Difference between revisions of "User:Shawndouglas/sandbox/sublevel34"
Shawndouglas (talk | contribs)

What follows is a carefully selected set of "questions" for cloud computing and cloud-related providers, posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Feel free to narrow this list down to those questions that are most important to you as part of this fact-finding mission.
Sources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, ''Lab Manager'', LBMC, and Thomson Reuters)<ref name="APHLBreaking17">{{cite web |url=https://www.aphl.org/aboutAPHL/publications/Documents/INFO-2017Jun-Cloud-Computing.pdf |format=PDF |title=Breaking Through the Cloud: A Laboratory Guide to Cloud Computing |author=Association of Public Health Laboratories |publisher=Association of Public Health Laboratories |date=2017 |accessdate=14 August 2023}}</ref><ref name="IFAhelp20">{{cite web |url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ |title=A Helpful Guide to Cloud Computing in a Laboratory |work=InterFocus Blog |publisher=InterFocus Ltd |date=05 October 2020 |accessdate=14 August 2023}}</ref><ref name="LBMCNine21">{{cite web |url=https://www.lbmc.com/blog/questions-cloud-service-providers/ |title=Nine Due Diligence Questions to Ask Cloud Service Providers |author=LBMC |work=LBMC Blog |date=24 February 2021 |accessdate=14 August 2023}}</ref><ref name="WardCloud19">{{cite web |url=https://www.labmanager.com/cloud-computing-for-the-laboratory-736 |title=Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security |author=Ward, S. |work=Lab Manager |date=09 October 2019 |accessdate=14 August 2023}}</ref><ref name="EusticeUnder18">{{cite web |url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing |title=Understand the intersection between data privacy laws and cloud computing |author=Eustice, J.C. |work=Legal Technology, Products, and Services |publisher=Thomson Reuters |date=2018 |accessdate=14 August 2023}}</ref><ref name="TRThree21">{{cite web |url=https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ |archiveurl=https://web.archive.org/web/20210406150957/https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ |title=Three questions you need to ask your cloud vendors |author=Thomson Reuters |work=Thomson Reuters Legal Blog |archivedate=03 March 2021 |date=03 March 2021 |accessdate=14 August 2023}}</ref>, the five sources from the managed security services provider (MSSP) RFI/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually)<ref name="Korff12Rev19">{{cite web |url=https://expel.com/blog/12-revealing-questions-when-evaluating-mssp-mdr-vendor/ |title=12 revealing questions to ask when evaluating an MSSP or MDR vendor |author=Korff, Y. |work=Expel blog |publisher=Expel, Inc |date=19 February 2019 |accessdate=14 August 2023}}</ref><ref name="NTTSHowTo16">{{cite web |url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_whitepaper_mssp_rfp_uea_v1 |archivedate=08 May 2021 |format=PDF |title=How to Write an MSSP RDP |publisher=NTT Security |date=September 2016 |accessdate=14 August 2023}}</ref><ref name="SWGuideToBuild">{{cite web |url=https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |archiveurl=https://web.archive.org/web/20210508225741/https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |format=DOCX |title=Secureworks Guide to Building a Cloud MSSP RFP Template |publisher=Secureworks |archivedate=08 May 2021 |accessdate=14 August 2023}}</ref><ref name="SolutionaryRFP15">{{cite web |url=https://docecity.com/rfp-sample-questions-for-managed-security-services.html |title=RFP/RFI Questions for Managed Security Services: Sample MSSP RFP Template |publisher=Solutionary, Inc |date=September 2015 |accessdate=14 August 2023}}</ref><ref name="SAMCloudMiss20">{{cite web |url=https://beta.sam.gov/opp/91dc7217b32b459695b27339f4b5d9aa/view |title=Cloud Mission Support Request for Information |work=SAM.gov |author=U.S. Department of State |date=24 October 2020 |accessdate=21 August 2021}}</ref>{{Dead link|date=14 August 2023}}, and the following:
* Cloud Security Alliance's ''Cloud Controls Matrix v4''<ref name="CSACloudCont4">{{cite web |url=https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/ |format=xlsx |title=Cloud Controls Matrix v4 |publisher=Cloud Security Alliance |date=15 March 2021 |accessdate=14 August 2023}}</ref>
* Ireland's Office of Government Procurement ''Cloud Services Procurement Guidance Note''<ref name="OGPInform21">{{cite web |url=https://www.gov.ie/en/collection/aa996-guidance-notes/ |title=Cloud Services Procurement Guidance Note |publisher=Ireland Office of Government Procurement |date=09 February 2021 |accessdate=14 August 2023}}</ref>
* U.S. Internal Revenue Service RFI Cloud Response document<ref name="IRSRFICloud18">{{cite web |url=https://cic.gsa.gov/documents/IRS-Cloud-Services-RFI.docx |archiveurl=https://web.archive.org/web/20210421182505/https://cic.gsa.gov/documents/IRS-Cloud-Services-RFI.docx |format=DOCX |title=IRS RFI Cloud Response |publisher=Internal Revenue Service |date=January 2018 |archivedate=21 April 2021 |accessdate=14 August 2023}}</ref>

If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:
* a table of contents;
* an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
* details on how the RFI or RFP evaluation process will be conducted;
* basis for award (if an RFP);
* the calendar schedule (including times) for related events;
* how to submit the document and any related questions about it, including response format; and
* your organization's background, business requirements, and current technical environment.

===Primary business objectives===
Please describe the primary business objectives for your organization.

===Organization history===
Please give some background on your organization's history, including how long it has been offering cloud computing services.

===Financial stability===
Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.

===Cloud services offered===
Please describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. Don't forget to describe the capabilities of your hybrid and multicloud offerings.

===Expected level of integration or interoperability===
Please describe how you anticipate your cloud solutions readily integrating, or at minimum interoperating, with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.

Please provide details about:
* number of clients specifically using your organization's cloud computing or cloud-related services;
* how long each of those services has been offered;
* the growth rate of those services over the prior fiscal year;
* the average historical downtime of a given cloud service;
* how those services or your organization overall are ranked by top research firms such as Gartner and Forrester; and
* any awards received for your organization's cloud computing or cloud-related services.

===Vision and investment in those cloud services===
Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.

Please provide details on:
* how many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;
* whether any of them are willing to act as references for your services;
* what experience your organization has in meeting the unique regulatory requirements of our industry;
* any examples of clients being a learning source for improving your service; and
* any whitepapers, reports, etc. authored by your organization that are relevant to our industry.

===Internal security policy and procedure===
Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.

===Business continuity and disaster recovery policy===
Please describe your organization's P&P regarding business continuity and disaster recovery.

Please describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:
* whether or not your organization owns and manages the data centers;
* where those data centers are located;
* where our data will be located;
* what specifications and encryption types are used for in-transit and at-rest data;
* what level of availability is guaranteed for each data center;
* what level of redundancy is implemented within the data centers;
* how that redundancy limits service interruptions should a particular data center go offline;
* what disposal and data destruction policies are in place for end-of-life equipment;
* what level of cloud-based scalability is available to clients in growth or contraction states; and
* what qualifications and certifications apply to each data center.

===Physical security at data centers===
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?

===Staffing at data centers===
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.

===Independent infrastructure review===
If your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.

===Internal infrastructure review===
If your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If your organization conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.

===Auditing of your operations===
If the results of your independent and/or internal review cannot be shared, will your organization allow us to—on our own or through a third party—audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?

===Extraction of client data===
Please explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.

===Company philosophy or approach===
Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how that team's research is incorporated into protecting your organization's cloud solution or infrastructure. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced and how they hand off to each other.

===Philosophy or approach to client security===
Please provide relevant considerations a client should have—and primary risks a client should mitigate—when securing information in your organization's cloud infrastructure. Does a clear "shared responsibility" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. Additionally, explain how those policies better ensure client data integrity.

Please describe the organizational and client-based availability and use of cloud security technologies such as:
* device management tools,
* firewalls and related performance monitoring tools,
* identity and access management mechanisms,
* intrusion prevention and detection systems,
* integration tools, and
* any other security-related analysis and prevention tools (e.g., rules engines).

===Data storage===
Please describe how sensitive and regulated data can be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in the security of other clients' data affect our own?

===Data transmission, sharing, and transfer===
Please describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database (1) from a client or third-party cloud environment to your cloud environment and (2) from your cloud environment to another cloud environment. What solutions do you provide towards this seamless transfer?
Line 269: | Line 247: | ||
===Logging=== | ===Logging=== | ||
Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regards to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention. | Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regards to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention. | ||
Line 278: | Line 255: | ||
===Monitoring===
If your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any?

===Incident response and reporting===
Should a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to affected clients, including notification timelines. Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.

===Hybrid and multicloud security===
Please explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.

===Research team===
If your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it is integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission statement, please provide it.

===Threat detection===
Please describe the information sources the research team (or, if there is no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.
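To make concrete what three of the detection methods named in this question look like in practice, here is an added example written for this page; it is not code from any of the cited sources or from any provider's product. It runs signature analysis on URL-decoded request paths, volume analysis of failed logins per source within a fixed window, and a simple statistical anomaly check on per-source request counts over a handful of constructed web-access log lines. The log format, the signature rules, the window size and the thresholds are all assumptions chosen for the illustration.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from urllib.parse import unquote

# Constructed sample, not real traffic. Format: "<epoch> <src_ip> <method> <path> <status>".
# 192.0.2.44 hammers /login; 198.51.100.7 sends two classic injection probes.
SAMPLE_LOG = """\
1000 203.0.113.5 GET /login 200
1001 203.0.113.5 POST /login 200
1002 198.51.100.7 GET /../../etc/passwd 404
1003 198.51.100.7 GET /index.php?id=1'%20OR%20'1'='1 500
1004 203.0.113.9 GET /index.html 200
1005 192.0.2.44 POST /login 401
1006 192.0.2.44 POST /login 401
1007 192.0.2.44 POST /login 401
1008 192.0.2.44 POST /login 401
1009 192.0.2.44 POST /login 401
1010 192.0.2.44 POST /login 401
1011 203.0.113.9 GET /about 200
1012 203.0.113.20 GET / 200
1013 203.0.113.21 GET /docs 200
1014 203.0.113.22 GET /login 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE|HEAD) (\S+) (\d{3})$")

# Signature analysis: known-bad patterns applied to the *decoded* path.
# These three rules are assumptions for the example, not a vendor's rule set.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sqli_tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "sqli_union": re.compile(r"\bunion\s+select\b", re.IGNORECASE),
}


def parse_log(text):
    """Parse log lines into event dicts. The path is URL-decoded so that a signature
    cannot be dodged simply by percent-encoding it. Malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status = m.groups()
        events.append({"ts": int(ts), "ip": ip, "method": method,
                       "path": unquote(path), "status": int(status)})
    return events


def signature_hits(events):
    """Return (source_ip, rule_name) for every request whose decoded path matches a rule."""
    return [(e["ip"], name)
            for e in events
            for name, rx in SIGNATURES.items()
            if rx.search(e["path"])]


def volume_hits(events, window=60, threshold=5):
    """Volume analysis: failed logins (POST /login -> 401) per source per fixed time window.
    Returns {ip: highest per-window count} for sources at or above the threshold."""
    buckets = Counter()
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            buckets[(e["ip"], e["ts"] // window)] += 1
    flagged = {}
    for (ip, _), n in buckets.items():
        if n >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def anomaly_hits(events, k=2.0):
    """Statistical anomaly detection: sources whose request count lies more than k
    population standard deviations above the mean over all sources. Returns {ip: z-score}."""
    counts = Counter(e["ip"] for e in events)
    if len(counts) < 2:
        return {}
    vals = list(counts.values())
    mu, sigma = mean(vals), pstdev(vals)
    if sigma == 0:
        return {}
    return {ip: round((n - mu) / sigma, 2)
            for ip, n in counts.items() if (n - mu) / sigma > k}


def detect(text):
    """Run all three methods over raw log text and return one report keyed by method."""
    events = parse_log(text)
    return {"signature": signature_hits(events),
            "volume": volume_hits(events),
            "anomaly": anomaly_hits(events)}


if __name__ == "__main__":
    for method, hits in detect(SAMPLE_LOG).items():
        print(f"{method}: {hits}")
```

A provider's answer to this question should cover what the example leaves open: where its signatures come from and how often they are updated, how the baseline for anomaly checks is established over a long history rather than from a single window, and how hits from the different methods are correlated before an analyst sees them.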
===Use of and access to threat intelligence===
Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. Also describe what level of visibility and access a client has into this intelligence and into the research team itself. If any bug bounty programs or similar programs exist, please explain them here as well.

===Examples of action on threat intelligence===
Please provide examples of how threat intelligence generated by your organization's research team (or by another party) has been effectively used to protect clients. Also provide examples of organizational white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in your cloud infrastructure.
===Vulnerability testing basics===
Please describe the extent of the vulnerability testing your organization conducts on its cloud infrastructure, including the origin of any testing protocols (e.g., whether they follow a published standard or were developed in-house).

===Vulnerability identification and confirmation===
Please describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?

===Client-based vulnerability testing===
If a client, or a third party acting on a client's behalf, is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details, including any notification or authorization process that must be followed beforehand. If your cloud services support web application scanning and testing for database vulnerabilities, please provide the relevant details.

===Endpoint protection===
Please describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients to help them maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts it generates and what remediation recommendations, if any, it provides. Be sure to address whether threat intelligence is integrated into the service or tool and which operating system (OS) endpoints are covered.

===Malware protection===
Please describe any managed service, software solution, or other mechanism your organization provides or makes available to clients to help them with malware protection. If such a service or tool is offered, describe whether it uses sandboxing technology, and if so, what type. Be sure to address whether threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.

===Other ancillary services===
Please describe whether your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers.
===Account management basics===
Please describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and the various account logs.

===Support basics===
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the primary and secondary communication mechanisms used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how inquiries and reported issues are escalated.

===Help desk and support ticketing===
Please indicate what help desk or ticketing functionality is available to clients experiencing cloud service issues. Describe how clients should use such tools to initiate the support process. Do clients receive comprehensive support during service downtime?

===Availability, provisioning, and responsiveness===
Please indicate the availability of your organization's support services, including the hours offered. Also indicate who provides the support service (in-house staff or a third party) and from where it is provided. Note whether support is handed off between teams or locations at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.

===Client satisfaction===
Please describe how your organization measures and reports (including how frequently) client satisfaction with support, account management, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.

===Ancillary services===
Please indicate whether your organization provides value-added support services, and if so, what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?
===SLA basics===
Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain the cost implications of the differing service levels. Finally, explain whether your organization provides clients with a 30-day proof-of-concept trial of the services so that it can substantiate its marketing and operational claims.

===SLAs for SaaS===
In the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.

===SLA failure===
Please explain how your organization monitors and measures its compliance with an SLA. Describe what options (e.g., service credits or termination rights) are available to clients should your organization fail to meet an agreed-upon SLA.

===Business associate agreements===
State whether your organization will sign a business associate agreement or addendum for the purpose of ensuring that your organization appropriately safeguards protected health information, as required by the Health Insurance Portability and Accountability Act (HIPAA).

===Contract termination===
Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies and how deletion is verified, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.

===Organization termination or catastrophic loss===
Please describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.
Please describe your approach to implementing your cloud computing or cloud-based services for clients. You should address:
*the standard timeframe for implementation and onboarding (overall average or that of the last 10 customers);
*whether a dedicated point of contact will be maintained throughout implementation and to the end of the contract;
*what resources clients will require to support the implementation and throughout the contract's duration;
*what client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;
*what device and database integrations are supported in an implementation;
*whether unsupported devices and databases can be added for support;
*how the impact on or disruption of client resources is minimized during implementation; and
*what your normalization and fine-tuning procedures are.

===Completion and handoff===
Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.

===Multi-site implementations===
Please describe the process used when implementing a service for a client with many geographically dispersed facilities.

Please describe how your company's pricing and payment models meet industry-standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided, using a current published catalog, standard market pricing, and/or web-enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:
*underlying "implied" costs,
*initial "stand up" costs,
*ongoing maintenance or subscription costs,
*renewal-related price increases,
*data download costs, and
*termination costs.
Revision as of 19:47, 14 August 2023
Appendix 3. An RFI/RFP for evaluating cloud service providers (CSPs)
Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential solution and how it can solve your problems, or for when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious for prospective vendors to complete; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right number of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.[1]
What follows are a carefully selected set of "questions" for cloud computing and cloud-related providers posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.
Sources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, Lab Manager, LBMC, and Thomson Reuters)[2][3][4][5][6][7], the five sources from the managed security services provider (MSSP) RFI/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually)[8][9][10][11][12][dead link], and the following:
- Cloud Security Alliance's Cloud Controls Matrix v4[13]
- Ireland's Office of Government Procurement Cloud Services Procurement Guidance Note[14]
- U.S. Internal Revenue Service RFI Cloud Response document[15]
RFI/RFP introduction
If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:
- a table of contents;
- an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
- details on how the RFI or RFP evaluation process will be conducted;
- basis for award (if an RFP);
- the calendar schedule (including times) for related events;
- how to submit the document and any related questions about it, including response format; and
- your organization's background, business requirements, and current technical environment.
Organization basics
Primary business objectives
Please describe the primary business objectives for your organization.
Organization history
Please give some background on your organization's history, including how long it has been offering cloud computing services.
Financial stability
Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.
Cloud services offered
Please describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. Don't forget to describe the capabilities of your hybrid and multicloud offerings.
Expected level of integration or interoperability
Please describe how you anticipate your cloud solutions being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.
Details about those cloud services
Please provide details about:
- number of clients specifically using your organization's cloud computing or cloud-related services;
- how long each of those services has been offered;
- the growth rate of those services over the prior fiscal year;
- the average historical downtime of a given cloud service;
- how those services or your organization overall are ranked by top research firms such as Gartner and Forrester; and
- any awards received for your organization's cloud computing or cloud-related services.
Vision and investment in those cloud services
Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.
Experience and references
Please provide details on:
- how many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;
- whether any of them are willing to act as references for your services;
- what experience your organization has in meeting the unique regulatory requirements of our industry;
- any examples of clients being a learning source for improving your service; and
- any whitepapers, reports, etc. authored by your organization that are relevant to our industry.
Internal security policy and procedure
Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.
Business continuity and disaster recovery policy
Please describe your organization's P&P regarding business continuity and disaster recovery.
Please describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:
- whether or not your organization owns and manages the data centers;
- where those data centers are located;
- where our data will be located;
- what protocols and encryption algorithms are used to protect data in transit and at rest;
- what level of availability is guaranteed for each data center;
- what level of redundancy is implemented within the data centers;
- what disposal and data destruction policies are in place for end-of-life equipment;
- how that redundancy limits service interruptions should a particular data center go offline;
- what level of cloud-based scalability is available to clients with growth or contraction states; and
- what qualifications and certifications apply to each data center.
Physical security at data centers
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?
Staffing at data centers
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.
Independent infrastructure review
If your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.
Internal infrastructure review
If your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If your organization conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.
Auditing of your operations
If the results of your independent and/or internal review cannot be shared, will your organization allow us to—on our own or through a third party—audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?
Auditing of client data
Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?
Extraction of client data
Please explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.
Base cloud security
Company philosophy or approach
Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is used. If such a team exists, also explain how research from that team is incorporated into protecting your organization's cloud solution or infrastructure. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced and how they hand off to each other.
Philosophy or approach to client security
Please provide relevant considerations a client should have—and primary risks a client should mitigate—when securing information in your organization's cloud infrastructure. Does a clear "shared responsibility" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. Additionally, explain how those policies better ensure client data integrity.
Technology and security
Please describe the organizational and client-based availability and use of cloud security technologies such as:
- device management tools,
- firewalls and related performance monitoring tools,
- identity and access management mechanisms,
- intrusion prevention and detection systems,
- integration tools, and
- any other security-related analysis and prevention tools (e.g., rules engines).
Data storage
Please describe how sensitive and regulated data can be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in the security of other clients' data affect our own?
Data transmission, sharing, and transfer
Please describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database (1) from a client or third-party cloud environment to your cloud environment and (2) from your cloud environment to another cloud environment. What solutions do you provide towards this seamless transfer?
Logging
Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy regarding retaining collected log and event data and making it available to clients on demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention.
Monitoring
If your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any?
Incident response and reporting
Should a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to affected clients. Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.
Hybrid and multicloud security
Please explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.
Threat intelligence
Research team
If your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it's integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.
Threat detection
Please describe the information sources the research team (or, if no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.
Use of and access to threat intelligence
Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. Also describe what level of visibility and access a client has into this intelligence, as well as the research team itself. If any bug bounty programs or the like exist, please explain them here as well.
Examples of action on threat intelligence
Please provide examples of how threat intelligence generated by your organization's research team (or another party) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in the organizational cloud infrastructure.
Vulnerability testing
Vulnerability testing basics
Please describe the extent of vulnerability testing your organization may conduct on its cloud infrastructure, including the origin of any testing protocols.
Vulnerability identification and confirmation
Please describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?
Client-based vulnerability testing
If a client or a representative third party of a client is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details. If your cloud services support web application scanning and testing for database vulnerabilities, please provide details.
Additional cloud security
Endpoint protection
Please describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients in regard to helping clients maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts are given in association with it and what, if any, remediation recommendations are provided. Be sure to address whether or not threat intelligence is integrated into the service or tool and what operating system (OS) endpoints are covered.
Malware protection
Please describe any managed service, software solution, or other mechanism your organization provides or makes available to clients in regard to helping clients with malware protection. If such a service or tool is offered, describe whether or not it uses sandboxing technology, and if so, what type. Be sure to address whether or not threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.
Other ancillary services
Please describe if your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers.
Account management and support
Account management basics
Please describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and various account logs.
Support basics
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.
Help desk and support ticketing
Please indicate what help desk or ticketing functionality is available for clients having cloud service issues. Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of service downtime?
Availability, provisioning, and responsiveness
Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.
Client satisfaction
Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.
Ancillary services
Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?
Service level agreements (SLAs) and contracts
SLA basics
Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.
SLAs for SaaS
In the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.
SLA failure
Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.
Business associate agreements
State whether or not your organization will sign a business associate agreement or addendum for purposes of ensuring your organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).
Contract termination
Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.
Organization termination or catastrophic loss
Please describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.
Service implementation
Implementation basics
Please describe your approach to implementing your cloud computing or cloud-based services for clients. You should address:
- the standard timeframe for implementation and onboarding (overall average or last 10 customers);
- whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
- what resources clients will require to support the implementation and throughout the contract's duration;
- what client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;
- what device and database integrations are supported in an implementation;
- whether or not unsupported devices and databases can be added for support;
- how the impact or disruption of client resources is minimized during implementation; and
- what your normalization and fine-tuning procedures are.
Completion and handoff
Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.
Multi-site implementations
Please describe the process used when implementing a service to a client with many geographically dispersed facilities.
Pricing
Pricing basics
Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and/or web-enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:
- underlying "implied" costs,
- initial "stand up" costs,
- ongoing maintenance or subscription costs,
- renewal-related price increases,
- data download costs, and
- termination costs.