{"ID":101011,"post_author":"9412100","post_date":"2022-02-11 17:00:38","post_date_gmt":"0000-00-00 00:00:00","post_content":"","post_title":"Choosing and Implementing a Cloud-based Service for Your Laboratory","post_excerpt":"","post_status":"draft","comment_status":"closed","ping_status":"closed","post_password":"","post_name":"","to_ping":"","pinged":"","post_modified":"2022-02-11 17:00:38","post_modified_gmt":"2022-02-11 22:00:38","post_content_filtered":"","post_parent":0,"guid":"https:\/\/www.limsforum.com\/?post_type=ebook&p=101011","menu_order":0,"post_type":"ebook","post_mime_type":"","comment_count":"0","filter":"","_ebook_metadata":{"enabled":"on","private":"0","guid":"1B2C446F-89D6-4707-8F89-3FD4E78A8F53","title":"Choosing and Implementing a Cloud-based Service for Your Laboratory","subtitle":"First Edition","cover_theme":"nico_3","cover_image":"https:\/\/www.limsforum.com\/wp-content\/plugins\/rdp-ebook-builder\/pl\/cover.php?cover_style=nico_3&subtitle=First+Edition&editor=Shawn+Douglas&title=Choosing+and+Implementing+a+Cloud-based+Service+for+Your+Laboratory&title_image=https%3A%2F%2Fs3.limsforum.com%2Fwww.limsforum.com%2Fwp-content%2Fuploads%2FCloud-computing-1.gif&publisher=LabLynx+Press","editor":"Shawn Douglas","publisher":"LabLynx Press","author_id":"26","image_url":"","items":{"9cc8b0dd65d5032d00360743f6ef5b8c_type":"article","9cc8b0dd65d5032d00360743f6ef5b8c_title":"RFI questions for MSSPs","9cc8b0dd65d5032d00360743f6ef5b8c_url":"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs","9cc8b0dd65d5032d00360743f6ef5b8c_plaintext":"\n\nBook:Choosing and Implementing a Cloud-based Service for Your Laboratory\/RFI questions for MSSPs\n\r\n\n\n Appendix 3. 
An RFI\/RFP for evaluating managed security services providers (MSSPs) \nWhether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of \"fact finding,\" acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.[1]\nWhat follows is a carefully selected set of \"questions\" for managed security services providers (MSSPs) posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. 
Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.\nSources used to compile this selection of RFI questions include:\n\nExpel's \"12 revealing questions to ask when evaluating an MSSP or MDR vendor\"[2]\nNTT Security's How to Write an MSSP RDP whitepaper[3]\nSecureworks' RFI\/RFP template[4]\nSolutionary's RFP\/RFI Questions for Managed Security Services whitepaper[5]\nThe U.S. Department of State's Bureau of Diplomatic Security's 2020 RFI requesting MSSP services[6]\n\r\n\n\n RFI\/RFP introduction \nIf you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:\n\na table of contents;\nan honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;\ndetails on how the RFI or RFP evaluation process will be conducted;\nbasis for award (if an RFP);\nthe calendar schedule (including times) for related events;\nhow to submit the document and any related questions about it, including response format; and\nyour organization's background, business requirements, and current technical environment.\n\r\n\n\nOrganization basics \nPrimary business objectives \nPlease describe the primary business objectives for your organization.\n\r\n\n\r\n\n\r\n\n\nOrganization history \nPlease give some background on your organization's history, including how long it has been offering managed security services (MSSs).\n\r\n\n\r\n\n\r\n\n\nFinancial stability \nPlease provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. 
If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability. \n\r\n\n\r\n\n\r\n\n\nManaged security services offered \nPlease describe the primary MSSs offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels.\n\r\n\n\r\n\n\r\n\n\nDetails about those managed security services \nPlease provide details about:\n\nnumber of MSSs clients specifically using your organization's device management, security monitoring, vulnerability testing, log management, and other security-based managed services;\nhow long each of your organization's MSSs has been offered;\nthe growth rate of your organization's MSSs over the prior fiscal year;\nhow your organization's MSSs or your organization overall are ranked by top research firms such as Gartner and Forrester; and\nany awards received for your organization's MSSs.\n\r\n\n\r\n\n\r\n\n\nVision and investment in those managed security services \nPlease provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's MSS initiative. 
Additionally, discuss the level of investment made by your organization\u2014including in-house research and development\u2014towards solving emerging cybersecurity challenges and improving your clients' return on investment (ROI).\n\r\n\n\r\n\n\r\n\n\nExperience and references \nPlease provide details on:\n\nhow many clients you provide (or have provided) MSS to in our organization's industry;\nwhether any of them are willing to act as references for your services;\nwhat experience your organization has in meeting the unique security monitoring requirements of our industry;\nany examples of clients being a learning source for improving your service; and\nany whitepapers, reports, etc. authored by your organization that are relevant to our industry.\n\r\n\n\r\n\n\r\n\n\n Infrastructure, security, and related policies \nInternal security policy and procedure \nPlease describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.\n\r\n\n\r\n\n\r\n\n\nBusiness continuity and disaster recovery policy \nPlease describe your organization's P&P regarding business continuity and disaster recovery.\n\r\n\n\r\n\n\r\n\n\nSecurity operation centers and related infrastructure \nDoes your organization use security operation centers (SOCs) to support its MSSs? 
If so, please provide details about:\n\nwhether or not you own and manage the SOCs;\nwhere the primary and secondary SOCs are located;\nwhere our data will be located;\nwhat specifications are used for data in transit and at rest;\nwhether or not all SOCs are \"always on\" and available;\nwhat level of redundancy is implemented within the SOCs;\nhow that redundancy limits service interruptions should an SOC go offline;\nwhat level of scalability is available to clients with growth or contraction states; and\nwhat qualifications and certifications apply to each SOC.\n\r\n\n\r\n\n\r\n\n\nPhysical security at security operation centers \nPlease describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity measures (e.g., fire suppression, backup power, etc.) put in place at your organization's SOCs. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at SOCs responded to?\n\r\n\n\r\n\n\r\n\n\nStaffing at security operation centers \nPlease describe the staffing procedures at these SOCs, including what percentage of overall staff is dedicated purely to delivering and managing MSS activities and accounts. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any individual related to your organization's MSSs.\n\r\n\n\r\n\n\r\n\n\nIndependent infrastructure review \nIf your organization has received an independent review of its MSS infrastructure and services (e.g., SSAE 16), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. 
If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.\n\r\n\n\r\n\n\r\n\n\nInternal infrastructure review \nIf your organization has performed an internal review of its MSS infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review.\n\r\n\n\r\n\n\r\n\n\nAuditing of your operations \nIf the results of your independent and\/or internal review cannot be shared, will your organization allow us to\u2014on our own or through a third party\u2014audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?\n\r\n\n\r\n\n\r\n\n\nAuditing of client data \nPlease describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?\n\r\n\n\r\n\n\r\n\n\nService: Threat intelligence \nResearch team \nIf your organization has a research team dedicated to threats and vulnerabilities, please describe the team, how it's integrated with an SOC's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission. \n\r\n\n\r\n\n\r\n\n\nThreat detection \nPlease describe the information sources the research team uses to gather threat intelligence. 
Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.\n\r\n\n\r\n\n\r\n\n\nUse of and access to threat intelligence \nPlease describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of our devices and data. Finally, please describe what level of visibility and access a client has into this intelligence, as well as the research team itself.\n\r\n\n\r\n\n\r\n\n\nExamples of action on threat intelligence \nPlease provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use.\n\r\n\n\r\n\n\r\n\n\nService: Vulnerability testing \nVulnerability testing basics \nPlease describe the architecture behind any vulnerability testing your organization may conduct, including configuration, scoping, and scheduling capabilities. Also describe the origin of testing protocols used. If your architecture supports web application scanning and testing for database vulnerabilities, please provide important details.\n\r\n\n\r\n\n\r\n\n\nVulnerability identification and confirmation \nPlease describe how vulnerabilities are identified and confirmed. If your organization has a process for identifying and reporting false positives, provide details. Additionally, if a process is in place to escalate and prioritize confirmed vulnerabilities, please describe it. Finally, is vulnerability data incorporated into overall security monitoring processes, and if so, in what ways? 
For example, can vulnerability testing results be correlated to other monitoring and analysis data to provide a status of being \"on-target\" or \"off-target,\" along with an impact analysis rating?\n\r\n\n\r\n\n\r\n\n\nVulnerability testing process \nPlease provide details of how vulnerability testing is scheduled and how associated reports are delivered. Additionally, explain whether or not clients can conduct their own vulnerability testing and upload the results to you.\n\r\n\n\r\n\n\r\n\n\nInternal and external testing \nPlease describe whether or not the vulnerability testing process can be run both internally and externally, and if so, on what infrastructure. If your organization provides internal vulnerability scanning as, or supports external vulnerability scanning through, a PCI Security Standards Council Approved Scanning Vendor (PCI ASV) for quarterly compliance, please provide details.\n\r\n\n\r\n\n\r\n\n\nService: Endpoint protection \nEndpoint protection basics \nPlease describe any managed service your organization provides in regard to endpoint security. Address whether or not service agents must be installed at every endpoint and what bandwidth requirements they may have. Also, please describe whether the endpoint protection service is \"always on\" or acts as a scheduled service. Also state what management responsibilities are associated with the service, and by whom.\n\r\n\n\r\n\n\r\n\n\nVisibility and notifications \nPlease provide information about how visible endpoint security is to clients. 
Describe what types of alerts are given in association with endpoint security and what, if any, remediation recommendations are provided.\n\r\n\n\r\n\n\r\n\n\nData retention \nPlease describe your organization's data retention policies related to endpoint data collected as part of the endpoint protection service.\n\r\n\n\r\n\n\r\n\n\nEndpoint protection features \nPlease describe:\n\nwhether or not threat intelligence is integrated into your endpoint protection service;\nwhat operating system (OS) endpoints are covered by the service; and\nwhat level of remote incident response is supported and whether compromised endpoints can be quickly isolated from your organization's network.\n\r\n\n\r\n\n\r\n\n\nService: Malware protection \nMalware protection basics \nPlease describe any managed service your organization provides in regard to malware protection. Address whether or not your service uses sandboxing technology, and if so, what type.\n\r\n\n\r\n\n\r\n\n\nMalware protection features \nPlease describe:\n\nwhether or not threat intelligence is integrated into your malware protection service;\nwhether or not the service is able to detect malware designed to evade a traditional sandbox; and\nwhether or not the service is able to detect zero-day malware threats.\n\r\n\n\r\n\n\r\n\n\nService level and support \nPlease describe whether or not a \"defense in depth\" approach is taken with malware protection, and if so, whether this is a complimentary part of the service or at additional cost. Additionally, describe your policy about assisting clients with remediation in the event of malware compromising client systems.\n\r\n\n\r\n\n\r\n\n\nService: Overall cloud security \nCompany philosophy or approach \nPlease describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. 
Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how the research from that team is incorporated into MSS activities. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.\n\r\n\n\r\n\n\r\n\n\nTechnology and security \nPlease describe:\n\nthe technical architecture of your MSS in the cloud, including any associated hardware and software agents that are installed;\nwhether or not you can manage client devices, and if so, how;\nhow troubleshooting for any managed devices is handled and subsequently validated should changes need to be made;\nwhat firewall performance monitoring your MSS is capable of in the cloud;\nhow managed and monitored intrusion prevention and detection is implemented as part of your MSS;\nhow security mechanisms built into your cloud solutions are activated; and\nwhat integration requirements, if any, exist for securely connecting to data analysis, incident management, or other SOAR (security orchestration, automation, and response) tools.\n\r\n\n\r\n\n\r\n\n\nEvent correlations and rules \nPlease explain how event information can be used within your correlation and rules engine. Additionally, describe whether or not event correlations can be made across multiple client device types, across clients, and by user identity.\n\r\n\n\r\n\n\r\n\n\nVulnerability testing \nPlease describe what agreements, if any, your organization has with CSPs to perform different types of vulnerability assessments on their platforms.\n\r\n\n\r\n\n\r\n\n\nLogging \nPlease describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data and how you're able to gain visibility into anomalous activity. 
