Difference between revisions of "User:Shawndouglas/sandbox/sublevel45"

From LIMSWiki
Line 1: Line 1:
In some cases—particularly if your organization is of significant size—it may make sense to issue a formal RFI or request for proposal (RFP) and have major cloud MSSPs approach your lab with how they can meet its needs. The RFI and RFP are traditional means towards soliciting bidding interest in an organization's project, typically containing the organization's specific requirements and vital questions that the bidder should be able to effectively answer. However, even if your organization chooses to do most of the investigative work of researching and approaching cloud MSSPs, turning to a key set of questions typically found in an RFI is extremely valuable for "fact finding."
[[File:Quanta Computer cloud computing servers at COSCUP 20120819.jpg|right|400px]]Much has been said to this point about [[cloud computing]], the importance of security to the technology, the risks inherent to it, and how to manage those risks. We've also looked at cloud computing within the realm of the [[laboratory]] and how security, risk, and [[risk management]] fit into the laboratory's concerns. Now it's time to take that knowledge and those concerns directly to the task of choosing one or more cloud services to implement in your lab. (Appendix 1 of this guide provides a list of profiles for top public, hybrid, and multicloud providers to consider.)


An RFI is an ideal means for learning more about a potential solution and how it can solve your problems, or for when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<ref name="HolmesItsAMatch">{{cite web |url=https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/ |title=It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner |author=Holmes, T. |work=AllCloud Blog |accessdate=21 August 2021}}</ref> Remember, however, that an RFI is not meant to answer all of your questions. The RFI is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Once the pool of potential MSSPs is narrowed down, more pointed questions can be asked to ensure those providers meet your needs.
Prior chapters have highlighted the fact that choosing to move towards a cloud-based approach in your organization is a process in itself, a process deserving of a plan. Just as risk management is part of an overall [[cybersecurity]] plan, choosing and implementing a cloud project is part of an overall cloud migration plan.<ref name="BuchananTheUltimate">{{cite web |url=https://www.buchanan.com/cloud-migration-project-plan/ |title=The Ultimate Cloud Migration Project Plan for SMBs |publisher=Buchanan Technologies |accessdate=21 August 2021}}</ref> By this point, you've hopefully already:


Be cognizant, however, that just like CSPs, there may be no MSSP that can meet each and every need of your lab. Your lab will have to make important decisions about which requirements are non-negotiable and which are more flexible. The MSSPs you engage with may be able to provide realistic advice in this regard, based upon your lab's requirements and their past experience with labs. As such, those MSSPs with real-world experience protecting the information systems of laboratories may have a strong leg up on other MSSPs, as they can make informed comments about your lab’s requirements based on their past experiences.
* stated the goals of the cloud project and received management buy-in;
* identified the project stakeholders;
* developed scope and responsibility documentation;
* examined and classified your existing—and future—data for criticality, sensitivity, cleanliness, suitability, etc.;
* identified relevant risks associated with the five risk categories as part of an overall/enterprise risk management assessment; and
* identified computing requirements and objectives, including the need for any [[data cleansing]] and migration tools.


For your convenience, Appendix 3 of this guide includes a comprehensive list of RFI questions to ask of MSSPs, as well as cloud providers. If you have zero experience developing an RFI, you may want to first seek out various example RFIs on the internet, as well as some basic advice articles on the topic. Some websites may provide templates to examine for further details. However, the templates in Appendix 3 attempt to provide basic background about the RFI process as well. This includes addressing important questions related to your business so providers responding to your RFI better understand your lab's goals and requirements.
Of course, there's more to the cloud migration plan, including documenting and training on processes and procedures, monitoring performance and security controls, and employing corrective action, but those come after you've chosen and implemented your cloud solution(s). The following sections examine what aspects to consider as part of that process, including what an average cloud service provider (CSP) should look like, what to look for in a CSP (including their service agreements), what your organization should ask of itself, and what your organization should be asking of the CSP.
 
Now that we've addressed MSSPs, it's time to move on and take a look at the considerations required when choosing and implementing a cloud solution. The next chapter will look at the various characteristics of an average cloud provider, what you should look for in a cloud provider, the questions your organization should ask of itself, and the questions your organization should be asking cloud providers.


==References==
==References==
{{Reflist}}
{{Reflist}}
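
Review bot: In the new bullet list, "identified relevant risks associated with the five risk categories" depends on categories that the revised section neither names nor links. The surrounding text already wikilinks [[risk management]], [[cybersecurity]] and [[data cleansing]], so either link this item to the chapter that defines the categories or list them in parentheses. The same list ends the data-classification item with "etc."; spelling out the remaining criteria would make that prerequisite something a reader can actually check off.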

Revision as of 22:23, 21 August 2021


Much has been said to this point about cloud computing, the importance of security to the technology, the risks inherent to it, and how to manage those risks. We've also looked at cloud computing within the realm of the laboratory and how security, risk, and risk management fit into the laboratory's concerns. Now it's time to take that knowledge and those concerns directly to the task of choosing one or more cloud services to implement in your lab. (Appendix 1 of this guide provides a list of profiles for top public, hybrid, and multicloud providers to consider.)

Prior chapters have highlighted the fact that choosing to move towards a cloud-based approach in your organization is a process in itself, a process deserving of a plan. Just as risk management is part of an overall cybersecurity plan, choosing and implementing a cloud project is part of an overall cloud migration plan.[1] By this point, you've hopefully already:

  • stated the goals of the cloud project and received management buy-in;
  • identified the project stakeholders;
  • developed scope and responsibility documentation;
  • examined and classified your existing—and future—data for criticality, sensitivity, cleanliness, suitability, etc.;
  • identified relevant risks associated with the five risk categories as part of an overall/enterprise risk management assessment; and
  • identified computing requirements and objectives, including the need for any data cleansing and migration tools.

Of course, there's more to the cloud migration plan, including documenting and training on processes and procedures, monitoring performance and security controls, and employing corrective action, but those come after you've chosen and implemented your cloud solution(s). The following sections examine what aspects to consider as part of that process, including what an average cloud service provider (CSP) should look like, what to look for in a CSP (including their service agreements), what your organization should ask of itself, and what your organization should be asking of the CSP.

References