User:Shawndouglas/sandbox/sublevel9

From CannaQAWiki

Note: This section applies only to those vendors offering their cannabis testing LIMS using the software as a service (SaaS) model, providing it via the cloud using their own cloud infrastructure or a third party's cloud infrastructure.

Cloud host security policy and procedures

Please describe the cloud host's—whether it be your organization or a third-party organization—internal policy and procedure (P&P) regarding in-house security, including any standards the organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.




Business continuity and disaster recovery policy

Please describe the cloud host's—whether it be your organization or a third-party organization—P&P regarding business continuity and disaster recovery.




Data centers and related infrastructure

Please describe how the cloud host—whether it be your organization or a third-party organization—organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:

  • whether or not the organization owns and manages the data centers;
  • where those data centers are located;
  • where our data will be located;
  • what specifications and encryption types are used for in-transit and at-rest data;
  • what level of availability is guaranteed for each data center;
  • what level of redundancy is implemented within the data centers;
  • how that redundancy limits service interruptions should a particular data center go offline;
  • what disposal and data destruction policies are in place for end-of-life equipment;
  • what level of cloud-based scalability is available to clients during periods of growth or contraction; and
  • what qualifications and certifications apply to each data center.




Physical security at data centers

Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at the cloud host's—whether it be your organization or a third-party organization—data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?




Staffing at data centers

Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are applied to any organizational personnel and third parties (e.g., contractors, service technicians) interacting with systems containing client data.




Independent infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.




Internal infrastructure review

If the cloud host—whether it be your organization or a third-party organization—has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If the cloud host has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If the cloud host conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.




Auditing of your operations

If the results of the cloud host's—whether it be your organization or a third-party organization—independent and/or internal review cannot be shared, will the cloud host allow us to—on our own or through a third party—audit cloud host operations, with the goal of determining the appropriateness of the cloud host's implemented safeguards?




Auditing of client data

Please describe how the cloud host—whether it be your organization or a third-party organization—handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how the cloud host would keep any privileged, confidential, or otherwise sensitive information protected. Does the cloud host have legal representation should these issues arise?




Extraction of client data

Please explain how clients may extract data from the cloud host's—whether it be your organization or a third-party organization—service on demand (i.e., address data portability), including particulars about data formats and transfer methods.