List the log and event data sources and devices you support by clients and other CSPs. Do you enrich log data with your own contextual elements such as IP reputation scores and GeoIP2 data? Finally, provide background on your organizational policy in regard to retaining and making available collected log and event data.\n\r\n\n\r\n\n\r\n\n\nMonitoring \nIf your MSS provides a cloud monitoring portal to clients, please describe it. Include details on what data is viewable and reportable, as well as whether or not a central dashboard for all types of data is available. If not, explain how clients are informed of security threats and other service-related activities. Additionally, if a client runs their own red team exercises on their infrastructure, does your organization have the capability of monitoring for and detecting those authorized red team activities, as well as reporting on them?\n\r\n\n\r\n\n\r\n\n\nIncident response \nShould a security threat be identified by your monitoring team, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident, including the handling of breach notification.\n\r\n\n\r\n\n\r\n\n\nHybrid and multicloud \nPlease describe how your cloud services and their associated technology enable and improve secure integrations in hybrid and multicloud scenarios.\n\r\n\n\r\n\n\r\n\n\nAncillary services \nPlease describe if your organization is capable of assisting clients with security audits and certifications of their cloud installations. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. 
How do teams associated with incident response and threat remediation services use their capabilities to provide value to the client?\n\r\n\n\r\n\n\r\n\n\nReporting \nApproach to reporting \nPlease describe your organization's approach to meaningful reporting, including the selection of security metrics. Explain how your MSS reporting provides value to clients by demonstrating security effectiveness and quality return on investment (ROI).\n\r\n\n\r\n\n\r\n\n\nReporting basics \nPlease describe your organization's approach to standard reporting, including details such as:\n\nreport frequency;\naccess and distribution methods (e.g., portal, app, email, SMS);\nformat (e.g., PDF, Excel, HTML);\nauthenticity (i.e., can they be digitally signed and tracked);\nthe structure of the reporting interface;\nwhether or not the reporting interface can integrate with other systems, or vice versa;\nany integration of reporting across different services; and\navailable and requestable report types, including pre-built, customizable, compliance, and regulatory reports.\nIf possible, provide examples such as sample reports or screenshots of your web-based interface. If reports can be customized, provide details of how this is accomplished.\n\r\n\n\r\n\n\r\n\n\nAsset-based and ad-hoc reporting \nPlease explain any asset-based and ad-hoc reporting capabilities available as part of your managed security services. If asset-based reporting is available to clients, describe whether or not the service allows clients to create and group assets, assign criticality levels to them, scan them, and view events related to them. 
If ad-hoc reporting is available to clients, describe the request process and turnaround time (TAT) for such reports.\n\r\n\n\r\n\n\r\n\n\nAvailability \nPlease explain how long MSS reports and associated data are accessible after creation, as well as whether or not any of that information is archived.\n\nAccount management and support \nSupport basics \nPlease describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.\n\r\n\n\r\n\n\r\n\n\nHelp desk and support ticketing \nPlease indicate what help desk or ticketing functionality is available for clients having MSS-related incident and troubleshooting issues. How should clients go about using such tools to initiate the support process?\n\r\n\n\r\n\n\r\n\n\n Availability, provisioning, and responsiveness \nPlease indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.\n\r\n\n\r\n\n\r\n\n\nClient satisfaction \nPlease describe how your organization measures and reports (including frequency) client satisfaction with support and account services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.\n\r\n\n\r\n\n\r\n\n\nAncillary services \nPlease indicate whether or not your organization provides value-added support services, and if so what type. 
Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?\n\r\n\n\r\n\n\r\n\n\n Service level agreements (SLAs) and contracts \nSLA basics \nPlease describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.\n\r\n\n\r\n\n\r\n\n\nSLA failure \nPlease explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.\n\r\n\n\r\n\n\r\n\n\nContract termination \nPlease describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.\n\r\n\n\r\n\n\r\n\n\nService implementation \nImplementation basics \nPlease describe your approach to implementing your MSS for clients. 
You should address:\n\nthe standard timeframe for implementation and onboarding (overall average or last 10 customers);\nwhether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;\nwhat resources clients will require to support the implementation and throughout the contract's duration;\nwhat device and database integrations are supported in an implementation;\nwhether or not unsupported devices and databases can be added for support;\nhow the impact or disruption of client resources is minimized during implementation; and\nwhat your normalization and fine-tuning procedures are.\n\r\n\n\r\n\n\r\n\n\nCompletion and handoff \nPlease describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.\n\r\n\n\r\n\n\r\n\n\nMulti-site implementations \nPlease describe the process used when implementing a service to a client with many geographically dispersed facilities.\n\r\n\n\r\n\n\r\n\n\nPricing \nPricing basics \nPlease describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and\/or web-enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:\n\nunderlying \"implied\" costs,\ninitial \"stand up\" costs,\nongoing maintenance or subscription costs,\nrenewal-related price increases,\ndata download costs, and\ntermination costs.\n\r\n\n\r\n\n\r\n\n\nReferences \n\n\n\u2191 1.0 1.1 Holmes, T. (11 February 2022). 
\"It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner\". AllCloud Blog. https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 Korff, Y. (19 February 2019). \"12 revealing questions to ask when evaluating an MSSP or MDR vendor\". Expel blog. Expel, Inc. https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 \"How to Write an MSSP RDP\". NTT Security. September 2016. https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1 . Retrieved 21 August 2021 .   \n \n\n\u2191 \"Secureworks Guide to Building a Cloud MSSP RFP Template\" (DOCX). Secureworks. Archived from the original on 08 May 2021. https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 . Retrieved 21 August 2021 .   \n \n\n\u2191 \"RFP\/RFI Questions for Managed Security Services: Sample MSSP RFP Template\". Solutionary, Inc. September 2015. https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html . Retrieved 21 August 2021 .   \n \n\n\u2191 U.S. Department of State (24 October 2020). \"Cloud Mission Support Request for Information\". SAM.gov. https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view . Retrieved 21 August 2021 .   \n \n\n\n\r\n\n\nCitation information for this chapter \nChapter: Appendix 3. RFI questions for MSSPs\nTitle: Choosing and Implementing a Cloud-based Service for Your Laboratory\nEdition: First edition\nAuthor for citation: Shawn E. 
Douglas\nLicense for content: Creative Commons Attribution-ShareAlike 4.0 International\nPublication date: August 2021\n\r\n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\">https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs<\/a>\nThis page was last edited on 9 February 2022, at 20:46.\n","9cc8b0dd65d5032d00360743f6ef5b8c_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory_RFI_questions_for_MSSPs rootpage-Book_Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory_RFI_questions_for_MSSPs skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Choosing and Implementing a Cloud-based 
Service for Your Laboratory\/RFI questions for MSSPs<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\"><div align=\"center\">-----Return to <a href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/Introduction\" title=\"Book:Choosing and Implementing a Cloud-based Service for Your Laboratory\/Introduction\" class=\"wiki-link\" data-key=\"a5122d160da552b7fab8ca62d4bc6155\">the beginning<\/a> of this guide-----<\/div>\n<p><br \/>\n<\/p>\n<h1><span id=\"rdp-ebb-Appendix_3._An_RFI\/RFP_for_evaluating_managed_security_services_providers_(MSSPs)\"><\/span><span class=\"mw-headline\" id=\"Appendix_3._An_RFI.2FRFP_for_evaluating_managed_security_services_providers_.28MSSPs.29\">Appendix 3. An RFI\/RFP for evaluating managed security services providers (MSSPs)<\/span><\/h1>\n<p>Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of \"fact finding,\" acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. 
However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<sup id=\"rdp-ebb-cite_ref-HolmesItsAMatch_1-0\" class=\"reference\"><a href=\"#cite_note-HolmesItsAMatch-1\">[1]<\/a><\/sup>\n<\/p><p>What follows are a carefully selected set of \"questions\" for managed security services providers (MSSPs) posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<sup id=\"rdp-ebb-cite_ref-HolmesItsAMatch_1-1\" class=\"reference\"><a href=\"#cite_note-HolmesItsAMatch-1\">[1]<\/a><\/sup> Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.\n<\/p><p>Sources used to compile this selection of RFI questions include:\n<\/p>\n<ul><li>Expel's \"12 revealing questions to ask when evaluating an MSSP or MDR vendor\"<sup id=\"rdp-ebb-cite_ref-Korff12Rev19_2-0\" class=\"reference\"><a href=\"#cite_note-Korff12Rev19-2\">[2]<\/a><\/sup><\/li>\n<li>NTT Security's <i>How to Write an MSSP RDP<\/i> whitepaper<sup id=\"rdp-ebb-cite_ref-NTTSHowTo16_3-0\" class=\"reference\"><a href=\"#cite_note-NTTSHowTo16-3\">[3]<\/a><\/sup><\/li>\n<li>Secureworks' RFI\/RFP template<sup id=\"rdp-ebb-cite_ref-SWGuideToBuild_4-0\" class=\"reference\"><a href=\"#cite_note-SWGuideToBuild-4\">[4]<\/a><\/sup><\/li>\n<li>Solutionary's <i>RFP\/RFI Questions for Managed Security Services<\/i> whitepaper<sup id=\"rdp-ebb-cite_ref-SolutionaryRFP15_5-0\" class=\"reference\"><a href=\"#cite_note-SolutionaryRFP15-5\">[5]<\/a><\/sup><\/li>\n<li>The U.S. 
Department of State's Bureau of Diplomatic Security's 2020 RFI requesting MSSP services<sup id=\"rdp-ebb-cite_ref-SAMCloudMiss20_6-0\" class=\"reference\"><a href=\"#cite_note-SAMCloudMiss20-6\">[6]<\/a><\/sup><\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-RFI\/RFP_introduction\"><\/span><span class=\"mw-headline\" id=\"RFI.2FRFP_introduction\">RFI\/RFP introduction<\/span><\/h2>\n<p>If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:\n<\/p>\n<ul><li>a table of contents;<\/li>\n<li>an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;<\/li>\n<li>details on how the RFI or RFP evaluation process will be conducted;<\/li>\n<li>basis for award (if an RFP);<\/li>\n<li>the calendar schedule (including times) for related events;<\/li>\n<li>how to submit the document and any related questions about it, including response format; and<\/li>\n<li>your organization's background, business requirements, and current technical environment.<\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Organization_basics\">Organization basics<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Primary_business_objectives\">Primary business objectives<\/span><\/h3>\n<p>Please describe the primary business objectives for your organization.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Organization_history\">Organization history<\/span><\/h3>\n<p>Please give some background on your organization's history, including how long it has been offering managed security services (MSSs).\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Financial_stability\">Financial stability<\/span><\/h3>\n<p>Please provide information concerning the financial stability of your organization. 
If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability. \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Managed_security_services_offered\">Managed security services offered<\/span><\/h3>\n<p>Please describe the primary MSSs offered by your organization, particularly any that may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Details_about_those_managed_security_services\">Details about those managed security services<\/span><\/h3>\n<p>Please provide details about:\n<\/p>\n<ul><li>the number of MSS clients specifically using your organization's device management, security monitoring, vulnerability testing, log management, and other security-based managed services;<\/li>\n<li>how long each of your organization's MSSs has been offered;<\/li>\n<li>the growth rate of your organization's MSSs over the prior fiscal year;<\/li>\n<li>how your organization's MSSs or your organization overall are ranked by top research firms such as Gartner and Forrester; and<\/li>\n<li>any awards received for your organization's MSSs.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vision_and_investment_in_those_managed_security_services\">Vision and investment in those managed security services<\/span><\/h3>\n<p>Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party 
technologies as part of your organization's MSS initiative. Additionally, discuss the level of investment made by your organization\u2014including in-house research and development\u2014towards solving emerging cybersecurity challenges and improving your clients' return on investment (ROI).\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Experience_and_references\">Experience and references<\/span><\/h3>\n<p>Please provide details on:\n<\/p>\n<ul><li>how many clients you provide (or have provided) MSS to in our organization's industry;<\/li>\n<li>whether any of them are willing to act as references for your services;<\/li>\n<li>what experience your organization has in meeting the unique security monitoring requirements of our industry;<\/li>\n<li>any examples of clients being a learning source for improving your service; and<\/li>\n<li>any whitepapers, reports, etc. authored by your organization that are relevant to our industry.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-Infrastructure,_security,_and_related_policies\"><\/span><span class=\"mw-headline\" id=\"Infrastructure.2C_security.2C_and_related_policies\">Infrastructure, security, and related policies<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Internal_security_policy_and_procedure\">Internal security policy and procedure<\/span><\/h3>\n<p>Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. 
Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Business_continuity_and_disaster_recovery_policy\">Business continuity and disaster recovery policy<\/span><\/h3>\n<p>Please describe your organization's P&P regarding business continuity and disaster recovery.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Security_operation_centers_and_related_infrastructure\">Security operation centers and related infrastructure<\/span><\/h3>\n<p>Does your organization use security operation centers (SOCs) to support its MSSs? If so, please provide details about:\n<\/p>\n<ul><li>whether or not you own and manage the SOCs;<\/li>\n<li>where the primary and secondary SOCs are located;<\/li>\n<li>where our data will be located;<\/li>\n<li>what specifications are used for data in transit and at rest;<\/li>\n<li>whether or not all SOCs are \"always on\" and available;<\/li>\n<li>what level of redundancy is implemented within the SOCs;<\/li>\n<li>how that redundancy limits service interruptions should an SOC go offline;<\/li>\n<li>what level of scalability is available to clients with growth or contraction states; and<\/li>\n<li>what qualifications and certifications apply to each SOC.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Physical_security_at_security_operation_centers\">Physical security at security operation centers<\/span><\/h3>\n<p>Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity measures (e.g., fire suppression, backup power, etc.) put in place at your organization's SOCs. Also address visitor procedures and how they are conducted. 
How are unauthorized access attempts at SOCs responded to?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Staffing_at_security_operation_centers\">Staffing at security operation centers<\/span><\/h3>\n<p>Please describe the staffing procedures at these SOCs, including what percentage of overall staff is dedicated purely to delivering and managing MSS activities and accounts. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any individual related to your organization's MSSs.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Independent_infrastructure_review\">Independent infrastructure review<\/span><\/h3>\n<p>If your organization has received an independent review of its MSS infrastructure and services (e.g., SSAE 16), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Internal_infrastructure_review\">Internal infrastructure review<\/span><\/h3>\n<p>If your organization has performed an internal review of its MSS infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. 
If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Auditing_of_your_operations\">Auditing of your operations<\/span><\/h3>\n<p>If the results of your independent and\/or internal review cannot be shared, will your organization allow us to\u2014on our own or through a third party\u2014audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Auditing_of_client_data\">Auditing of client data<\/span><\/h3>\n<p>Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service:_Threat_intelligence\">Service: Threat intelligence<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Research_team\">Research team<\/span><\/h3>\n<p>If your organization has a research team dedicated to threats and vulnerabilities, please describe the team, how it's integrated with an SOC's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission. \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Threat_detection\">Threat detection<\/span><\/h3>\n<p>Please describe the information sources the research team uses to gather threat intelligence. 
Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Use_of_and_access_to_threat_intelligence\">Use of and access to threat intelligence<\/span><\/h3>\n<p>Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of our devices and data. Finally, please describe what level of visibility and access a client has into this intelligence, as well as the research team itself.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Examples_of_action_on_threat_intelligence\">Examples of action on threat intelligence<\/span><\/h3>\n<p>Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service:_Vulnerability_testing\">Service: Vulnerability testing<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_testing_basics\">Vulnerability testing basics<\/span><\/h3>\n<p>Please describe the architecture behind any vulnerability testing your organization may conduct, including configuration, scoping, and scheduling capabilities. Also describe the origin of testing protocols used. 
If your architecture supports web application scanning and testing for database vulnerabilities, please provide important details.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_identification_and_confirmation\">Vulnerability identification and confirmation<\/span><\/h3>\n<p>Please describe how vulnerabilities are identified and confirmed. If your organization has a process for identifying and reporting false positives, provide details. Additionally, if a process is in place to escalate and prioritize confirmed vulnerabilities, please describe it. Finally, is vulnerability data incorporated into overall security monitoring processes, and if so, in what ways? For example, can vulnerability testing results be correlated to other monitoring and analysis data to provide a status of being \"on-target\" or \"off-target,\" along with an impact analysis rating?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_testing_process\">Vulnerability testing process<\/span><\/h3>\n<p>Please provide details of how vulnerability testing is scheduled and how associated reports are delivered. Additionally, explain whether or not clients can conduct their own vulnerability testing and upload the results to you.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Internal_and_external_testing\">Internal and external testing<\/span><\/h3>\n<p>Please describe whether or not the vulnerability testing process can be run both internally and externally, and if so, on what infrastructure. 
If your organization provides internal vulnerability scanning as, or supports external vulnerability scanning through, a PCI Security Standards Council Approved Scanning Vendor (PCI ASV) for quarterly compliance, please provide details.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service:_Endpoint_protection\">Service: Endpoint protection<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Endpoint_protection_basics\">Endpoint protection basics<\/span><\/h3>\n<p>Please describe any managed service your organization provides in regard to endpoint security. Address whether or not service agents must be installed at every endpoint and what bandwidth requirements they may have. Also, please describe whether the endpoint protection service is \"always on\" or acts as a scheduled service. Also state what management responsibilities are associated with the service, and by whom.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Visibility_and_notifications\">Visibility and notifications<\/span><\/h3>\n<p>Please provide information about how visible endpoint security is to clients. 
Describe what types of alerts are given in association with endpoint security and what, if any, remediation recommendations are provided.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Data_retention\">Data retention<\/span><\/h3>\n<p>Please describe your organization's data retention policies related to endpoint data collected as part of the endpoint protection service.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Endpoint_protection_features\">Endpoint protection features<\/span><\/h3>\n<p>Please describe:\n<\/p>\n<ul><li>whether or not threat intelligence is integrated into your endpoint protection service;<\/li>\n<li>what operating system (OS) endpoints are covered by the service; and<\/li>\n<li>what level of remote incident response is supported and whether compromised endpoints can be quickly isolated from your organization's network.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service:_Malware_protection\">Service: Malware protection<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Malware_protection_basics\">Malware protection basics<\/span><\/h3>\n<p>Please describe any managed service your organization provides in regard to malware protection. 
Address whether or not your service uses sandboxing technology, and if so, what type.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Malware_protection_features\">Malware protection features<\/span><\/h3>\n<p>Please describe:\n<\/p>\n<ul><li>whether or not threat intelligence is integrated into your malware protection service;<\/li>\n<li>whether or not the service is able to detect malware designed to evade a traditional sandbox; and<\/li>\n<li>whether or not the service is able to detect zero-day malware threats.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Service_level_and_support\">Service level and support<\/span><\/h3>\n<p>Please describe whether or not a \"defense in depth\" approach is taken with malware protection, and if so, whether this is a complimentary part of the service or at additional cost. Additionally, describe your policy about assisting clients with remediation in the event of malware compromising client systems.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service:_Overall_cloud_security\">Service: Overall cloud security<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Company_philosophy_or_approach\">Company philosophy or approach<\/span><\/h3>\n<p>Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how research from that team is incorporated into MSS activities. 
Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Technology_and_security\">Technology and security<\/span><\/h3>\n<p>Please describe:\n<\/p>\n<ul><li>the technical architecture of your MSS in the cloud, including any associated hardware and software agents that are installed;<\/li>\n<li>whether or not you can manage client devices, and if so, how;<\/li>\n<li>how troubleshooting for any managed devices is handled and subsequently validated should changes need to be made;<\/li>\n<li>what firewall performance monitoring your MSS is capable of in the cloud;<\/li>\n<li>how managed and monitored intrusion prevention and detection is implemented as part of your MSS;<\/li>\n<li>how security mechanisms built into your cloud solutions are activated; and<\/li>\n<li>what integration requirements, if any, exist for securely connecting to data analysis, incident management, or other SOAR (security orchestration, automation, and response) tools.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Event_correlations_and_rules\">Event correlations and rules<\/span><\/h3>\n<p>Please explain how event information can be used within your correlation and rules engine. 
Additionally, describe whether or not event correlations can be made across multiple client device types, across clients, and by user identity.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_testing\">Vulnerability testing<\/span><\/h3>\n<p>Please describe what agreements, if any, your organization has with CSPs to perform different types of vulnerability assessments on their platforms.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Logging\">Logging<\/span><\/h3>\n<p>Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data and how you're able to gain visibility into anomalous activity. List the log and event data sources and devices you support by clients and other CSPs. Do you enrich log data with your own contextual elements such as IP reputation scores and GeoIP2 data? Finally, provide background on your organizational policy in regard to retaining and making available collected log and event data.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Monitoring\">Monitoring<\/span><\/h3>\n<p>If your MSS provides a cloud monitoring portal to clients, please describe it. Include details on what data is viewable and reportable, as well as whether or not a central dashboard for all types of data is available. If not, explain how clients are informed of security threats and other service-related activities. 
Additionally, if a client runs their own red team exercises on their infrastructure, does your organization have the capability of monitoring for and detecting those authorized red team activities, as well as reporting on them?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Incident_response\">Incident response<\/span><\/h3>\n<p>Should a security threat be identified by your monitoring team, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident, including the handling of breach notification.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Hybrid_and_multicloud\">Hybrid and multicloud<\/span><\/h3>\n<p>Please describe how your cloud services and their associated technology enable and improve secure integrations in hybrid and multicloud scenarios.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Ancillary_services\">Ancillary services<\/span><\/h3>\n<p>Please describe if your organization is capable of assisting clients with security audits and certifications of their cloud installations. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. How do teams associated with incident response and threat remediation services use their capabilities to provide value to the client?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Reporting\">Reporting<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Approach_to_reporting\">Approach to reporting<\/span><\/h3>\n<p>Please describe your organization's approach to meaningful reporting, including the selection of security metrics. 
Explain how your MSS reporting provides value to clients by demonstrating security effectiveness and quality return on investment (ROI).\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Reporting_basics\">Reporting basics<\/span><\/h3>\n<p>Please describe your organization's approach to standard reporting, including details such as:\n<\/p>\n<ul><li>report frequency;<\/li>\n<li>access and distribution methods (e.g., portal, app, email, SMS);<\/li>\n<li>format (e.g., PDF, Excel, HTML);<\/li>\n<li>authenticity (i.e., can they be digitally signed and tracked);<\/li>\n<li>the structure of the reporting interface;<\/li>\n<li>whether or not the reporting interface can integrate with other systems, or vice versa;<\/li>\n<li>any integration of reporting across different services; and<\/li>\n<li>available and requestable report types, including pre-built, customizable, compliance, and regulatory reports.<\/li><\/ul>\n<p>If possible, provide examples such as sample reports or screenshots of your web-based interface. If reports can be customized, provide details of how this is accomplished.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Asset-based_and_ad-hoc_reporting\">Asset-based and ad-hoc reporting<\/span><\/h3>\n<p>Please explain any asset-based and ad-hoc reporting capabilities available as part of your managed security services. If asset-based reporting is available to clients, describe whether or not the service allows clients to create and group assets, assign criticality levels to them, scan them, and view events related to them. 
If ad-hoc reporting is available to clients, describe the request process and turnaround time (TAT) for such reports.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Availability\">Availability<\/span><\/h3>\n<p>Please explain how long MSS reports and associated data are accessible after creation, as well as whether or not any of that information is archived.\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Account_management_and_support\">Account management and support<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Support_basics\">Support basics<\/span><\/h3>\n<p>Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Help_desk_and_support_ticketing\">Help desk and support ticketing<\/span><\/h3>\n<p>Please indicate what help desk or ticketing functionality is available for clients having MSS-related incident and troubleshooting issues. How should clients go about using such tools to initiate the support process?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span id=\"rdp-ebb-Availability,_provisioning,_and_responsiveness\"><\/span><span class=\"mw-headline\" id=\"Availability.2C_provisioning.2C_and_responsiveness\">Availability, provisioning, and responsiveness<\/span><\/h3>\n<p>Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. 
Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Client_satisfaction\">Client satisfaction<\/span><\/h3>\n<p>Please describe how your organization measures and reports (including frequency) client satisfaction with support and account services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Ancillary_services_2\">Ancillary services<\/span><\/h3>\n<p>Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-Service_level_agreements_(SLAs)_and_contracts\"><\/span><span class=\"mw-headline\" id=\"Service_level_agreements_.28SLAs.29_and_contracts\">Service level agreements (SLAs) and contracts<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"SLA_basics\">SLA basics<\/span><\/h3>\n<p>Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. 
Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"SLA_failure\">SLA failure<\/span><\/h3>\n<p>Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Contract_termination\">Contract termination<\/span><\/h3>\n<p>Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service_implementation\">Service implementation<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Implementation_basics\">Implementation basics<\/span><\/h3>\n<p>Please describe your approach to implementing your MSS for clients. 
