:'''(B)''' the overall financial resources of the facility or facilities involved in the action; the number of persons employed at such facility; the effect on expenses and resources, or the impact otherwise of such action upon the operation of the facility;
:'''(C)''' the overall financial resources of the covered entity; the overall size of the business of a covered entity with respect to the number of its employees; the number, type, and location of its facilities; and
:'''(D)''' the type of operation or operations of the covered entity, including the composition, structure, and functions of the workforce of such entity; the geographic separateness, administrative or fiscal relationship of the facility or facilities in question to the covered entity.</blockquote>

===2. Rehabilitation Act of 1973, Section 508, amended ([https://www.law.cornell.edu/uscode/text/29/794d 29 U.S.C. 794d] - Electronic and information technology)===

There's a government website dedicated to Section 508: [https://www.section508.gov/ https://www.section508.gov/]. The related laws and policies can be [https://www.section508.gov/manage/laws-and-policies/ found here]. The intro states (italics emphasis mine):

<blockquote>In 1998, Congress amended the Rehabilitation Act of 1973 to require Federal agencies to make their electronic and information technology (EIT) accessible to people with disabilities. The law (29 U.S.C § 794 (d)) ''applies to all Federal agencies when they develop, procure, maintain, or use electronic and information technology''. Under Section 508, agencies must give ''disabled employees and members of the public'' access to information comparable to the access available to others.

The [https://www.access-board.gov/ U.S. Access Board] is responsible for developing Information and Communication Technology (ICT) accessibility ''standards'' to ''incorporate into regulations that govern Federal procurement practices.'' On January 18, 2017, the Access Board issued a final rule that updated accessibility requirements covered by Section 508, and refreshed guidelines for telecommunications equipment subject to Section 255 of the Communications Act. The final rule went into effect on January 18, 2018.

The rule updated and reorganized the Section 508 Standards and Section 255 Guidelines ''in response to market trends and innovations in technology.'' The refresh also harmonized these requirements with other guidelines and standards both in the U.S. and abroad, including standards issued by the European Commission, ''and with the World Wide Web Consortium (W3C) Web Content Accessibility Guidelines (WCAG 2.0), a globally recognized voluntary consensus standard for web content and ICT.''</blockquote>

In discussing ICT, the U.S. Access Board [https://www.access-board.gov/ict/#b-summary-of-key-provisions summarized the key provisions] as such:

<blockquote>The Revised 508 Standards and 255 Guidelines replace the current product-based regulatory approach with an approach based on ICT functions. The revised technical requirements, which are organized along the lines of ICT functionality, provide requirements to ensure that covered hardware, software, electronic content, and support documentation and services are accessible to people with disabilities. In addition, the revised requirements include functional performance criteria, which are outcome-based provisions that apply in two limited instances: when the technical requirements do not address one or more features of ICT or when evaluation of an alternative design or technology is needed under equivalent facilitation.</blockquote>

The full (lengthy) information about the ICT Accessibility 508 Standards and 255 Guidelines is found here: [https://www.access-board.gov/ict/ https://www.access-board.gov/ict/]

The specific software requirements that LabLynx will likely need to consider under Section 508 appear to be found in [https://www.access-board.gov/ict/#chapter-5-software Chapter 5: Software] and [https://www.access-board.gov/ict/#chapter-6-support-documentation-and-services Chapter 6: Support Documentation and Services]. (If for some reason LLX is in the hardware domain, they'll also want to consider [https://www.access-board.gov/ict/#chapter-4-hardware Chapter 4: Hardware].) If you're curious about the underlying standards, you can find them in [https://www.access-board.gov/ict/#chapter-7-%C2%A0-referenced-standards Chapter 7: Referenced Standards].

Finally, the Section 508 government website has a full Design & Develop section that may be applicable to the development process: [https://www.section508.gov/develop/ https://www.section508.gov/develop/]

==Additional information==

1. The Section 508 website and its glossary mention LIMS under "[https://www.section508.gov/art/glossary/#S scientific instrument]," though only secondarily. At the end: "If a scientific instrument is integrated with a computer or a monitor, the computer (and associated operating system) and the monitor would be separate EIT deliverables, requiring their own Government Product Accessibility Templates (GPAT). If the computer included application software, this software would be another EIT deliverable requiring its own GPAT."

2. It appears some software can qualify for "a legally-defined Exception (Back Office)," as found in this example with STARLIMS and the VA: [https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502 https://www.oit.va.gov/Services/TRM/ToolPage.aspx?tid=7502]

3. Some additional posts and guides that may be revealing:
* [https://www.levelaccess.com/how-do-i-determine-if-my-web-site-or-application-is-section-508-compliant/ How do I determine if my website or application is Section 508 compliant?]
* [https://ftp.cdc.gov/pub/Software/RegistryPlus/508%20Compliance/508softwareandos.doc GSA Guide For Making Software Applications and Operating Systems Accessible] (.doc file; NOTE: no date, so it's unclear whether it incorporates the amended material; be careful)
* [https://www.dhs.gov/publication/dhs-section-508-compliance-test-processes DHS Section 508 Compliance Test Processes]
Latest revision as of 21:23, 28 February 2022
