Difference between revisions of "User:Shawndouglas/sandbox/sublevel9"

From CannaQAWiki
Line 1: Line 1:
'''Note''': This section applies only to those vendors offering their cannabis testing LIMS using the software as a service (SaaS) model, providing it via the cloud using their own cloud infrastructure or a third party's cloud infrastructure.
===Account management basics===
Please describe how accounts are established with your organization and what level of visibility clients and their authorized users will have into account details, including service metrics, security metrics, and various account logs.


===Cloud host security policy and procedures===
Please describe the cloud host's—whether it be your organization or a third-party organization—internal policy and procedure (P&P) regarding in-house security, including any standards the organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.




Line 9: Line 8:




===Support basics===
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.


===Business continuity and disaster recovery policy===
Please describe the cloud host's—whether it be your organization or a third-party organization—P&P regarding business continuity and disaster recovery.




Line 18: Line 17:




===Help desk and support ticketing===
Please indicate what help desk or ticketing functionality is available for clients having issues with the LIMS solution and any related services (e.g., if SaaS). Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of solution or service downtime?


===Data centers and related infrastructure===
Please describe how the cloud host—whether it be your organization or a third-party organization—organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:


* whether or not the organization owns and manages the data centers;
* where those data centers are located;
* where our data will be located;
* what specifications and encryption types are used for in-transit and at-rest data;
* what level of availability is guaranteed for each data center;
* what level of redundancy is implemented within the data centers;
* what disposal and data destruction policies are in place for end-of-life equipment;
* how that redundancy limits service interruptions should a particular data center go offline;
* what level of cloud-based scalability is available to clients with growth or contraction states; and
* what qualifications and certifications apply to each data center.




Line 37: Line 26:




===Availability, provisioning, and responsiveness===
Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.




===Physical security at data centers===
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at the cloud host's—whether it be your organization or a third-party organization—data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?




Line 46: Line 35:




===Client satisfaction===
Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.




===Staffing at data centers===
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.




Line 55: Line 44:




 
===Ancillary services===
 
Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?
===Independent infrastructure review===
If the cloud host—whether it be your organization or a third-party organization—has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.
===Internal infrastructure review===
If the cloud host—whether it be your organization or a third-party organization—has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If the cloud host conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.
===Auditing of your operations===
If the results of the cloud host's—whether it be your organization or a third-party organization—independent and/or internal review cannot be shared, will the cloud host allow us to—on our own or through a third party—audit cloud host operations, with the goal of determining the appropriateness of the cloud host's implemented safeguards?
===Auditing of client data===
Please describe how the cloud host—whether it be your organization or a third-party organization—handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how the cloud host would keep any privileged, confidential, or otherwise sensitive information protected. Does the cloud host have legal representation should these issues arise?
===Extraction of client data===
Please explain how clients may extract data from the cloud host's—whether it be your organization or a third-party organization—service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.

Revision as of 14:01, 21 August 2021

Account management basics

Please describe how accounts are established with your organization and what level of visibility clients and their authorized users will have into account details, including service metrics, security metrics, and various account logs.




Support basics

Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.




Help desk and support ticketing

Please indicate what help desk or ticketing functionality is available for clients having issues with the LIMS solution and any related services (e.g., if SaaS). Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of solution or service downtime?




Availability, provisioning, and responsiveness

Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.




Client satisfaction

Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.




Ancillary services

Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?