You should address:\n<\/p>\n<ul><li>the standard timeframe for implementation and onboarding (overall average or last 10 customers);<\/li>\n<li>whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;<\/li>\n<li>what resources clients will require to support the implementation and throughout the contract's duration;<\/li>\n<li>what device and database integrations are supported in an implementation;<\/li>\n<li>whether or not unsupported devices and databases can be added for support;<\/li>\n<li>how the impact or disruption of client resources is minimized during implementation; and<\/li>\n<li>what your normalization and fine-tuning procedures are.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Completion_and_handoff\">Completion and handoff<\/span><\/h3>\n<p>Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Multi-site_implementations\">Multi-site implementations<\/span><\/h3>\n<p>Please describe the process used when implementing a service to a client with many geographically dispersed facilities.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Pricing\">Pricing<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Pricing_basics\">Pricing basics<\/span><\/h3>\n<p>Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). 
Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and\/or web enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:\n<\/p>\n<ul><li>underlying \"implied\" costs,<\/li>\n<li>initial \"stand up\" costs,<\/li>\n<li>ongoing maintenance or subscription costs,<\/li>\n<li>renewal-related price increases,<\/li>\n<li>data download costs, and<\/li>\n<li>termination costs.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<div class=\"mw-references-wrap\"><ol class=\"references\">\n<li id=\"cite_note-HolmesItsAMatch-1\"><span class=\"mw-cite-backlink\">\u2191 <sup><a href=\"#cite_ref-HolmesItsAMatch_1-0\">1.0<\/a><\/sup> <sup><a href=\"#cite_ref-HolmesItsAMatch_1-1\">1.1<\/a><\/sup><\/span> <span class=\"reference-text\"><span class=\"citation web\">Holmes, T. (11 February 2022). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/\" target=\"_blank\">\"It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner\"<\/a>. <i>AllCloud Blog<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/\" target=\"_blank\">https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=It%27s+a+Match%3A+How+to+Run+a+Good+RFI%2C+RFP%2C+or+RFQ+and+Find+the+Right+Partner&rft.atitle=AllCloud+Blog&rft.aulast=Holmes%2C+T.&rft.au=Holmes%2C+T.&rft.date=11+February+2022&rft_id=https%3A%2F%2Fallcloud.io%2Fblog%2Fits-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-Korff12Rev19-2\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-Korff12Rev19_2-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Korff, Y. (19 February 2019). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/\" target=\"_blank\">\"12 revealing questions to ask when evaluating an MSSP or MDR vendor\"<\/a>. <i>Expel blog<\/i>. Expel, Inc<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/\" target=\"_blank\">https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=12+revealing+questions+to+ask+when+evaluating+an+MSSP+or+MDR+vendor&rft.atitle=Expel+blog&rft.aulast=Korff%2C+Y.&rft.au=Korff%2C+Y.&rft.date=19+February+2019&rft.pub=Expel%2C+Inc&rft_id=https%3A%2F%2Fexpel.io%2Fblog%2F12-revealing-questions-when-evaluating-mssp-mdr-vendor%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-NTTSHowTo16-3\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-NTTSHowTo16_3-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1\" target=\"_blank\">\"How to Write an MSSP RDP\"<\/a>. NTT Security. September 2016<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1\" target=\"_blank\">https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=How+to+Write+an+MSSP+RDP&rft.atitle=&rft.date=September+2016&rft.pub=NTT+Security&rft_id=https%3A%2F%2Fwww.nttsecurity.com%2Fdocs%2Flibrariesprovider3%2Fresources%2Fus_whitepaper_mssp_rfp_uea_v1&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SWGuideToBuild-4\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SWGuideToBuild_4-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">\"Secureworks Guide to Building a Cloud MSSP RFP Template\"<\/a> (DOCX). Secureworks. Archived from <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">the original<\/a> on 08 May 2021<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Secureworks+Guide+to+Building+a+Cloud+MSSP+RFP+Template&rft.atitle=&rft.pub=Secureworks&rft_id=https%3A%2F%2Fweb.archive.org%2Fweb%2F20210508225741%2Fhttps%3A%2F%2Fpcdnscwx001.azureedge.net%2F%7E%2Fmedia%2FFiles%2FUS%2FWhite%2520Papers%2FSecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx%3Fmodified%3D20170714201638&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SolutionaryRFP15-5\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SolutionaryRFP15_5-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html\" target=\"_blank\">\"RFP\/RFI Questions for Managed Security Services: Sample MSSP RFP Template\"<\/a>. Solutionary, Inc. September 2015<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html\" target=\"_blank\">https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=RFP%2FRFI+Questions+for+Managed+Security+Services%3A+Sample+MSSP+RFP+Template&rft.atitle=&rft.date=September+2015&rft.pub=Solutionary%2C+Inc&rft_id=https%3A%2F%2Fdocecity.com%2Frfp-sample-questions-for-managed-security-services.html&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SAMCloudMiss20-6\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SAMCloudMiss20_6-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">U.S. Department of State (24 October 2020). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view\" target=\"_blank\">\"Cloud Mission Support Request for Information\"<\/a>. <i>SAM.gov<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view\" target=\"_blank\">https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cloud+Mission+Support+Request+for+Information&rft.atitle=SAM.gov&rft.aulast=U.S.+Department+of+State&rft.au=U.S.+Department+of+State&rft.date=24+October+2020&rft_id=https%3A%2F%2Fbeta.sam.gov%2Fopp%2F91dc7217b32b459695b27339f4b5d9aa%2Fview&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<\/ol><\/div><\/div>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Citation_information_for_this_chapter\">Citation information for this chapter<\/span><\/h2>\n<p><b>Chapter<\/b>: Appendix 3. RFI questions for MSSPs\n<\/p><p><b>Title<\/b>: <i>Choosing and Implementing a Cloud-based Service for Your Laboratory<\/i>\n<\/p><p><b>Edition<\/b>: First edition\n<\/p><p><b>Author for citation<\/b>: Shawn E. 
Douglas\n<\/p><p><b>License for content<\/b>: <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/creativecommons.org\/licenses\/by-sa\/4.0\/\" target=\"_blank\">Creative Commons Attribution-ShareAlike 4.0 International<\/a>\n<\/p><p><b>Publication date<\/b>: August 2021\n<\/p><p><br \/>\n<\/p>\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs\">https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_MSSPs<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","9cc8b0dd65d5032d00360743f6ef5b8c_images":[],"9cc8b0dd65d5032d00360743f6ef5b8c_timestamp":1644616901,"ed9df165f2657d5bb145909d714c2690_type":"article","ed9df165f2657d5bb145909d714c2690_title":"RFI questions for cloud providers","ed9df165f2657d5bb145909d714c2690_url":"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers","ed9df165f2657d5bb145909d714c2690_plaintext":"\n\nBook:Choosing and Implementing a Cloud-based Service for Your Laboratory\/RFI questions for cloud providersFrom LIMSWikiJump to navigationJump to search-----Return to the beginning of this guide-----\n\r\n\n\n Appendix 3. An RFI\/RFP for evaluating cloud service providers (CSPs) \nWhether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of \"fact finding,\" acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. 
This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right number of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.[1]\nWhat follows is a carefully selected set of \"questions\" for cloud computing and cloud-related providers posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.\nSources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, Lab Manager, LBMC, and Thomson Reuters)[2][3][4][5][6][7], the five sources from the managed security services provider (MSSP) RFI\/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually)[8][9][10][11][12], and the following:\n\nCloud Security Alliance's Cloud Controls Matrix v4[13]\nIreland's Office of Government Procurement Cloud Services Procurement Guidance Note[14]\nU.S. 
Internal Revenue Service RFI Cloud Response document[15]\n\r\n\n\n RFI\/RFP introduction \nIf you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:\n\na table of contents;\nan honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;\ndetails on how the RFI or RFP evaluation process will be conducted;\nbasis for award (if an RFP);\nthe calendar schedule (including times) for related events;\nhow to submit the document and any related questions about it, including response format; and\nyour organization's background, business requirements, and current technical environment.\n\r\n\n\nOrganization basics \nPrimary business objectives \nPlease describe the primary business objectives for your organization.\n\r\n\n\r\n\n\r\n\n\nOrganization history \nPlease give some background on your organization's history, including how long it has been offering cloud computing services.\n\r\n\n\r\n\n\r\n\n\nFinancial stability \nPlease provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability. \n\r\n\n\r\n\n\r\n\n\nCloud services offered \nPlease describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. 
Don't forget to describe the capabilities of your hybrid and multicloud offerings.\n\r\n\n\r\n\n\r\n\n\nExpected level of integration or interoperability \nPlease describe how you anticipate your cloud solutions being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.\n\r\n\n\r\n\n\r\n\n\nDetails about those cloud services \nPlease provide details about:\n\nnumber of clients specifically using your organization's cloud computing or cloud-related services;\nhow long each of those services has been offered;\nthe growth rate of those services over the prior fiscal year;\nthe average historical downtime of a given cloud service;\nhow those services or your organization overall are ranked by top research firms such as Gartner and Forrester; and\nany awards received for your organization's cloud computing or cloud-related services.\n\r\n\n\r\n\n\r\n\n\nVision and investment in those cloud services \nPlease provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.\n\r\n\n\r\n\n\r\n\n\nExperience and references \nPlease provide details on:\n\nhow many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;\nwhether any of them are willing to act as references for your services;\nwhat experience your organization has in meeting the unique regulatory requirements of our industry;\nany examples of clients being a learning source for improving your service; and\nany whitepapers, reports, etc. 
authored by your organization that are relevant to our industry.\n\r\n\n\r\n\n\r\n\n\n Infrastructure, security, and related policies \nInternal security policy and procedure \nPlease describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.\n\r\n\n\r\n\n\r\n\n\nBusiness continuity and disaster recovery policy \nPlease describe your organization's P&P regarding business continuity and disaster recovery.\n\r\n\n\r\n\n\r\n\n\nData centers and related infrastructure \nPlease describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:\n\nwhether or not your organization owns and manages the data centers;\nwhere those data centers are located;\nwhere our data will be located;\nwhat specifications and encryption types are used for in-transit and at-rest data;\nwhat level of availability is guaranteed for each data center;\nwhat level of redundancy is implemented within the data centers;\nwhat disposal and data destruction policies are in place for end-of-life equipment;\nhow that redundancy limits service interruptions should a particular data center go offline;\nwhat level of cloud-based scalability is available to clients with growth or contraction states; and\nwhat qualifications and certifications apply to each data center.\n\r\n\n\r\n\n\r\n\n\nPhysical security at data centers \nPlease describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. 
How are unauthorized access attempts at data centers responded to?\n\r\n\n\r\n\n\r\n\n\nStaffing at data centers \nPlease describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.\n\r\n\n\r\n\n\r\n\n\nIndependent infrastructure review \nIf your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.\n\r\n\n\r\n\n\r\n\n\nInternal infrastructure review \nIf your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. 
If your organization conducts internal \"red team\" or \"attack-and-defense\" exercises, describe them, their frequency, and how resulting information is acted upon.\n\r\n\n\r\n\n\r\n\n\nAuditing of your operations \nIf the results of your independent and\/or internal review cannot be shared, will your organization allow us to\u2014on our own or through a third party\u2014audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?\n\r\n\n\r\n\n\r\n\n\nAuditing of client data \nPlease describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?\n\r\n\n\r\n\n\r\n\n\nExtraction of client data \nPlease explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.\n\r\n\n\r\n\n\r\n\n\nBase cloud security \nCompany philosophy or approach \nPlease describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how research from that team is incorporated into protecting your organization's cloud solution or infrastructure. 
Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.\n\r\n\n\r\n\n\r\n\n\nPhilosophy or approach to client security \nPlease provide relevant considerations a client should have\u2014and primary risks a client should mitigate\u2014when securing information in your organization's cloud infrastructure. Does a clear \"shared responsibility\" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. Additionally, explain how those policies better ensure client data integrity.\n\r\n\n\r\n\n\r\n\n\nTechnology and security \nPlease describe the organizational and client-based availability and use of cloud security technologies such as:\n\ndevice management tools,\nfirewalls and related performance monitoring tools,\nidentity and access management mechanisms,\nintrusion prevention and detection systems,\nintegration tools, and\nany other security-related analysis and prevention tools (e.g., rules engines).\n\r\n\n\r\n\n\r\n\n\nData storage \nPlease describe how sensitive and regulated data is able to be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in security of other clients' data affect our own?\n\r\n\n\r\n\n\r\n\n\n Data transmission, sharing, and transfer \nPlease describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database 1. 
from a client or third-party cloud environment to your cloud environment and 2. from your cloud environment to another cloud environment. What solutions do you provide towards this seamless transfer?\n\r\n\n\r\n\n\r\n\n\nLogging \nPlease describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regard to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention.\n\r\n\n\r\n\n\r\n\n\nMonitoring \nIf your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any? \n\r\n\n\r\n\n\r\n\n\nIncident response and reporting \nShould a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to affected clients. 
Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.\n\r\n\n\r\n\n\r\n\n\nHybrid and multicloud security \nPlease explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.\n\r\n\n\r\n\n\r\n\n\nThreat intelligence \nResearch team \nIf your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it's integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission. \n\r\n\n\r\n\n\r\n\n\nThreat detection \nPlease describe the information sources the research team (or, if no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.\n\r\n\n\r\n\n\r\n\n\nUse of and access to threat intelligence \nPlease describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. Also describe what level of visibility and access a client has into this intelligence, as well as the research team itself. If any bug bounty programs or the like exist, please explain them here as well.\n\r\n\n\r\n\n\r\n\n\nExamples of action on threat intelligence \nPlease provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. 
Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in the organizational cloud infrastructure.\n\r\n\n\r\n\n\r\n\n\nVulnerability testing \nVulnerability testing basics \nPlease describe the extent of vulnerability testing your organization may conduct on its cloud infrastructure, including the origin of any testing protocols.\n\r\n\n\r\n\n\r\n\n\nVulnerability identification and confirmation \nPlease describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?\n\r\n\n\r\n\n\r\n\n\nClient-based vulnerability testing \nIf a client or a representative third party of a client is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details. If your cloud services support web application scanning and testing for database vulnerabilities, please provide important details.\n\r\n\n\r\n\n\r\n\n\nAdditional cloud security \nEndpoint protection \nPlease describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients in regard to helping clients maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts are given in association with it and what, if any, remediation recommendations are provided. 
Be sure to address whether or not threat intelligence is integrated into the service or tool and what operating system (OS) endpoints are covered.\n\r\n\n\r\n\n\r\n\n\nMalware protection \nPlease describe any managed service, software solution, or other mechanism your organization provides or makes available to clients in regard to helping clients with malware protection. If such a service or tool is offered, describe whether or not it uses sandboxing technology, and if so, what type. Be sure to address whether or not threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.\n\r\n\n\r\n\n\r\n\n\nOther ancillary services \nPlease describe if your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. \n\r\n\n\r\n\n\r\n\n\nAccount management and support \nAccount management basics \nPlease describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and various account logs.\n\r\n\n\r\n\n\r\n\n\nSupport basics \nPlease describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. 
Explain how the escalation process for inquiries and reported issues should be handled.\n\r\n\n\r\n\n\r\n\n\nHelp desk and support ticketing \nPlease indicate what help desk or ticketing functionality is available for clients having cloud service issues. Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of service downtime?\n\r\n\n\r\n\n\r\n\n\n Availability, provisioning, and responsiveness \nPlease indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.\n\r\n\n\r\n\n\r\n\n\nClient satisfaction \nPlease describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.\n\r\n\n\r\n\n\r\n\n\nAncillary services \nPlease indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?\n\r\n\n\r\n\n\r\n\n\n Service level agreements (SLAs) and contracts \nSLA basics \nPlease describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. 
Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.\n\r\n\n\r\n\n\r\n\n\nSLAs for SaaS \nIn the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.\n\r\n\n\r\n\n\r\n\n\nSLA failure \nPlease explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.\n\r\n\n\r\n\n\r\n\n\nBusiness associate agreements \nState whether or not your organization will sign a business associate agreement or addendum for purposes of ensuring your organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).\n\r\n\n\r\n\n\r\n\n\nContract termination \nPlease describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.\n\r\n\n\r\n\n\r\n\n\nOrganization termination or catastrophic loss \nPlease describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.\n\r\n\n\r\n\n\r\n\n\nService implementation \nImplementation basics \nPlease describe your approach to implementing your cloud computing or cloud-based services for clients. 
You should address:\n\nthe standard timeframe for implementation and onboarding (overall average or last 10 customers);\nwhether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;\nwhat resources clients will require to support the implementation and throughout the contract's duration;\nwhat client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;\nwhat device and database integrations are supported in an implementation;\nwhether or not unsupported devices and databases can be added for support;\nhow the impact or disruption of client resources is minimized during implementation; and\nwhat your normalization and fine-tuning procedures are.\n\r\n\n\r\n\n\r\n\n\nCompletion and handoff \nPlease describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.\n\r\n\n\r\n\n\r\n\n\nMulti-site implementations \nPlease describe the process used when implementing a service to a client with many geographically dispersed facilities.\n\r\n\n\r\n\n\r\n\n\nPricing \nPricing basics \nPlease describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and\/or web enabled price calculators. Explain how any metered services are clearly reported and billed. 
Ensure all costs are accurately reflected, including any:\n\nunderlying \"implied\" costs,\ninitial \"stand up\" costs,\nongoing maintenance or subscription costs,\nrenewal-related price increases,\ndata download costs, and\ntermination costs.\n\r\n\n\r\n\n\r\n\n\nReferences \n\n\n\u2191 1.0 1.1 Holmes, T. (11 February 2022). \"It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner\". AllCloud Blog. https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 Association of Public Health Laboratories (2017). \"Breaking Through the Cloud: A Laboratory Guide to Cloud Computing\" (PDF). Association of Public Health Laboratories. https:\/\/www.aphl.org\/aboutAPHL\/publications\/Documents\/INFO-2017Jun-Cloud-Computing.pdf . Retrieved 21 August 2021 .   \n \n\n\u2191 \"A Helpful Guide to Cloud Computing in a Laboratory\". InterFocus Blog. InterFocus Ltd. 5 October 2020. https:\/\/www.mynewlab.com\/blog\/a-helpful-guide-to-cloud-computing-in-a-laboratory\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 LBMC (24 February 2021). \"Nine Due Diligence Questions to Ask Cloud Service Providers\". LBMC Blog. https:\/\/www.lbmc.com\/blog\/questions-cloud-service-providers\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 Ward, S. (9 October 2019). \"Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security\". Lab Manager. https:\/\/www.labmanager.com\/business-management\/cloud-computing-for-the-laboratory-736 . Retrieved 21 August 2021 .   \n \n\n\u2191 Eustice, J.C. (2018). \"Understand the intersection between data privacy laws and cloud computing\". Legal Technology, Products, and Services. Thomson Reuters. https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/understanding-data-privacy-and-cloud-computing . Retrieved 21 August 2021 .   \n \n\n\u2191 Thomson Reuters (3 March 2021). 
\"Three questions you need to ask your cloud vendors\". Thomson Reuters Legal Blog. https:\/\/legal.thomsonreuters.com\/blog\/3-questions-you-need-to-ask-your-cloud-vendors\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 Korff, Y. (19 February 2019). \"12 revealing questions to ask when evaluating an MSSP or MDR vendor\". Expel blog. Expel, Inc. https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 \"How to Write an MSSP RDP\". NTT Security. September 2016. https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1 . Retrieved 21 August 2021 .   \n \n\n\u2191 \"Secureworks Guide to Building a Cloud MSSP RFP Template\" (DOCX). Secureworks. Archived from the original on 08 May 2021. https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638 . Retrieved 21 August 2021 .   \n \n\n\u2191 \"RFP\/RFI Questions for Managed Security Services: Sample MSSP RFP Template\". Solutionary, Inc. September 2015. https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html . Retrieved 21 August 2021 .   \n \n\n\u2191 U.S. Department of State (24 October 2020). \"Cloud Mission Support Request for Information\". SAM.gov. https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view . Retrieved 21 August 2021 .   \n \n\n\u2191 \"Cloud Controls Matrix v4\" (xlsx). Cloud Security Alliance. 15 March 2021. https:\/\/cloudsecurityalliance.org\/artifacts\/cloud-controls-matrix-v4\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 \"Cloud Services Procurement Guidance Note\". Ireland Office of Government Procurement. 9 February 2021. https:\/\/ogp.gov.ie\/information-notes\/ . Retrieved 21 August 2021 .   \n \n\n\u2191 \"IRS RFI Cloud Response\" (DOCX). Internal Revenue Service. January 2018. 
https:\/\/cic.gsa.gov\/documents\/IRS-Cloud-Services-RFI.docx . Retrieved 21 August 2021 .   \n \n\n\n\n\n\n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\">https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers<\/a>\nThis page was last edited on 9 February 2022, at 20:46. Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n\n\n\n","ed9df165f2657d5bb145909d714c2690_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-208 ns-subject page-Book_Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory_RFI_questions_for_cloud_providers rootpage-Book_Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory_RFI_questions_for_cloud_providers skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Book:Choosing and Implementing a 
Cloud-based Service for Your Laboratory\/RFI questions for cloud providers<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\"><div align=\"center\">-----Return to <a href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/Introduction\" title=\"Book:Choosing and Implementing a Cloud-based Service for Your Laboratory\/Introduction\" class=\"wiki-link\" data-key=\"a5122d160da552b7fab8ca62d4bc6155\">the beginning<\/a> of this guide-----<\/div>\n<p><br \/>\n<\/p>\n<h1><span id=\"rdp-ebb-Appendix_3._An_RFI\/RFP_for_evaluating_cloud_service_providers_(CSPs)\"><\/span><span class=\"mw-headline\" id=\"Appendix_3._An_RFI.2FRFP_for_evaluating_cloud_service_providers_.28CSPs.29\">Appendix 3. An RFI\/RFP for evaluating cloud service providers (CSPs)<\/span><\/h1>\n<p>Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of \"fact finding,\" acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. 
However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.<sup id=\"rdp-ebb-cite_ref-HolmesItsAMatch_1-0\" class=\"reference\"><a href=\"#cite_note-HolmesItsAMatch-1\">[1]<\/a><\/sup>\n<\/p><p>What follows is a carefully selected set of \"questions\" for cloud computing and cloud-related providers posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.<sup id=\"rdp-ebb-cite_ref-HolmesItsAMatch_1-1\" class=\"reference\"><a href=\"#cite_note-HolmesItsAMatch-1\">[1]<\/a><\/sup> Feel free to narrow this list down to those questions that are most important to you as part of this fact-finding mission.\n<\/p><p>Sources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, <i>Lab Manager<\/i>, LBMC, and Thomson Reuters)<sup id=\"rdp-ebb-cite_ref-APHLBreaking17_2-0\" class=\"reference\"><a href=\"#cite_note-APHLBreaking17-2\">[2]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-IFAhelp20_3-0\" class=\"reference\"><a href=\"#cite_note-IFAhelp20-3\">[3]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-LBMCNine21_4-0\" class=\"reference\"><a href=\"#cite_note-LBMCNine21-4\">[4]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-WardCloud19_5-0\" class=\"reference\"><a href=\"#cite_note-WardCloud19-5\">[5]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-EusticeUnder18_6-0\" class=\"reference\"><a href=\"#cite_note-EusticeUnder18-6\">[6]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-TRThree21_7-0\" class=\"reference\"><a href=\"#cite_note-TRThree21-7\">[7]<\/a><\/sup>, the five sources from the managed security services provider (MSSP) 
RFI\/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually)<sup id=\"rdp-ebb-cite_ref-Korff12Rev19_8-0\" class=\"reference\"><a href=\"#cite_note-Korff12Rev19-8\">[8]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-NTTSHowTo16_9-0\" class=\"reference\"><a href=\"#cite_note-NTTSHowTo16-9\">[9]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-SWGuideToBuild_10-0\" class=\"reference\"><a href=\"#cite_note-SWGuideToBuild-10\">[10]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-SolutionaryRFP15_11-0\" class=\"reference\"><a href=\"#cite_note-SolutionaryRFP15-11\">[11]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-SAMCloudMiss20_12-0\" class=\"reference\"><a href=\"#cite_note-SAMCloudMiss20-12\">[12]<\/a><\/sup>, and the following:\n<\/p>\n<ul><li>Cloud Security Alliance's <i>Cloud Controls Matrix v4<\/i><sup id=\"rdp-ebb-cite_ref-CSACloudCont4_13-0\" class=\"reference\"><a href=\"#cite_note-CSACloudCont4-13\">[13]<\/a><\/sup><\/li>\n<li>Ireland's Office of Government Procurement <i>Cloud Services Procurement Guidance Note<\/i><sup id=\"rdp-ebb-cite_ref-OGPInform21_14-0\" class=\"reference\"><a href=\"#cite_note-OGPInform21-14\">[14]<\/a><\/sup><\/li>\n<li>U.S. 
