Difference between revisions of "User:Shawndouglas/sandbox/sublevel7"

From CannaQAWiki
Revision as of 18:35, 6 July 2021



5. An RFI for evaluating cannabis testing LIMS vendors

Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential laboratory information management system (LIMS) vendors to respond to provides a solid base for evaluating and narrowing down potential vendors. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential cannabis testing LIMS solution and how it can solve your laboratory's problems, or for when you're not even sure how to solve those problems yet. However, the RFI should not be unduly long and tedious for prospective vendors to complete; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its testing and informatics goals, but also asking just the right number of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you and your laboratory.[1]

What follows is a carefully selected set of "questions" for cannabis testing LIMS vendors, posed as, well, requests for information. This collection of questions is admittedly long. Keeping with the advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other.[1] Feel free to narrow this list down to those questions that are most important to your laboratory as part of this fact-finding mission.

The primary source used to compile this selection of RFI questions is the LIMSpec for Cannabis Testing. That specification document was designed specifically to take a regulatory-, standards-, and guidance-based approach to how laboratory informatics systems should address the needs of cannabis testing laboratories. As such, LIMSpec for Cannabis Testing draws on ASTM E1578-18 Standard Guide for Laboratory Informatics at its core, as well as more than 70 different regulations, standards, and guidance documents. Additionally, many elements from the "LIMS functionality requirements specific to cannabis testing" section of Chapter 1 are also drawn upon. Other sources used to build this RFI include:

  • The RFI questionnaire sources used in Appendix 3 of the upcoming Choosing and Implementing a Cloud-based Service for your Laboratory

RFI introduction

If you're conducting a full RFI, you're going to lead with the standard components of an RFI, including:

  • a table of contents;
  • an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
  • details on how the RFI evaluation process will be conducted;
  • the calendar schedule (including times) for related events;
  • how to submit the document and any related questions about it, including response format; and
  • your organization's background, business requirements, and current technical environment.


Organization basics

Primary business objectives

Please describe the primary business objectives for your organization.




Organization history

Please give some background on your organization's history, including how long it has been offering a cannabis testing LIMS.




Financial stability

Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.




Software and services offered

Please describe the primary LIMS solution(s) offered by your organization, particularly those which may be relevant based upon our company's stated cannabis testing needs. If the software is offered as a service or the software functionality is unlocked based upon subscriber tiers, explain the different tiers of service or functionality provided and any significant exceptions and differences separating the tier levels.




Expected level of integration or interoperability

Please describe how you anticipate your LIMS solution(s) being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their laboratory's tasks.




Details about those LIMS solutions and services

Please provide details about:

  • number of clients specifically using your organization's LIMS solution(s) and related services;
  • how long each of those solutions and services has been offered;
  • the growth rate of those solutions and services over the prior fiscal year;
  • the average historical downtime, if the LIMS is offered as a cloud-based service;
  • how those solutions and services, or your organization overall, are ranked by market researchers and media organizations; and
  • any awards received for your organization's LIMS solution(s) and related services.




Vision and investment in those LIMS solutions and services

Please provide details about the vision and future direction for choosing, developing, and implementing new technologies, development methods, and security protocols as part of your organization's product development and maintenance initiative. Additionally, discuss the level of investment made by your organization towards maintaining, updating, and upgrading those LIMS solutions and services going forward.




Experience and references

Please provide details on:

  • how many clients you provide (or have provided) LIMS solutions and services to in the cannabis testing industry;
  • whether any of them are willing to act as references for your solutions and services;
  • what experience your organization has in meeting the unique regulatory requirements of the cannabis testing industry;
  • any examples of clients being a learning source for improving your solutions and services; and
  • any whitepapers, reports, etc. authored by your organization that are relevant to clients in the cannabis testing industry.




Software security, data integrity, and related policies

Internal security policy and procedures

Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.




Software security policy and procedures

Please describe your organization's P&P regarding implementing security and data integrity mechanisms within the software it develops, particularly in regards to your cannabis testing LIMS solution. Address any ancillary security policies regarding, e.g., system validation and commissioning and information privacy for the LIMS and its development and implementation. Be sure to address system characteristics such as audit trails and versioning, as well as how that and other related functionality support ALCOA principles.




Administrational security configurations

Please provide details regarding how your organization's cannabis testing LIMS allows for flexible yet robust configuration of security controls within the system. Be sure to address configurable elements such as granular access controls, inactivity timeouts, password requirements, authentication rules, validation rules, etc., as they relate to the LIMS.




Cloud infrastructure, security, and related policies

Note: This section applies only to those vendors offering their cannabis testing LIMS using the software as a service (SaaS) model, providing it via the cloud using their own cloud infrastructure or a third party's cloud infrastructure.

Cloud host security policy and procedures

Please describe the cloud host's—whether it be your organization or a third-party organization—internal policy and procedure (P&P) regarding in-house security, including any standards the organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.




Business continuity and disaster recovery policy

Please describe the cloud host's—whether it be your organization or a third-party organization—P&P regarding business continuity and disaster recovery.




Data centers and related infrastructure

Please describe how the cloud host—whether it be your organization or a third-party organization—organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:

  • whether or not the organization owns and manages the data centers;
  • where those data centers are located;
  • where our data will be located;
  • what specifications and encryption types are used for in-transit and at-rest data;
  • what level of availability is guaranteed for each data center;
  • what level of redundancy is implemented within the data centers;
  • what disposal and data destruction policies are in place for end-of-life equipment;
  • how that redundancy limits service interruptions should a particular data center go offline;
  • what level of cloud-based scalability is available to clients in growth or contraction states; and
  • what qualifications and certifications apply to each data center.




Physical security at data centers

Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at the cloud host's—whether it be your organization or a third-party organization—data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?




Staffing at data centers

Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.




Independent infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.




Internal infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If the cloud host conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.




Auditing of your operations

If the results of the cloud host's—whether it be your organization or a third-party organization—independent and/or internal review cannot be shared, will the cloud host allow us to—on our own or through a third party—audit cloud host operations, with the goal of determining the appropriateness of the cloud host's implemented safeguards?




Auditing of client data

Please describe how the cloud host—whether it be your organization or a third-party organization—handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how the cloud host would maintain any privileged, confidential, or otherwise sensitive information as being protected. Does the cloud host have legal representation should these issues arise?




Extraction of client data

Please explain how clients may extract data from the cloud host's—whether it be your organization or a third-party organization—service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.






Citation information for this chapter

Chapter: 5. An RFI for evaluating cannabis testing LIMS vendors

Edition: Winter 2020

Title: LIMS Buyer’s Guide for Cannabis Testing Laboratories

Author for citation: Shawn E. Douglas

License for content: Creative Commons Attribution-ShareAlike 4.0 International

Publication date: TBD