Difference between revisions of "User:Shawndouglas/sandbox/sublevel45"

Line 1: Line 1:
Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<ref name="HolmesItsAMatch">{{cite web |url=https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/ |title=It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner |author=Holmes, T. |work=AllCloud Blog |date=n.d. |accessdate=21 August 2021}}</ref>


What follows is a carefully selected set of "questions" for cloud computing and cloud-related providers posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Feel free to narrow this list down to those questions that are most important to you as part of this fact-finding mission.
What follows is a carefully selected set of "questions" for managed security services providers (MSSPs) posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<ref name="HolmesItsAMatch" /> Feel free to narrow this list down to those questions that are most important to you as part of this fact-finding mission.


Sources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, ''Lab Manager'', LBMC, and Thomson Reuters)<ref name="APHLBreaking17">{{cite web |url=https://www.aphl.org/aboutAPHL/publications/Documents/INFO-2017Jun-Cloud-Computing.pdf |format=PDF |title=Breaking Through the Cloud: A Laboratory Guide to Cloud Computing |author=Association of Public Health Laboratories |publisher=Association of Public Health Laboratories |date=2017 |accessdate=21 August 2021}}</ref><ref name="IFAhelp20">{{cite web |url=https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/ |title=A Helpful Guide to Cloud Computing in a Laboratory |work=InterFocus Blog |publisher=InterFocus Ltd |date=05 October 2020 |accessdate=21 August 2021}}</ref><ref name="LBMCNine21">{{cite web |url=https://www.lbmc.com/blog/questions-cloud-service-providers/ |title=Nine Due Diligence Questions to Ask Cloud Service Providers |author=LBMC |work=LBMC Blog |date=24 February 2021 |accessdate=21 August 2021}}</ref><ref name="WardCloud19">{{cite web |url=https://www.labmanager.com/business-management/cloud-computing-for-the-laboratory-736 |title=Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security |author=Ward, S. |work=Lab Manager |date=09 October 2019 |accessdate=21 August 2021}}</ref><ref name="EusticeUnder18">{{cite web |url=https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing |title=Understand the intersection between data privacy laws and cloud computing |author=Eustice, J.C. |work=Legal Technology, Products, and Services |publisher=Thomson Reuters |date=2018 |accessdate=21 August 2021}}</ref><ref name="TRThree21">{{cite web |url=https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/ |title=Three questions you need to ask your cloud vendors |author=Thomson Reuters |work=Thomson Reuters Legal Blog |date=03 March 2021 |accessdate=21 August 2021}}</ref>, the five sources from the managed security services provider (MSSP) RFI/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually)<ref name="Korff12Rev19">{{cite web |url=https://expel.io/blog/12-revealing-questions-when-evaluating-mssp-mdr-vendor/ |title=12 revealing questions to ask when evaluating an MSSP or MDR vendor |author=Korff, Y. |work=Expel blog |publisher=Expel, Inc |date=19 February 2019 |accessdate=21 August 2021}}</ref><ref name="NTTSHowTo16">{{cite web |url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_whitepaper_mssp_rfp_uea_v1 |title=How to Write an MSSP RDP |publisher=NTT Security |date=September 2016 |accessdate=21 August 2021}}</ref><ref name="SWGuideToBuild">{{cite web |url=https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |archiveurl=https://web.archive.org/web/20210508225741/https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |format=DOCX |title=Secureworks Guide to Building a Cloud MSSP RFP Template |publisher=Secureworks |archivedate=08 May 2021 |accessdate=21 August 2021}}</ref><ref name="SolutionaryRFP15">{{cite web |url=https://docecity.com/rfp-sample-questions-for-managed-security-services.html |title=RFP/RFI Questions for Managed Security Services: Sample MSSP RFP Template |publisher=Solutionary, Inc |date=September 2015 |accessdate=21 August 2021}}</ref><ref name="SAMCloudMiss20">{{cite web |url=https://beta.sam.gov/opp/91dc7217b32b459695b27339f4b5d9aa/view |title=Cloud Mission Support Request for Information |work=SAM.gov |author=U.S. Department of State |date=24 October 2020 |accessdate=21 August 2021}}</ref>, and the following:
Sources used to compile this selection of RFI questions include:


* Cloud Security Alliance's ''Cloud Controls Matrix v4''<ref name="CSACloudCont4">{{cite web |url=https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/ |format=xlsx |title=Cloud Controls Matrix v4 |publisher=Cloud Security Alliance |date=15 March 2021 |accessdate=21 August 2021}}</ref>
* Expel's "12 revealing questions to ask when evaluating an MSSP or MDR vendor"<ref name="Korff12Rev19">{{cite web |url=https://expel.io/blog/12-revealing-questions-when-evaluating-mssp-mdr-vendor/ |title=12 revealing questions to ask when evaluating an MSSP or MDR vendor |author=Korff, Y. |work=Expel blog |publisher=Expel, Inc |date=19 February 2019 |accessdate=21 August 2021}}</ref>
* Ireland's Office of Government Procurement ''Cloud Services Procurement Guidance Note''<ref name="OGPInform21">{{cite web |url=https://ogp.gov.ie/information-notes/ |title=Cloud Services Procurement Guidance Note |publisher=Ireland Office of Government Procurement |date=09 February 2021 |accessdate=21 August 2021}}</ref>
* NTT Security's ''How to Write an MSSP RDP'' whitepaper<ref name="NTTSHowTo16">{{cite web |url=https://www.nttsecurity.com/docs/librariesprovider3/resources/us_whitepaper_mssp_rfp_uea_v1 |title=How to Write an MSSP RDP |publisher=NTT Security |date=September 2016 |accessdate=21 August 2021}}</ref>
* U.S. Internal Revenue Service RFI Cloud Response document<ref name="IRSRFICloud18">{{cite web |url=https://cic.gsa.gov/documents/IRS-Cloud-Services-RFI.docx |format=DOCX |title=IRS RFI Cloud Response |publisher=Internal Revenue Service |date=January 2018 |accessdate=21 August 2021}}</ref>
* Secureworks' RFI/RFP template<ref name="SWGuideToBuild">{{cite web |url=https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |archiveurl=https://web.archive.org/web/20210508225741/https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 |format=DOCX |title=Secureworks Guide to Building a Cloud MSSP RFP Template |publisher=Secureworks |archivedate=08 May 2021 |accessdate=21 August 2021}}</ref>
* Solutionary's ''RFP/RFI Questions for Managed Security Services'' whitepaper<ref name="SolutionaryRFP15">{{cite web |url=https://docecity.com/rfp-sample-questions-for-managed-security-services.html |title=RFP/RFI Questions for Managed Security Services: Sample MSSP RFP Template |publisher=Solutionary, Inc |date=September 2015 |accessdate=21 August 2021}}</ref>
* The U.S. Department of State's Bureau of Diplomatic Security's 2020 RFI requesting MSSP services<ref name="SAMCloudMiss20">{{cite web |url=https://beta.sam.gov/opp/91dc7217b32b459695b27339f4b5d9aa/view |title=Cloud Mission Support Request for Information |work=SAM.gov |author=U.S. Department of State |date=24 October 2020 |accessdate=21 August 2021}}</ref>




Line 34: Line 36:


===Organization history===
Please give some background on your organization's history, including how long it has been offering cloud computing services.
Please give some background on your organization's history, including how long it has been offering managed security services (MSSs).




Line 51: Line 53:




===Cloud services offered===
===Managed security services offered===
Please describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. Don't forget to describe the capabilities of your hybrid and multicloud offerings.
Please describe the primary MSSs offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels.




Line 60: Line 62:




===Expected level of integration or interoperability===
===Details about those managed security services===
Please describe how you anticipate your cloud solutions being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.
===Details about those cloud services===
Please provide details about:


* number of clients specifically using your organization's cloud computing or cloud-related services;
* number of MSS clients specifically using your organization's device management, security monitoring, vulnerability testing, log management, and other security-based managed services;
* how long each of those services has been offered;
* how long each of your organization's MSSs has been offered;
* the growth rate of those services over the prior fiscal year;
* the growth rate of your organization's MSSs over the prior fiscal year;
* the average historical downtime of a given cloud service;
* how your organization's MSSs or your organization overall are ranked by top research firms such as Gartner and Forrester; and
* how those services or your organization overall are ranked by top research firms such as Gartner and Forrester; and
* any awards received for your organization's MSSs.
* any awards received for your organization's cloud computing or cloud-related services.




Line 85: Line 77:




===Vision and investment in those cloud services===
===Vision and investment in those managed security services===
Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.
Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's MSS initiative. Additionally, discuss the level of investment made by your organization—including in-house research and development—towards solving emerging cybersecurity challenges and improving your clients' return on investment (ROI).




Line 97: Line 89:
Please provide details on:


* how many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;
* how many clients you provide (or have provided) MSS to in our organization's industry;
* whether any of them are willing to act as references for your services;
* what experience your organization has in meeting the unique regulatory requirements of our industry;  
* what experience your organization has in meeting the unique security monitoring requirements of our industry;  
* any examples of clients being a learning source for improving your service; and
* any whitepapers, reports, etc. authored by your organization that are relevant to our industry.
Line 129: Line 121:




===Data centers and related infrastructure===
===Security operation centers and related infrastructure===
Please describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:
Does your organization use security operation centers (SOCs) to support its MSSs? If so, please provide details about:


* whether or not your organization owns and manages the data centers;
* whether or not you own and manage the SOCs;
* where those data centers are located;
* where the primary and secondary SOCs are located;
* where our data will be located;
* what specifications and encryption types are used for in-transit and at-rest data;
* what specifications are used for data in transit and at rest;
* what level of availability is guaranteed for each data center;
* whether or not all SOCs are "always on" and available;
* what level of redundancy is implemented within the data centers;
* what level of redundancy is implemented within the SOCs;
* what disposal and data destruction policies are in place for end-of-life equipment;
* how that redundancy limits service interruptions should an SOC go offline;  
* how that redundancy limits service interruptions should a particular data center go offline;  
* what level of scalability is available to clients with growth or contraction states; and
* what level of cloud-based scalability is available to clients with growth or contraction states; and
* what qualifications and certifications apply to each SOC.
* what qualifications and certifications apply to each data center.




Line 149: Line 140:




===Physical security at data centers===
===Physical security at security operation centers===
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity measures (e.g., fire suppression, backup power, etc.) put in place at your organization's SOCs. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at SOCs responded to?




Line 158: Line 149:




===Staffing at data centers===
===Staffing at security operation centers===
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.
Please describe the staffing procedures at these SOCs, including what percentage of overall staff is dedicated purely to delivering and managing MSS activities and accounts. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any individual related to your organization's MSSs.




Line 168: Line 159:


===Independent infrastructure review===
If your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.
If your organization has received an independent review of its MSS infrastructure and services (e.g., SSAE 16), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.




Line 177: Line 168:


===Internal infrastructure review===
If your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If your organization conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.
If your organization has performed an internal review of its MSS infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review.




Line 202: Line 193:




===Extraction of client data===
Please explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.
==Service: Threat intelligence==
===Research team===
If your organization has a research team dedicated to threats and vulnerabilities, please describe the team, how it's integrated with an SOC's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.  




Line 211: Line 205:




==Base cloud security==
===Threat detection===
Please describe the information sources the research team uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.
===Use of and access to threat intelligence===
Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of our devices and data. Finally, please describe what level of visibility and access a client has into this intelligence, as well as the research team itself.
===Examples of action on threat intelligence===
Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use.
==Service: Vulnerability testing==
===Vulnerability testing basics===
Please describe the architecture behind any vulnerability testing your organization may conduct, including configuration, scoping, and scheduling capabilities. Also describe the origin of testing protocols used. If your architecture supports web application scanning and testing for database vulnerabilities, please provide important details.


===Company philosophy or approach===
Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers are utilized. If such a team exists, also explain how that research from that team is incorporated into protecting your organization's cloud solution or infrastructure. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.




===Vulnerability identification and confirmation===
Please describe how vulnerabilities are identified and confirmed. If your organization has a process for identifying and reporting false positives, provide details. Additionally, if a process is in place to escalate and prioritize confirmed vulnerabilities, please describe it. Finally, is vulnerability data incorporated into overall security monitoring processes, and if so, in what ways? For example, can vulnerability testing results be correlated to other monitoring and analysis data to provide a status of being "on-target" or "off-target," along with an impact analysis rating?




Line 222: Line 250:




===Philosophy or approach to client security===
Please provide relevant considerations a client should have—and primary risks a client should mitigate—when securing information in your organization's cloud infrastructure. Does a clear "shared responsibility" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. Additionally, explain how those policies better ensure client data integrity.


===Vulnerability testing process===
Please provide details of how vulnerability testing is scheduled and how associated reports are delivered. Additionally, explain whether or not clients can conduct their own vulnerability testing and upload the results to you.




Line 231: Line 260:




===Technology and security===
Please describe the organizational and client-based availability and use of cloud security technologies such as:


* device management tools,
===Internal and external testing===
* firewalls and related performance monitoring tools,
Please describe whether or not the vulnerability testing process can be run both internally and externally, and if so, on what infrastructure. If your organization provides internal vulnerability scanning or supports external vulnerability scanning through a PCI Security Standards Council Approved Scanning Vendor (PCI ASV) for quarterly compliance, please provide details.
* identity and access management mechanisms,
* intrusion prevention and detection systems,
* integration tools, and
* any other security-related analysis and prevention tools (e.g., rules engines).




Line 247: Line 270:




===Data storage===
==Service: Endpoint protection==
Please describe how sensitive and regulated data is able to be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in security of other clients' data affect our own?


===Endpoint protection basics===
Please describe any managed service your organization provides in regard to endpoint security. Address whether or not service agents must be installed at every endpoint and what bandwidth requirements they may have. Also, please describe whether the endpoint protection service is "always on" or acts as a scheduled service. Also state what management responsibilities are associated with the service, and by whom they are handled.




Line 256: Line 280:




===Data transmission, sharing, and transfer===
Please describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database 1. from a client or third-party cloud environment to your cloud environment and 2. from your cloud environment to another cloud environment. What solutions do you provide towards this seamless transfer?


===Visibility and notifications===
Please provide information about how visible endpoint security is to clients. Describe what types of alerts are given in association with endpoint security and what, if any, remediation recommendations are provided.




Line 265: Line 289:




===Logging===
Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regards to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention.


===Data retention===
Please describe your organization's data retention policies related to endpoint data collected as part of the endpoint protection service.




Line 274: Line 298:




===Monitoring===
If your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any?


===Endpoint protection features===
Please describe:


* whether or not threat intelligence is integrated into your endpoint protection service;
* what operating system (OS) endpoints are covered by the service; and
* what level of remote incident response is supported and whether compromised endpoints can be quickly isolated from your organization's network.




Line 283: Line 310:




===Incident response and reporting===
Should a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to affected clients. Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.




==Service: Malware protection==


===Malware protection basics===
Please describe any managed service your organization provides in regard to malware protection. Address whether or not your service uses sandboxing technology, and if so, what type.








===Hybrid and multicloud security===
Please explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.






===Malware protection features===
Please describe:


* whether or not threat intelligence is integrated into your malware protection service;
* whether or not the service is able to detect malware designed to evade a traditional sandbox; and
* whether or not the service is able to detect zero-day malware threats.






==Threat intelligence==


===Research team===
If your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it's integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.






===Service level and support===
Please describe whether or not a "defense in depth" approach is taken with malware protection, and if so, whether this is a complimentary part of the service or at additional cost. Additionally, describe your policy about assisting clients with remediation in the event of malware compromising client systems.








===Threat detection===
Please describe the information sources the research team (or, if no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.






==Service: Overall cloud security==


===Company philosophy or approach===
Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how research from that team is incorporated into MSS activities. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.






===Use of and access to threat intelligence===
Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. Also describe what level of visibility and access a client has into this intelligence, as well as the research team itself. If any bug bounty programs or the like exist, please explain them here as well.








===Technology and security===
Please describe:


* the technical architecture of your MSS in the cloud, including any associated hardware and software agents that are installed;
* whether or not you can manage client devices, and if so, how;
* how troubleshooting for any managed devices is handled and subsequently validated should changes need to be made;
* what firewall performance monitoring your MSS is capable of in the cloud;
* how managed and monitored intrusion prevention and detection is implemented as part of your MSS;
* how security mechanisms built into your cloud solutions are activated; and
* what integration requirements, if any, exist for securely connecting to data analysis, incident management, or other SOAR (security orchestration, automation, and response) tools.




===Examples of action on threat intelligence===
Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in the organizational cloud infrastructure.








===Event correlations and rules===
Please explain how event information can be used within your correlation and rules engine. Additionally, describe whether or not event correlations can be made across multiple client device types, across clients, and by user identity.




==Vulnerability testing==


===Vulnerability testing basics===
Please describe the extent of vulnerability testing your organization may conduct on its cloud infrastructure, including the origin of any testing protocols.








===Vulnerability testing===
Please describe what agreements, if any, your organization has with CSPs to perform different types of vulnerability assessments on their platforms.






===Vulnerability identification and confirmation===
Please describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?








===Logging===
Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, and how you're able to gain visibility into anomalous activity. List the log and event data sources and devices used by clients and other CSPs that you support. Do you enrich log data with your own contextual elements such as IP reputation scores and GeoIP2 data? Finally, provide background on your organizational policy in regard to retaining and making available collected log and event data.






===Client-based vulnerability testing===
If a client or a representative third party of a client is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details. If your cloud services support web application scanning and testing for database vulnerabilities, please provide important details.








===Monitoring===
If your MSS provides a cloud monitoring portal to clients, please describe it. Include details on what data is viewable and reportable, as well as whether or not a central dashboard for all types of data is available. If not, explain how clients are informed of security threats and other service-related activities. Additionally, if a client runs their own red team exercises on their infrastructure, does your organization have the capability of monitoring for and detecting those authorized red team activities, as well as reporting on them?






==Additional cloud security==


===Endpoint protection===
Please describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients in regard to helping clients maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts are given in association with it and what, if any, remediation recommendations are provided. Be sure to address whether or not threat intelligence is integrated into the service or tool and what operating system (OS) endpoints are covered.






===Incident response===
Should a security threat be identified by your monitoring team, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident, including the handling of breach notification.








===Malware protection===
Please describe any managed service, software solution, or other mechanism your organization provides or makes available to clients in regard to helping clients with malware protection. If such a service or tool is offered, describe whether or not it uses sandboxing technology, and if so, what type. Be sure to address whether or not threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.






===Hybrid and multicloud===
Please describe how your cloud services and their associated technology enable and improve secure integrations in hybrid and multicloud scenarios.








===Other ancillary services===
Please describe whether your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers.






===Ancillary services===
Please describe whether your organization is capable of assisting clients with security audits and certifications of their cloud installations. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. How do teams associated with incident response and threat remediation services use their capabilities to provide value to the client?








==Account management and support==


===Account management basics===
Please describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and various account logs.




==Reporting==


===Approach to reporting===
Please describe your organization's approach to meaningful reporting, including the selection of security metrics. Explain how your MSS reporting provides value to clients by demonstrating security effectiveness and quality return on investment (ROI).








===Support basics===
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.






===Reporting basics===
Please describe your organization's approach to standard reporting, including details such as:


* report frequency;
* access and distribution methods (e.g., portal, app, email, SMS);
* format (e.g., PDF, Excel, HTML);
* authenticity (i.e., can they be digitally signed and tracked);
* the structure of the reporting interface;
* whether or not the reporting interface can integrate with other systems, or vice versa;
* any integration of reporting across different services; and
* available and requestable report types, including pre-built, customizable, compliance, and regulatory reports.


If possible, provide examples such as sample reports or screenshots of your web-based interface. If reports can be customized, provide details of how this is accomplished.




===Help desk and support ticketing===
Please indicate what help desk or ticketing functionality is available for clients having cloud service issues. Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of service downtime?








===Asset-based and ad-hoc reporting===
Please explain any asset-based and ad-hoc reporting capabilities available as part of your managed security services. If asset-based reporting is available to clients, describe whether or not the service allows clients to create and group assets, assign criticality levels to them, scan them, and view events related to them. If ad-hoc reporting is available to clients, describe the request process and turnaround time (TAT) for such reports.




===Availability, provisioning, and responsiveness===
Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.








===Availability===
Please explain how long MSS reports and associated data are accessible after creation, as well as whether or not any of that information is archived.


==Account management and support==


===Client satisfaction===
Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.


===Support basics===
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.








===Ancillary services===
Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?


===Help desk and support ticketing===
Please indicate what help desk or ticketing functionality is available for clients having MSS-related incident and troubleshooting issues. How should clients go about using such tools to initiate the support process?








==Service level agreements (SLAs) and contracts==
===Availability, provisioning, and responsiveness===
Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.


===SLA basics===
Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.








===Client satisfaction===
Please describe how your organization measures and reports (including frequency) client satisfaction with support and account services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.


===SLAs for SaaS===
In the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.








===Ancillary services===
Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?


===SLA failure===
Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.








==Service level agreements (SLAs) and contracts==


===Business associate agreements===
State whether or not your organization will sign a business associate agreement or addendum for purposes of ensuring your organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).


===SLA basics===
Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.








===Contract termination===
Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.


===SLA failure===
Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.








===Organization termination or catastrophic loss===
Please describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.


===Contract termination===
Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.






Please describe your approach to implementing your MSS for clients. You should address:


* the standard timeframe for implementation and onboarding (overall average or last 10 customers);
* whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
* what resources clients will require to support the implementation and throughout the contract's duration;
* what client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;
* what device and database integrations are supported in an implementation;  
* whether or not unsupported devices and databases can be added for support;

Revision as of 15:36, 22 August 2021

Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.[1]

What follows are a carefully selected set of "questions" for managed security services providers (MSSPs) posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.

Sources used to compile this selection of RFI questions include:

  • Expel's "12 revealing questions to ask when evaluating an MSSP or MDR vendor"[2]
  • NTT Security's How to Write an MSSP RDP whitepaper[3]
  • Secureworks' RFI/RFP template[4]
  • Solutionary's RFP/RFI Questions for Managed Security Services whitepaper[5]
  • The U.S. Department of State's Bureau of Diplomatic Security's 2020 RFI requesting MSSP services[6]


RFI/RFP introduction

If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:

  • a table of contents;
  • an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
  • details on how the RFI or RFP evaluation process will be conducted;
  • basis for award (if an RFP);
  • the calendar schedule (including times) for related events;
  • how to submit the document and any related questions about it, including response format; and
  • your organization's background, business requirements, and current technical environment.


Organization basics

Primary business objectives

Please describe the primary business objectives for your organization.




Organization history

Please give some background on your organization's history, including how long it has been offering managed security services (MSSs).




Financial stability

Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.




Managed security services offered

Please describe the primary MSSs offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels.




Details about those managed security services

Please provide details about:

  • number of MSS clients specifically using your organization's device management, security monitoring, vulnerability testing, log management, and other security-based managed services;
  • how long each of your organization's MSSs has been offered;
  • the growth rate of your organization's MSSs over the prior fiscal year;
  • how your organization's MSSs or your organization overall are ranked by top research firms such as Gartner and Forrester; and
  • any awards received for your organization's MSSs.




Vision and investment in those managed security services

Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's MSS initiative. Additionally, discuss the level of investment made by your organization—including in-house research and development—towards solving emerging cybersecurity challenges and improving your clients' return on investment (ROI).




Experience and references

Please provide details on:

  • how many clients you provide (or have provided) MSS to in our organization's industry;
  • whether any of them are willing to act as references for your services;
  • what experience your organization has in meeting the unique security monitoring requirements of our industry;
  • any examples of clients being a learning source for improving your service; and
  • any whitepapers, reports, etc. authored by your organization that are relevant to our industry.




Infrastructure, security, and related policies

Internal security policy and procedure

Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.




Business continuity and disaster recovery policy

Please describe your organization's P&P regarding business continuity and disaster recovery.




Security operation centers and related infrastructure

Does your organization use security operation centers (SOCs) to support its MSSs? If so, please provide details about:

  • whether or not you own and manage the SOCs;
  • where the primary and secondary SOCs are located;
  • where our data will be located;
  • what specifications are used for data in transit and at rest;
  • whether or not all SOCs are "always on" and available;
  • what level of redundancy is implemented within the SOCs;
  • how that redundancy limits service interruptions should an SOC go offline;
  • what level of scalability is available to clients with growth or contraction states; and
  • what qualifications and certifications apply to each SOC.




Physical security at security operation centers

Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity measures (e.g., fire suppression, backup power, etc.) put in place at your organization's SOCs. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at SOCs responded to?




Staffing at security operation centers

Please describe the staffing procedures at these SOCs, including what percentage of overall staff is dedicated purely to delivering and managing MSS activities and accounts. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any individual related to your organization's MSSs.




Independent infrastructure review

If your organization has received an independent review of its MSS infrastructure and services (e.g., SSAE 16), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.




Internal infrastructure review

If your organization has performed an internal review of its MSS infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review.




Auditing of your operations

If the results of your independent and/or internal review cannot be shared, will your organization allow us to—on our own or through a third party—audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?




Auditing of client data

Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?




Service: Threat intelligence

Research team

If your organization has a research team dedicated to threats and vulnerabilities, please describe the team, how it's integrated with an SOC's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.




Threat detection

Please describe the information sources the research team uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.




Use of and access to threat intelligence

Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of our devices and data. Finally, please describe what level of visibility and access a client has into this intelligence, as well as the research team itself.




Examples of action on threat intelligence

Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use.




Service: Vulnerability testing

Vulnerability testing basics

Please describe the architecture behind any vulnerability testing your organization may conduct, including configuration, scoping, and scheduling capabilities. Also describe the origin of testing protocols used. If your architecture supports web application scanning and testing for database vulnerabilities, please provide important details.




Vulnerability identification and confirmation

Please describe how vulnerabilities are identified and confirmed. If your organization has a process for identifying and reporting false positives, provide details. Additionally, if a process is in place to escalate and prioritize confirmed vulnerabilities, please describe it. Finally, is vulnerability data incorporated into overall security monitoring processes, and if so, in what ways? For example, can vulnerability testing results be correlated to other monitoring and analysis data to provide a status of being "on-target" or "off-target," along with an impact analysis rating?




Vulnerability testing process

Please provide details of how vulnerability testing is scheduled and how associated reports are delivered. Additionally, explain whether or not clients can conduct their own vulnerability testing and upload the results to you.




Internal and external testing

Please describe whether or not the vulnerability testing process can be run both internally and externally, and if so, on what infrastructure. If your organization provides internal vulnerability scanning as, or supports external vulnerability scanning through, a PCI Security Standards Council Approved Scanning Vendor (PCI ASV) for quarterly compliance, please provide details.




Service: Endpoint protection

Endpoint protection basics

Please describe any managed service your organization provides in regard to endpoint security. Address whether or not service agents must be installed at every endpoint and what bandwidth requirements they may have. Also, please describe whether the endpoint protection service is "always on" or acts as a scheduled service. Finally, state what management responsibilities are associated with the service, and by whom they are handled.




Visibility and notifications

Please provide information about how visible endpoint security is to clients. Describe what types of alerts are given in association with endpoint security and what, if any, remediation recommendations are provided.




Data retention

Please describe your organization's data retention policies related to endpoint data collected as part of the endpoint protection service.




Endpoint protection features

Please describe:

  • whether or not threat intelligence is integrated into your endpoint protection service;
  • what operating system (OS) endpoints are covered by the service; and
  • what level of remote incident response is supported and whether compromised endpoints can be quickly isolated from your organization's network.




Service: Malware protection

Malware protection basics

Please describe any managed service your organization provides in regard to malware protection. Address whether or not your service uses sandboxing technology, and if so, what type.




Malware protection features

Please describe:

  • whether or not threat intelligence is integrated into your malware protection service;
  • whether or not the service is able to detect malware designed to evade a traditional sandbox; and
  • whether or not the service is able to detect zero-day malware threats.




Service level and support

Please describe whether or not a "defense in depth" approach is taken with malware protection, and if so, whether this is included in the base service or offered at additional cost. Additionally, describe your policy on assisting clients with remediation in the event malware compromises client systems.




Service: Overall cloud security

Company philosophy or approach

Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is used. If such a team exists, also explain how that team's research is incorporated into MSS activities. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced and how work is handed off between them.




Technology and security

Please describe:

  • the technical architecture of your MSS in the cloud, including any associated hardware and software agents that are installed;
  • whether or not you can manage client devices, and if so, how;
  • how troubleshooting for any managed devices is handled and subsequently validated should changes need to be made;
  • what firewall performance monitoring your MSS is capable of in the cloud;
  • how managed and monitored intrusion prevention and detection is implemented as part of your MSS;
  • how security mechanisms built into your cloud solutions are activated; and
  • what integration requirements, if any, exist for securely connecting to data analysis, incident management, or other SOAR (security orchestration, automation, and response) tools.




Event correlations and rules

Please explain how event information can be used within your correlation and rules engine. Additionally, describe whether or not event correlations can be made across multiple client device types, across clients, and by user identity.




Vulnerability testing

Please describe what agreements, if any, your organization has with CSPs to perform different types of vulnerability assessments on their platforms.




Logging

Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, and how you gain visibility into anomalous activity. List the client and CSP log and event data sources and devices you support. Do you enrich log data with your own contextual elements, such as IP reputation scores and GeoIP2 data? Finally, provide background on your organizational policy regarding the retention and availability of collected log and event data.
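To make the "Event correlations and rules" and "Logging" questions above concrete for whoever evaluates vendor answers, the following is an added illustration (not part of this RFI template and not any vendor's product) of what cross-device, identity-keyed correlation with log enrichment looks like in practice. It normalizes events from two different device types (a VPN gateway and an endpoint detection agent), enriches source IPs with reputation and GeoIP lookups, and fires one alert when a remote login from a poorly rated IP is followed shortly by an endpoint detection for the same user. All log lines, reputation scores, GeoIP entries, and the rule itself are constructed sample data and assumptions for illustration.

```python
"""Added illustration of identity-keyed, cross-device event correlation with
log enrichment. Not from the RFI template or any vendor; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import ipaddress
import re

# Constructed enrichment tables standing in for a real IP-reputation feed
# and GeoIP database (0 = clean, 100 = known bad; "ZZ" = user-assigned code).
IP_REPUTATION = {"198.51.100.7": 90, "203.0.113.5": 10}
GEOIP = {"198.51.100.0/24": "ZZ", "203.0.113.0/24": "US"}

# Constructed raw log lines in two different device formats.
SAMPLE_LOGS = [
    "2024-05-01T08:00:00Z vpn user=alice src=198.51.100.7 action=login-success",
    "2024-05-01T08:00:10Z edr host=LAPTOP-22 user=alice src=198.51.100.7 verdict=credential-dumping",
    "2024-05-01T09:30:00Z vpn user=bob src=203.0.113.5 action=login-success",
]

VPN_RE = re.compile(r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<ip>\S+) action=(?P<action>\S+)$")
EDR_RE = re.compile(r"^(?P<ts>\S+) edr host=\S+ user=(?P<user>\S+) src=(?P<ip>\S+) verdict=(?P<action>\S+)$")


@dataclass
class Event:
    ts: datetime
    source: str          # device type the event came from ("vpn" or "edr")
    user: str            # identity the correlation is keyed on
    src_ip: str
    action: str
    reputation: int = 0  # filled in by enrich()
    country: str = "??"  # filled in by enrich()


def parse_line(line: str) -> Optional[Event]:
    """Normalize a VPN or EDR log line into a common Event; unknown formats are dropped."""
    for source, rx in (("vpn", VPN_RE), ("edr", EDR_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            return Event(ts, source, m["user"], m["ip"], m["action"])
    return None


def enrich(ev: Event) -> Event:
    """Attach a reputation score and country from the constructed lookup tables."""
    ev.reputation = IP_REPUTATION.get(ev.src_ip, 0)
    addr = ipaddress.ip_address(ev.src_ip)
    for net, country in GEOIP.items():
        if addr in ipaddress.ip_network(net):
            ev.country = country
            break
    return ev


def correlate(events, window=timedelta(minutes=5), min_reputation=50):
    """Rule (an assumption for illustration): a VPN login from an IP whose
    reputation score is at least min_reputation, followed within `window` by an
    EDR detection for the same user, yields one correlated alert."""
    alerts = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(ev.user, []).append(ev)
    for user, evs in by_user.items():
        logins = [e for e in evs if e.source == "vpn" and e.action == "login-success"]
        detections = [e for e in evs if e.source == "edr"]
        for login in logins:
            if login.reputation < min_reputation:
                continue
            for det in detections:
                if timedelta(0) <= det.ts - login.ts <= window:
                    alerts.append({
                        "user": user, "src_ip": login.src_ip, "country": login.country,
                        "reputation": login.reputation, "login_ts": login.ts,
                        "detection": det.action,
                    })
    return alerts


def run(lines=SAMPLE_LOGS):
    """Parse, enrich, and correlate a batch of raw log lines; returns the alert list."""
    events = [enrich(ev) for ev in map(parse_line, lines) if ev is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data only alice's activity produces an alert: her login comes from the badly rated 198.51.100.7 and is followed ten seconds later by an endpoint detection, while bob's login from a clean IP is ignored. A vendor answer to the questions above should make clear whether their engine can do this kind of join across device types and on user identity, and which enrichment sources feed the rule.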




Monitoring

If your MSS provides a cloud monitoring portal to clients, please describe it. Include details on what data is viewable and reportable, as well as whether or not a central dashboard for all types of data is available. If not, explain how clients are informed of security threats and other service-related activities. Additionally, if a client runs their own red team exercises on their infrastructure, does your organization have the capability to monitor for and detect those authorized red team activities, as well as report on them?




Incident response

Should a security threat be identified by your monitoring team, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident, including the handling of breach notification.




Hybrid and multicloud

Please describe how your cloud services and their associated technology enable and improve secure integrations in hybrid and multicloud scenarios.




Ancillary services

Please describe if your organization is capable of assisting clients with security audits and certifications of their cloud installations. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. How do teams associated with incident response and threat remediation services use their capabilities to provide value to the client?




Reporting

Approach to reporting

Please describe your organization's approach to meaningful reporting, including the selection of security metrics. Explain how your MSS reporting provides value to clients by demonstrating security effectiveness and quality return on investment (ROI).




Reporting basics

Please describe your organization's approach to standard reporting, including details such as:

  • report frequency;
  • access and distribution methods (e.g., portal, app, email, SMS);
  • format (e.g., PDF, Excel, HTML);
  • authenticity (i.e., can they be digitally signed and tracked);
  • the structure of the reporting interface;
  • whether or not the reporting interface can integrate with other systems, or vice versa;
  • any integration of reporting across different services; and
  • available and requestable report types, including pre-built, customizable, compliance, and regulatory reports.

If possible, provide examples such as sample reports or screenshots of your web-based interface. If reports can be customized, provide details of how this is accomplished.




Asset-based and ad-hoc reporting

Please explain any asset-based and ad-hoc reporting capabilities available as part of your managed security services. If asset-based reporting is available to clients, describe whether or not the service allows clients to create and group assets, assign criticality levels to them, scan them, and view events related to them. If ad-hoc reporting is available to clients, describe the request process and turnaround time (TAT) for such reports.




Availability

Please explain how long MSS reports and associated data are accessible after creation, as well as whether or not any of that information is archived.




Account management and support

Support basics

Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the primary and secondary communication mechanisms used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how inquiries and reported issues are escalated.




Help desk and support ticketing

Please indicate what help desk or ticketing functionality is available for clients having MSS-related incident and troubleshooting issues. How should clients go about using such tools to initiate the support process?




Availability, provisioning, and responsiveness

Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.




Client satisfaction

Please describe how your organization measures and reports (including frequency) client satisfaction with support and account services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.




Ancillary services

Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?




Service level agreements (SLAs) and contracts

SLA basics

Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain the cost implications of any differing service levels. Finally, explain whether or not your organization provides clients with a 30-day proof-of-concept test of the services so that your organization can validate its marketing and operational claims.




SLA failure

Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.




Contract termination

Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.




Service implementation

Implementation basics

Please describe your approach to implementing your MSS for clients. You should address:

  • the standard timeframe for implementation and onboarding (overall average or last 10 customers);
  • whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
  • what resources clients will require to support the implementation and throughout the contract's duration;
  • what device and database integrations are supported in an implementation;
  • whether or not unsupported devices and databases can be added for support;
  • how the impact or disruption of client resources is minimized during implementation; and
  • what your normalization and fine-tuning procedures are.




Completion and handoff

Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.




Multi-site implementations

Please describe the process used when implementing a service to a client with many geographically dispersed facilities.




Pricing

Pricing basics

Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and/or web-enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:

  • underlying "implied" costs,
  • initial "stand up" costs,
  • ongoing maintenance or subscription costs,
  • renewal-related price increases,
  • data download costs, and
  • termination costs.




References