Internal Revenue Service RFI Cloud Response document<sup id=\"rdp-ebb-cite_ref-IRSRFICloud18_15-0\" class=\"reference\"><a href=\"#cite_note-IRSRFICloud18-15\">[15]<\/a><\/sup><\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-RFI\/RFP_introduction\"><\/span><span class=\"mw-headline\" id=\"RFI.2FRFP_introduction\">RFI\/RFP introduction<\/span><\/h2>\n<p>If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:\n<\/p>\n<ul><li>a table of contents;<\/li>\n<li>an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;<\/li>\n<li>details on how the RFI or RFP evaluation process will be conducted;<\/li>\n<li>basis for award (if an RFP);<\/li>\n<li>the calendar schedule (including times) for related events;<\/li>\n<li>how to submit the document and any related questions about it, including response format; and<\/li>\n<li>your organization's background, business requirements, and current technical environment.<\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Organization_basics\">Organization basics<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Primary_business_objectives\">Primary business objectives<\/span><\/h3>\n<p>Please describe the primary business objectives for your organization.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Organization_history\">Organization history<\/span><\/h3>\n<p>Please give some background on your organization's history, including how long it has been offering cloud computing services.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Financial_stability\">Financial stability<\/span><\/h3>\n<p>Please provide information concerning the financial stability of your organization. 
If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability. \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Cloud_services_offered\">Cloud services offered<\/span><\/h3>\n<p>Please describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. Don't forget to describe the capabilities of your hybrid and multicloud offerings.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Expected_level_of_integration_or_interoperability\">Expected level of integration or interoperability<\/span><\/h3>\n<p>Please describe how you anticipate your cloud solutions being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Details_about_those_cloud_services\">Details about those cloud services<\/span><\/h3>\n<p>Please provide details about:\n<\/p>\n<ul><li>number of clients specifically using your organization's cloud computing or cloud-related services;<\/li>\n<li>how long each of those services has been offered;<\/li>\n<li>the growth rate of those services over the prior fiscal year;<\/li>\n<li>the average historical downtime of a given cloud service;<\/li>\n<li>how those services or your 
organization overall are ranked by top research firms such as Gartner and Forrester; and<\/li>\n<li>any awards received for your organization's cloud computing or cloud-related services.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vision_and_investment_in_those_cloud_services\">Vision and investment in those cloud services<\/span><\/h3>\n<p>Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Experience_and_references\">Experience and references<\/span><\/h3>\n<p>Please provide details on:\n<\/p>\n<ul><li>how many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;<\/li>\n<li>whether any of them are willing to act as references for your services;<\/li>\n<li>what experience your organization has in meeting the unique regulatory requirements of our industry;<\/li>\n<li>any examples of clients being a learning source for improving your service; and<\/li>\n<li>any whitepapers, reports, etc. 
authored by your organization that are relevant to our industry.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-Infrastructure,_security,_and_related_policies\"><\/span><span class=\"mw-headline\" id=\"Infrastructure.2C_security.2C_and_related_policies\">Infrastructure, security, and related policies<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Internal_security_policy_and_procedure\">Internal security policy and procedure<\/span><\/h3>\n<p>Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Business_continuity_and_disaster_recovery_policy\">Business continuity and disaster recovery policy<\/span><\/h3>\n<p>Please describe your organization's P&P regarding business continuity and disaster recovery.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Data_centers_and_related_infrastructure\">Data centers and related infrastructure<\/span><\/h3>\n<p>Please describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. 
Additionally, address concerns about:\n<\/p>\n<ul><li>whether or not your organization owns and manages the data centers;<\/li>\n<li>where those data centers are located;<\/li>\n<li>where our data will be located;<\/li>\n<li>what specifications and encryption types are used for in-transit and at-rest data;<\/li>\n<li>what level of availability is guaranteed for each data center;<\/li>\n<li>what level of redundancy is implemented within the data centers;<\/li>\n<li>what disposal and data destruction policies are in place for end-of-life equipment;<\/li>\n<li>how that redundancy limits service interruptions should a particular data center go offline;<\/li>\n<li>what level of cloud-based scalability is available to clients with growth or contraction states; and<\/li>\n<li>what qualifications and certifications apply to each data center.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Physical_security_at_data_centers\">Physical security at data centers<\/span><\/h3>\n<p>Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Staffing_at_data_centers\">Staffing at data centers<\/span><\/h3>\n<p>Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? 
Finally, describe what background checks or screening procedures, if any, are implemented towards any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Independent_infrastructure_review\">Independent infrastructure review<\/span><\/h3>\n<p>If your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Internal_infrastructure_review\">Internal infrastructure review<\/span><\/h3>\n<p>If your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. 
If your organization conducts internal \"red team\" or \"attack-and-defense\" exercises, describe them, their frequency, and how resulting information is acted upon.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Auditing_of_your_operations\">Auditing of your operations<\/span><\/h3>\n<p>If the results of your independent and\/or internal review cannot be shared, will your organization allow us to\u2014on our own or through a third party\u2014audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Auditing_of_client_data\">Auditing of client data<\/span><\/h3>\n<p>Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Extraction_of_client_data\">Extraction of client data<\/span><\/h3>\n<p>Please explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Base_cloud_security\">Base cloud security<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Company_philosophy_or_approach\">Company philosophy or approach<\/span><\/h3>\n<p>Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. 
Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers is utilized. If such a team exists, also explain how research from that team is incorporated into protecting your organization's cloud solution or infrastructure. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Philosophy_or_approach_to_client_security\">Philosophy or approach to client security<\/span><\/h3>\n<p>Please provide relevant considerations a client should have\u2014and primary risks a client should mitigate\u2014when securing information in your organization's cloud infrastructure. Does a clear \"shared responsibility\" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. 
Additionally, explain how those policies better ensure client data integrity.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Technology_and_security\">Technology and security<\/span><\/h3>\n<p>Please describe the organizational and client-based availability and use of cloud security technologies such as:\n<\/p>\n<ul><li>device management tools,<\/li>\n<li>firewalls and related performance monitoring tools,<\/li>\n<li>identity and access management mechanisms,<\/li>\n<li>intrusion prevention and detection systems,<\/li>\n<li>integration tools, and<\/li>\n<li>any other security-related analysis and prevention tools (e.g., rules engines).<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Data_storage\">Data storage<\/span><\/h3>\n<p>Please describe how sensitive and regulated data is able to be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in security of other clients' data affect our own?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span id=\"rdp-ebb-Data_transmission,_sharing,_and_transfer\"><\/span><span class=\"mw-headline\" id=\"Data_transmission.2C_sharing.2C_and_transfer\">Data transmission, sharing, and transfer<\/span><\/h3>\n<p>Please describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database 1. from a client or third-party cloud environment to your cloud environment and 2. from your cloud environment to another cloud environment. 
What solutions do you provide towards this seamless transfer?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Logging\">Logging<\/span><\/h3>\n<p>Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regards to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Monitoring\">Monitoring<\/span><\/h3>\n<p>If your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any? \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Incident_response_and_reporting\">Incident response and reporting<\/span><\/h3>\n<p>Should a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to affected clients. 
Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Hybrid_and_multicloud_security\">Hybrid and multicloud security<\/span><\/h3>\n<p>Please explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Threat_intelligence\">Threat intelligence<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Research_team\">Research team<\/span><\/h3>\n<p>If your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it's integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission. \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Threat_detection\">Threat detection<\/span><\/h3>\n<p>Please describe the information sources the research team (or, if no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Use_of_and_access_to_threat_intelligence\">Use of and access to threat intelligence<\/span><\/h3>\n<p>Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. 
Also describe what level of visibility and access a client has into this intelligence, as well as the research team itself. If any bug bounty programs or the like exist, please explain them here as well.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Examples_of_action_on_threat_intelligence\">Examples of action on threat intelligence<\/span><\/h3>\n<p>Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in the organizational cloud infrastructure.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Vulnerability_testing\">Vulnerability testing<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_testing_basics\">Vulnerability testing basics<\/span><\/h3>\n<p>Please describe the extent of vulnerability testing your organization may conduct on its cloud infrastructure, including the origin of any testing protocols.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Vulnerability_identification_and_confirmation\">Vulnerability identification and confirmation<\/span><\/h3>\n<p>Please describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. 
Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Client-based_vulnerability_testing\">Client-based vulnerability testing<\/span><\/h3>\n<p>If a client or a representative third party of a client is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details. If your cloud services support web application scanning and testing for database vulnerabilities, please provide important details.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Additional_cloud_security\">Additional cloud security<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Endpoint_protection\">Endpoint protection<\/span><\/h3>\n<p>Please describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients in regard to helping clients maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts are given in association with it and what, if any, remediation recommendations are provided. Be sure to address whether or not threat intelligence is integrated into the service or tool and what operating system (OS) endpoints are covered.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Malware_protection\">Malware protection<\/span><\/h3>\n<p>Please describe any managed service, software solution, or other mechanism your organization provides or makes available to clients in regard to helping clients with malware protection. If such a service or tool is offered, describe whether or not it uses sandboxing technology, and if so, what type. 
Be sure to address whether or not threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Other_ancillary_services\">Other ancillary services<\/span><\/h3>\n<p>Please describe if your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers. \n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Account_management_and_support\">Account management and support<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Account_management_basics\">Account management basics<\/span><\/h3>\n<p>Please describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and various account logs.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Support_basics\">Support basics<\/span><\/h3>\n<p>Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. 
Explain how the escalation process for inquiries and reported issues should be handled.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Help_desk_and_support_ticketing\">Help desk and support ticketing<\/span><\/h3>\n<p>Please indicate what help desk or ticketing functionality is available for clients having cloud service issues. Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of service downtime?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span id=\"rdp-ebb-Availability,_provisioning,_and_responsiveness\"><\/span><span class=\"mw-headline\" id=\"Availability.2C_provisioning.2C_and_responsiveness\">Availability, provisioning, and responsiveness<\/span><\/h3>\n<p>Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Client_satisfaction\">Client satisfaction<\/span><\/h3>\n<p>Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Ancillary_services\">Ancillary services<\/span><\/h3>\n<p>Please indicate whether or not your organization provides value-added support services, and if so what type. 
Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span id=\"rdp-ebb-Service_level_agreements_(SLAs)_and_contracts\"><\/span><span class=\"mw-headline\" id=\"Service_level_agreements_.28SLAs.29_and_contracts\">Service level agreements (SLAs) and contracts<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"SLA_basics\">SLA basics<\/span><\/h3>\n<p>Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"SLAs_for_SaaS\">SLAs for SaaS<\/span><\/h3>\n<p>In the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"SLA_failure\">SLA failure<\/span><\/h3>\n<p>Please explain how your organization monitors and measures its compliance with an SLA. 
Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Business_associate_agreements\">Business associate agreements<\/span><\/h3>\n<p>State whether or not your organization will sign a business associate agreement or addendum for purposes of ensuring your organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Contract_termination\">Contract termination<\/span><\/h3>\n<p>Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Organization_termination_or_catastrophic_loss\">Organization termination or catastrophic loss<\/span><\/h3>\n<p>Please describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Service_implementation\">Service implementation<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Implementation_basics\">Implementation basics<\/span><\/h3>\n<p>Please describe your approach to implementing your cloud computing or cloud-based services for clients. 
You should address:\n<\/p>\n<ul><li>the standard timeframe for implementation and onboarding (overall average or last 10 customers);<\/li>\n<li>whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;<\/li>\n<li>what resources clients will require to support the implementation and throughout the contract's duration;<\/li>\n<li>what client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;<\/li>\n<li>what device and database integrations are supported in an implementation;<\/li>\n<li>whether or not unsupported devices and databases can be added for support;<\/li>\n<li>how the impact or disruption of client resources is minimized during implementation; and<\/li>\n<li>what your normalization and fine-tuning procedures are.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Completion_and_handoff\">Completion and handoff<\/span><\/h3>\n<p>Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. 
If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h3><span class=\"mw-headline\" id=\"Multi-site_implementations\">Multi-site implementations<\/span><\/h3>\n<p>Please describe the process used when implementing a service to a client with many geographically dispersed facilities.\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Pricing\">Pricing<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Pricing_basics\">Pricing basics<\/span><\/h3>\n<p>Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and\/or web enabled price calculators. Explain how any metered services are clearly reported and billed. 
