Difference between revisions of "User:Shawndouglas/sandbox/sublevel9"

From CannaQAWiki

===Internal security policy and procedures===
'''Note''': This section applies only to those vendors offering their cannabis testing LIMS using the software as a service (SaaS) model, providing it via the cloud using their own cloud infrastructure or a third party's cloud infrastructure.
Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.


===Cloud host security policy and procedures===
Please describe the cloud host's—whether it be your organization or a third-party organization—internal policy and procedure (P&P) regarding in-house security, including any standards the organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.


===Software security policy and procedures===
Please describe your organization's P&P regarding the implementation of security and data integrity mechanisms within the software it develops, particularly with regard to your cannabis testing LIMS solution. Address any ancillary security policies regarding, e.g., system validation and commissioning, and information privacy for the LIMS and its development and implementation. Be sure to address system characteristics such as audit trails and versioning, as well as how those and other related features support ALCOA principles.


===Business continuity and disaster recovery policy===
Please describe the cloud host's—whether it be your organization or a third-party organization—P&P regarding business continuity and disaster recovery.


===Administrational security configurations===
Please provide details regarding how your organization's cannabis testing LIMS allows for flexible yet robust configuration of security controls within the system. Be sure to address configurable elements such as granular access controls, inactivity timeouts, password requirements, authentication rules, validation rules, etc., as they relate to the LIMS.


===Data centers and related infrastructure===
Please describe how the cloud host—whether it be your organization or a third-party organization—organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:


* whether or not the organization owns and manages the data centers;
* where those data centers are located;
* where our data will be located;
* what specifications and encryption types are used for in-transit and at-rest data;
* what level of availability is guaranteed for each data center;
* what level of redundancy is implemented within the data centers;
* what disposal and data destruction policies are in place for end-of-life equipment;
* how that redundancy limits service interruptions should a particular data center go offline;
* what level of cloud-based scalability is available to clients during periods of growth or contraction; and
* what qualifications and certifications apply to each data center.


===Cybersecurity and information privacy===
Please describe how your cannabis testing LIMS helps users better meet their organizational cybersecurity requirements. Discuss any relevant communication and encryption protocols, authentication mechanisms, mechanisms for preventing unauthorized access, de-identification tools, etc. that are embedded in the offering. If an organization stores personal health information or other sensitive data in your LIMS, how are its receipt and transmission protected using these and other mechanisms, particularly in light of the regulatory requirements affecting cannabis testing labs?


===Physical security at data centers===
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at the cloud host's—whether it be your organization or a third-party organization—data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?


===Staffing at data centers===
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.


===Independent infrastructure review===
If the cloud host—whether it be your organization or a third-party organization—has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.


===Internal infrastructure review===
If the cloud host—whether it be your organization or a third-party organization—has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If the cloud host conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.


===Auditing of your operations===
If the results of the cloud host's—whether it be your organization or a third-party organization—independent and/or internal review cannot be shared, will the cloud host allow us to—on our own or through a third party—audit cloud host operations, with the goal of determining the appropriateness of the cloud host's implemented safeguards?


===Auditing of client data===
Please describe how the cloud host—whether it be your organization or a third-party organization—handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how the cloud host would keep any privileged, confidential, or otherwise sensitive information protected. Does the cloud host have legal representation should these issues arise?


===Extraction of client data===
Please explain how clients may extract data from the cloud host's—whether it be your organization or a third-party organization—service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.

Revision as of 14:00, 21 August 2021