Ensure all costs are accurately reflected, including any:\n<\/p>\n<ul><li>underlying \"implied\" costs,<\/li>\n<li>initial \"stand up\" costs,<\/li>\n<li>ongoing maintenance or subscription costs,<\/li>\n<li>renewal-related price increases,<\/li>\n<li>data download costs, and<\/li>\n<li>termination costs.<\/li><\/ul>\n<p><br \/>\n<\/p><p><br \/>\n<\/p><p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist references-column-width\" style=\"-moz-column-width: 30em; -webkit-column-width: 30em; column-width: 30em; list-style-type: decimal;\">\n<div class=\"mw-references-wrap mw-references-columns\"><ol class=\"references\">\n<li id=\"cite_note-HolmesItsAMatch-1\"><span class=\"mw-cite-backlink\">\u2191 <sup><a href=\"#cite_ref-HolmesItsAMatch_1-0\">1.0<\/a><\/sup> <sup><a href=\"#cite_ref-HolmesItsAMatch_1-1\">1.1<\/a><\/sup><\/span> <span class=\"reference-text\"><span class=\"citation web\">Holmes, T. (11 February 2022). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/\" target=\"_blank\">\"It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner\"<\/a>. <i>AllCloud Blog<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/\" target=\"_blank\">https:\/\/allcloud.io\/blog\/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=It%27s+a+Match%3A+How+to+Run+a+Good+RFI%2C+RFP%2C+or+RFQ+and+Find+the+Right+Partner&rft.atitle=AllCloud+Blog&rft.aulast=Holmes%2C+T.&rft.au=Holmes%2C+T.&rft.date=11+February+2022&rft_id=https%3A%2F%2Fallcloud.io%2Fblog%2Fits-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-APHLBreaking17-2\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-APHLBreaking17_2-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Association of Public Health Laboratories (2017). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.aphl.org\/aboutAPHL\/publications\/Documents\/INFO-2017Jun-Cloud-Computing.pdf\" target=\"_blank\">\"Breaking Through the Cloud: A Laboratory Guide to Cloud Computing\"<\/a> (PDF). Association of Public Health Laboratories<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.aphl.org\/aboutAPHL\/publications\/Documents\/INFO-2017Jun-Cloud-Computing.pdf\" target=\"_blank\">https:\/\/www.aphl.org\/aboutAPHL\/publications\/Documents\/INFO-2017Jun-Cloud-Computing.pdf<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Breaking+Through+the+Cloud%3A+A+Laboratory+Guide+to+Cloud+Computing&rft.atitle=&rft.aulast=Association+of+Public+Health+Laboratories&rft.au=Association+of+Public+Health+Laboratories&rft.date=2017&rft.pub=Association+of+Public+Health+Laboratories&rft_id=https%3A%2F%2Fwww.aphl.org%2FaboutAPHL%2Fpublications%2FDocuments%2FINFO-2017Jun-Cloud-Computing.pdf&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-IFAhelp20-3\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-IFAhelp20_3-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.mynewlab.com\/blog\/a-helpful-guide-to-cloud-computing-in-a-laboratory\/\" target=\"_blank\">\"A Helpful Guide to Cloud Computing in a Laboratory\"<\/a>. <i>InterFocus Blog<\/i>. InterFocus Ltd. 5 October 2020<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.mynewlab.com\/blog\/a-helpful-guide-to-cloud-computing-in-a-laboratory\/\" target=\"_blank\">https:\/\/www.mynewlab.com\/blog\/a-helpful-guide-to-cloud-computing-in-a-laboratory\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=A+Helpful+Guide+to+Cloud+Computing+in+a+Laboratory&rft.atitle=InterFocus+Blog&rft.date=5+October+2020&rft.pub=InterFocus+Ltd&rft_id=https%3A%2F%2Fwww.mynewlab.com%2Fblog%2Fa-helpful-guide-to-cloud-computing-in-a-laboratory%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-LBMCNine21-4\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-LBMCNine21_4-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">LBMC (24 February 2021). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.lbmc.com\/blog\/questions-cloud-service-providers\/\" target=\"_blank\">\"Nine Due Diligence Questions to Ask Cloud Service Providers\"<\/a>. <i>LBMC Blog<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.lbmc.com\/blog\/questions-cloud-service-providers\/\" target=\"_blank\">https:\/\/www.lbmc.com\/blog\/questions-cloud-service-providers\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Nine+Due+Diligence+Questions+to+Ask+Cloud+Service+Providers&rft.atitle=LBMC+Blog&rft.aulast=LBMC&rft.au=LBMC&rft.date=24+February+2021&rft_id=https%3A%2F%2Fwww.lbmc.com%2Fblog%2Fquestions-cloud-service-providers%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-WardCloud19-5\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-WardCloud19_5-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Ward, S. (9 October 2019). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.labmanager.com\/business-management\/cloud-computing-for-the-laboratory-736\" target=\"_blank\">\"Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security\"<\/a>. <i>Lab Manager<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.labmanager.com\/business-management\/cloud-computing-for-the-laboratory-736\" target=\"_blank\">https:\/\/www.labmanager.com\/business-management\/cloud-computing-for-the-laboratory-736<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cloud+Computing+for+the+Laboratory%3A+Using+data+in+the+cloud+-+What+it+means+for+data+security&rft.atitle=Lab+Manager&rft.aulast=Ward%2C+S.&rft.au=Ward%2C+S.&rft.date=9+October+2019&rft_id=https%3A%2F%2Fwww.labmanager.com%2Fbusiness-management%2Fcloud-computing-for-the-laboratory-736&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-EusticeUnder18-6\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-EusticeUnder18_6-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Eustice, J.C. (2018). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/understanding-data-privacy-and-cloud-computing\" target=\"_blank\">\"Understand the intersection between data privacy laws and cloud computing\"<\/a>. <i>Legal Technology, Products, and Services<\/i>. Thomson Reuters<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/understanding-data-privacy-and-cloud-computing\" target=\"_blank\">https:\/\/legal.thomsonreuters.com\/en\/insights\/articles\/understanding-data-privacy-and-cloud-computing<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Understand+the+intersection+between+data+privacy+laws+and+cloud+computing&rft.atitle=Legal+Technology%2C+Products%2C+and+Services&rft.aulast=Eustice%2C+J.C.&rft.au=Eustice%2C+J.C.&rft.date=2018&rft.pub=Thomson+Reuters&rft_id=https%3A%2F%2Flegal.thomsonreuters.com%2Fen%2Finsights%2Farticles%2Funderstanding-data-privacy-and-cloud-computing&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-TRThree21-7\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-TRThree21_7-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Thomson Reuters (3 March 2021). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/legal.thomsonreuters.com\/blog\/3-questions-you-need-to-ask-your-cloud-vendors\/\" target=\"_blank\">\"Three questions you need to ask your cloud vendors\"<\/a>. <i>Thomson Reuters Legal Blog<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/legal.thomsonreuters.com\/blog\/3-questions-you-need-to-ask-your-cloud-vendors\/\" target=\"_blank\">https:\/\/legal.thomsonreuters.com\/blog\/3-questions-you-need-to-ask-your-cloud-vendors\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Three+questions+you+need+to+ask+your+cloud+vendors&rft.atitle=Thomson+Reuters+Legal+Blog&rft.aulast=Thomson+Reuters&rft.au=Thomson+Reuters&rft.date=3+March+2021&rft_id=https%3A%2F%2Flegal.thomsonreuters.com%2Fblog%2F3-questions-you-need-to-ask-your-cloud-vendors%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-Korff12Rev19-8\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-Korff12Rev19_8-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">Korff, Y. (19 February 2019). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/\" target=\"_blank\">\"12 revealing questions to ask when evaluating an MSSP or MDR vendor\"<\/a>. <i>Expel blog<\/i>. Expel, Inc<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/\" target=\"_blank\">https:\/\/expel.io\/blog\/12-revealing-questions-when-evaluating-mssp-mdr-vendor\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=12+revealing+questions+to+ask+when+evaluating+an+MSSP+or+MDR+vendor&rft.atitle=Expel+blog&rft.aulast=Korff%2C+Y.&rft.au=Korff%2C+Y.&rft.date=19+February+2019&rft.pub=Expel%2C+Inc&rft_id=https%3A%2F%2Fexpel.io%2Fblog%2F12-revealing-questions-when-evaluating-mssp-mdr-vendor%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-NTTSHowTo16-9\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-NTTSHowTo16_9-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1\" target=\"_blank\">\"How to Write an MSSP RDP\"<\/a>. NTT Security. September 2016<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1\" target=\"_blank\">https:\/\/www.nttsecurity.com\/docs\/librariesprovider3\/resources\/us_whitepaper_mssp_rfp_uea_v1<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=How+to+Write+an+MSSP+RDP&rft.atitle=&rft.date=September+2016&rft.pub=NTT+Security&rft_id=https%3A%2F%2Fwww.nttsecurity.com%2Fdocs%2Flibrariesprovider3%2Fresources%2Fus_whitepaper_mssp_rfp_uea_v1&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SWGuideToBuild-10\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SWGuideToBuild_10-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">\"Secureworks Guide to Building a Cloud MSSP RFP Template\"<\/a> (DOCX). Secureworks. Archived from <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">the original<\/a> on 08 May 2021<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638\" target=\"_blank\">https:\/\/web.archive.org\/web\/20210508225741\/https:\/\/pcdnscwx001.azureedge.net\/~\/media\/Files\/US\/White%20Papers\/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Secureworks+Guide+to+Building+a+Cloud+MSSP+RFP+Template&rft.atitle=&rft.pub=Secureworks&rft_id=https%3A%2F%2Fweb.archive.org%2Fweb%2F20210508225741%2Fhttps%3A%2F%2Fpcdnscwx001.azureedge.net%2F%7E%2Fmedia%2FFiles%2FUS%2FWhite%2520Papers%2FSecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx%3Fmodified%3D20170714201638&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SolutionaryRFP15-11\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SolutionaryRFP15_11-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html\" target=\"_blank\">\"RFP\/RFI Questions for Managed Security Services: Sample MSSP RFP Template\"<\/a>. Solutionary, Inc. September 2015<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html\" target=\"_blank\">https:\/\/docecity.com\/rfp-sample-questions-for-managed-security-services.html<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=RFP%2FRFI+Questions+for+Managed+Security+Services%3A+Sample+MSSP+RFP+Template&rft.atitle=&rft.date=September+2015&rft.pub=Solutionary%2C+Inc&rft_id=https%3A%2F%2Fdocecity.com%2Frfp-sample-questions-for-managed-security-services.html&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-SAMCloudMiss20-12\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-SAMCloudMiss20_12-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\">U.S. Department of State (24 October 2020). <a rel=\"external_link\" class=\"external text\" href=\"https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view\" target=\"_blank\">\"Cloud Mission Support Request for Information\"<\/a>. <i>SAM.gov<\/i><span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view\" target=\"_blank\">https:\/\/beta.sam.gov\/opp\/91dc7217b32b459695b27339f4b5d9aa\/view<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cloud+Mission+Support+Request+for+Information&rft.atitle=SAM.gov&rft.aulast=U.S.+Department+of+State&rft.au=U.S.+Department+of+State&rft.date=24+October+2020&rft_id=https%3A%2F%2Fbeta.sam.gov%2Fopp%2F91dc7217b32b459695b27339f4b5d9aa%2Fview&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-CSACloudCont4-13\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-CSACloudCont4_13-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/cloudsecurityalliance.org\/artifacts\/cloud-controls-matrix-v4\/\" target=\"_blank\">\"Cloud Controls Matrix v4\"<\/a> (xlsx). Cloud Security Alliance. 15 March 2021<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/cloudsecurityalliance.org\/artifacts\/cloud-controls-matrix-v4\/\" target=\"_blank\">https:\/\/cloudsecurityalliance.org\/artifacts\/cloud-controls-matrix-v4\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cloud+Controls+Matrix+v4&rft.atitle=&rft.date=15+March+2021&rft.pub=Cloud+Security+Alliance&rft_id=https%3A%2F%2Fcloudsecurityalliance.org%2Fartifacts%2Fcloud-controls-matrix-v4%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-OGPInform21-14\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-OGPInform21_14-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/ogp.gov.ie\/information-notes\/\" target=\"_blank\">\"Cloud Services Procurement Guidance Note\"<\/a>. Ireland Office of Government Procurement. 9 February 2021<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/ogp.gov.ie\/information-notes\/\" target=\"_blank\">https:\/\/ogp.gov.ie\/information-notes\/<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=Cloud+Services+Procurement+Guidance+Note&rft.atitle=&rft.date=9+February+2021&rft.pub=Ireland+Office+of+Government+Procurement&rft_id=https%3A%2F%2Fogp.gov.ie%2Finformation-notes%2F&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<li id=\"cite_note-IRSRFICloud18-15\"><span class=\"mw-cite-backlink\"><a href=\"#cite_ref-IRSRFICloud18_15-0\">\u2191<\/a><\/span> <span class=\"reference-text\"><span class=\"citation web\"><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/cic.gsa.gov\/documents\/IRS-Cloud-Services-RFI.docx\" target=\"_blank\">\"IRS RFI Cloud Response\"<\/a> (DOCX). Internal Revenue Service. January 2018<span class=\"printonly\">. <a rel=\"external_link\" class=\"external free\" href=\"https:\/\/cic.gsa.gov\/documents\/IRS-Cloud-Services-RFI.docx\" target=\"_blank\">https:\/\/cic.gsa.gov\/documents\/IRS-Cloud-Services-RFI.docx<\/a><\/span><span class=\"reference-accessdate\">. 
Retrieved 21 August 2021<\/span>.<\/span><span class=\"Z3988\" title=\"ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=bookitem&rft.btitle=IRS+RFI+Cloud+Response&rft.atitle=&rft.date=January+2018&rft.pub=Internal+Revenue+Service&rft_id=https%3A%2F%2Fcic.gsa.gov%2Fdocuments%2FIRS-Cloud-Services-RFI.docx&rfr_id=info:sid\/en.wikipedia.org:Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\"><span style=\"display: none;\"> <\/span><\/span>\n<\/span>\n<\/li>\n<\/ol><\/div><\/div>\n<\/div><\/div><div class=\"printfooter\">Source: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers\">https:\/\/www.limswiki.org\/index.php\/Book:Choosing_and_Implementing_a_Cloud-based_Service_for_Your_Laboratory\/RFI_questions_for_cloud_providers<\/a><\/div>\n<!-- end content --><div class=\"visualClear\"><\/div><\/div><\/div><div class=\"visualClear\"><\/div><\/div><!-- end of the left (by default at least) column --><div class=\"visualClear\"><\/div><\/div>\n\n\n\n<\/body>","ed9df165f2657d5bb145909d714c2690_images":[],"ed9df165f2657d5bb145909d714c2690_timestamp":1644616900,"76e792c8eba6e8589fc26cda5cb6f224_type":"article","76e792c8eba6e8589fc26cda5cb6f224_title":"Wipro Managed Security Services","76e792c8eba6e8589fc26cda5cb6f224_url":"https:\/\/www.limswiki.org\/index.php\/Wipro_Managed_Security_Services","76e792c8eba6e8589fc26cda5cb6f224_plaintext":"\n\nWipro Managed Security Services\nFounder(s): Mohamed Premji\nHeadquarters: Doddakannelli, Sarjapur Road, Bengaluru, India\nNumber of locations: 159\nArea served: Worldwide\nKey people: Thierry Delaporte (CEO)\nServices: Vulnerability scanning, asset visibility, security monitoring, compliance monitoring, threat management, incident response, DDoS mitigation, intrusion detection and prevention, endpoint security, firewall management\nRevenue: $2.2 billion (2020, Q4)[1]\nWebsite: wipro.com\n\nWipro Managed Security Services is a suite of managed security services (MSS) designed specifically for Amazon Web Services customers, offered by Wipro Limited, a multinational cybersecurity and managed security services provider (MSSP). 
Wipro describes its AWS-based MSS as being able to \"help reduce business risk, increase cloud security posture, fill cyber skills gaps, and span across the six security domains: vulnerability management, cloud security best practices and compliance, threat detection and response, network security, host and endpoint security, and application security.\"[2] As of May 2021, Wipro is listed among the top 12 MSSPs around the world by multiple entities.[3][4][5]\n\nContents \n\n1 Managed security services \n2 Additional information \n\n2.1 Documentation and other media \n2.2 External links \n\n\n3 References \n\n\n\nManaged security services \nSecureworks divides its MSS into ten categories[2]:\n\nVulnerability scanning: \"Regular and automated scanning of your AWS infrastructure assets for software vulnerabilities\"\nAsset visibility: \"Complete visibility across all customer accounts and regions is provided in a consolidated view\"\nSecurity monitoring: \"Provides visibility into cloud misconfigurations and their potential impact on application risk to avoid or reduce potential security breaches\"\nCompliance monitoring: Provides monitoring for regulatory compliance issues\nThreat management: \"Enables organizations to prepare for cyber incidents through effective threat management and defend against and reduce the impact of cyber-attacks for their AWS environment\"\nIncident response: \"Security intelligence services with a combination of automated tools and security experts monitoring AWS asset logs 24\/7\/365 to analyze and triage security events, providing remediation steps and guidance\"\nDDoS mitigation: \"DDoS protection solutions designed to protect everything on cloud and on-premise networks\"\nIntrusion detection and prevention: \"DS\/IPS solution is designed to identify and block malicious traffic, prevent lateral movement of malware, ensure network availability and resiliency, and enhance network performance\"\nEndpoint security: \"Cloud Endpoint Security 
solution is proficient to safeguard the data and instances on cloud\"\nFirewall management: \"AWS WAF and 3rd-Party WAF vendor solutions to safeguard your site from the latest threats\"\n\r\n\n\nAdditional information \nDocumentation and other media \nExternal links \nManaged security services page\n\r\n\n\nReferences \n\n\n\u2191 \"Results for the Quarter and Year ended March 31, 2021 under IFRS\" (PDF). Wipro. 15 April 2021. https:\/\/www.wipro.com\/content\/dam\/nexus\/en\/investor\/quarterly-results\/2020-2021\/q4fy21\/press-release-q4-21.pdf . Retrieved 30 May 2021 .   \n \n\n\u2191 2.0 2.1 \"AWS Managed Security Services\". Wipro Limited. https:\/\/www.wipro.com\/cybersecurity\/aws-managed-security-services\/ . Retrieved 30 May 2021 .   \n \n\n\u2191 \"Top 250 MSSPs for 2020: Companies 10 to 01\". Top 250 MSSPs: Cybersecurity Company List and Research for 2020. MSSP Alert. September 2020. https:\/\/www.msspalert.com\/top250\/list-2020\/25\/ . Retrieved 29 May 2021 .   \n \n\n\u2191 \"Top 100 Managed Security Service Providers (MSSPs)\". Cyber Defense Magazine. Cyber Defense Media Group. 18 February 2021. https:\/\/www.cyberdefensemagazine.com\/top-100-managed-security-service-providers-mssps\/ . Retrieved 29 May 2021 .   \n \n\n\u2191 \"Top 15 Best Managed Security Service Providers (MSSPs) In 2021\". Software Testing Help. 30 April 2021. https:\/\/www.softwaretestinghelp.com\/managed-security-service-providers\/ . Retrieved 29 May 2021 .   
\n \n\nSource: <a rel=\"external_link\" class=\"external\" href=\"https:\/\/www.limswiki.org\/index.php\/Wipro_Managed_Security_Services\">https:\/\/www.limswiki.org\/index.php\/Wipro_Managed_Security_Services<\/a>\nThis page was last edited on 30 May 2021, at 19:59. Content is available under a Creative Commons Attribution-ShareAlike 4.0 International License unless otherwise noted.\n","76e792c8eba6e8589fc26cda5cb6f224_html":"<body class=\"mediawiki ltr sitedir-ltr mw-hide-empty-elt ns-0 ns-subject page-Wipro_Managed_Security_Services rootpage-Wipro_Managed_Security_Services skin-monobook action-view skin--responsive\"><div id=\"rdp-ebb-globalWrapper\"><div id=\"rdp-ebb-column-content\"><div id=\"rdp-ebb-content\" class=\"mw-body\" role=\"main\"><a id=\"rdp-ebb-top\"><\/a>\n<h1 id=\"rdp-ebb-firstHeading\" class=\"firstHeading\" lang=\"en\">Wipro Managed Security Services<\/h1><div id=\"rdp-ebb-bodyContent\" class=\"mw-body-content\"><!-- start content --><div id=\"rdp-ebb-mw-content-text\" lang=\"en\" dir=\"ltr\" class=\"mw-content-ltr\"><div class=\"mw-parser-output\">\n<p><br \/>\n<b>Wipro Managed Security Services<\/b> is a suite of managed security services (MSS) designed specifically for <a href=\"https:\/\/www.limswiki.org\/index.php\/Amazon_Web_Services\" 
title=\"Amazon Web Services\" class=\"wiki-link\" data-key=\"aa59005d6d3f6c0608f84c7ec811f8d6\">Amazon Web Services<\/a> customers, offered by Wipro Limited, a multinational cybersecurity and managed security services provider (MSSP). Wipro describes its AWS-based MSS as being able to \"help reduce business risk, increase cloud security posture, fill cyber skills gaps, and span across the six security domains: vulnerability management, cloud security best practices and compliance, threat detection and response, network security, host and endpoint security, and application security.\"<sup id=\"rdp-ebb-cite_ref-WiproAWSMSS_2-0\" class=\"reference\"><a href=\"#cite_note-WiproAWSMSS-2\">[2]<\/a><\/sup> As of May 2021, Wipro is listed among the top 12 MSSPs around the world by multiple entities.<sup id=\"rdp-ebb-cite_ref-MSSPCyber20_3-0\" class=\"reference\"><a href=\"#cite_note-MSSPCyber20-3\">[3]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-CDMMSSPs21_4-0\" class=\"reference\"><a href=\"#cite_note-CDMMSSPs21-4\">[4]<\/a><\/sup><sup id=\"rdp-ebb-cite_ref-STHTop15_21_5-0\" class=\"reference\"><a href=\"#cite_note-STHTop15_21-5\">[5]<\/a><\/sup>\n<\/p>\n\n\n<h2><span class=\"mw-headline\" id=\"Managed_security_services\">Managed security services<\/span><\/h2>\n<p>Secureworks divides its MSS into ten categories<sup id=\"rdp-ebb-cite_ref-WiproAWSMSS_2-1\" class=\"reference\"><a href=\"#cite_note-WiproAWSMSS-2\">[2]<\/a><\/sup>:\n<\/p>\n<ul><li><b>Vulnerability scanning<\/b>: \"Regular and automated scanning of your AWS infrastructure assets for software vulnerabilities\"<\/li>\n<li><b>Asset visibility<\/b>: \"Complete visibility across all customer accounts and regions is provided in a consolidated view\"<\/li>\n<li><b>Security monitoring<\/b>: \"Provides visibility into cloud misconfigurations and their potential impact on application risk to avoid or reduce potential security breaches\"<\/li>\n<li><b>Compliance monitoring<\/b>: Provides monitoring for regulatory compliance 
issues<\/li>\n<li><b>Threat management<\/b>: \"Enables organizations to prepare for cyber incidents through effective threat management and defend against and reduce the impact of cyber-attacks for their AWS environment\"<\/li>\n<li><b>Incident response<\/b>: \"Security intelligence services with a combination of automated tools and security experts monitoring AWS asset logs 24\/7\/365 to analyze and triage security events, providing remediation steps and guidance\"<\/li>\n<li><b>DDoS mitigation<\/b>: \"DDoS protection solutions designed to protect everything on cloud and on-premise networks\"<\/li>\n<li><b>Intrusion detection and prevention<\/b>: \"DS\/IPS solution is designed to identify and block malicious traffic, prevent lateral movement of malware, ensure network availability and resiliency, and enhance network performance\"<\/li>\n<li><b>Endpoint security<\/b>: \"Cloud Endpoint Security solution is proficient to safeguard the data and instances on cloud\"<\/li>\n<li><b>Firewall management<\/b>: \"AWS WAF and 3rd-Party WAF vendor solutions to safeguard your site from the latest threats\"<\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"Additional_information\">Additional information<\/span><\/h2>\n<h3><span class=\"mw-headline\" id=\"Documentation_and_other_media\">Documentation and other media<\/span><\/h3>\n<h3><span class=\"mw-headline\" id=\"External_links\">External links<\/span><\/h3>\n<ul><li><a rel=\"external_link\" class=\"external text\" href=\"https:\/\/www.wipro.com\/cybersecurity\/aws-managed-security-services\/\" target=\"_blank\">Managed security services page<\/a><\/li><\/ul>\n<p><br \/>\n<\/p>\n<h2><span class=\"mw-headline\" id=\"References\">References<\/span><\/h2>\n<div class=\"reflist refer