LII:Choosing and Implementing a Cloud-based Service for Your Laboratory/RFI questions for cloud providers
Appendix 3. An RFI/RFP for evaluating cloud service providers (CSPs)
Whether conducting the request for information (RFI) or request for proposal (RFP) process, a quality set of questions for potential vendors to respond to provides a solid base for helping evaluate and narrow down a vendor for your service. The RFI in particular is good for this sort of "fact finding," acting as an ideal means for learning more about a potential solution and how it can solve your problems, or when you're not even sure how to solve your problem yet. However, the RFI should not be unduly long and tedious to complete for prospective vendors; it should be concise, direct, and honest. This means not only presenting a clear and humble vision of your own organization and its goals, but also asking just the right amount of questions to allow potential vendors to demonstrate their expertise and provide a clearer picture of who they are. Some take a technical approach to an RFI, using dense language and complicated spreadsheets for fact finding. However, vendors appreciate a slightly more inviting approach, with practical questions or requests that are carefully chosen because they matter to you.
What follows are a carefully selected set of "questions" for cloud computing and cloud-related providers posed as, well, requests for information. This collection of questions is admittedly long. Keeping with advice about maintaining a concise RFI, you may not use all of these as part of your RFI process. Remember that an RFI is not meant to answer all of your questions, but rather is meant as a means to help narrow down your search to a few quality candidates while learning more about each other. Feel free to narrow this list down to those questions that are most important to you as part of this fact finding mission.
Sources used to compile this selection of RFI questions include the six sources from section 6.4 (including APHL, Interfocus, Lab Manager, LBMC, and Thomson Reuters), the five sources from the managed security services provider (MSSP) RFI/RFP template included in Appendix 3 of this guide (there's a lot of crossover, actually), and the following:
- Cloud Security Alliance's Cloud Controls Matrix v4
- Ireland's Office of Government Procurement Cloud Services Procurement Guidance Note
- U.S. Internal Revenue Service RFI Cloud Response document
If you're conducting a full RFI or RFP, you're going to lead with the standard components of an RFI or RFP, including:
- a table of contents;
- an honest introduction and overview of your organization, its goals and problems, and the services sought to solve them;
- details on how the RFI or RFP evaluation process will be conducted;
- basis for award (if an RFP);
- the calendar schedule (including times) for related events;
- how to submit the document and any related questions about it, including response format; and
- your organization's background, business requirements, and current technical environment.
Primary business objectives
Please describe the primary business objectives for your organization.
Please give some background on your organization's history, including how long it has been offering cloud computing services.
Please provide information concerning the financial stability of your organization. If your organization is public, please include relevant documents such as annual reports and supporting financial statements. If private, please include documentation that supports the representation of your organization as a stable, profitable, and sustainable one. If not profitable, please provide details about your organization's path towards profitability.
Cloud services offered
Please describe the primary cloud computing or cloud-related services (e.g., software as a service or SaaS) offered by your organization, particularly any of which may be relevant based upon our company's stated needs. If the services are tiered, explain the different levels of service and any significant exceptions and differences separating the levels. Don't forget to describe the capabilities of your hybrid and multicloud offerings.
Expected level of integration or interoperability
Please describe how you anticipate your cloud solutions being able to readily integrate or have base interoperability with a client's systems and business processes, while making it easier for the client to perform their tasks in the cloud.
Details about those cloud services
Please provide details about:
- number of clients specifically using your organization's cloud computing or cloud-related services;
- how long each of those services has been offered;
- the growth rate of those services over the prior fiscal year;
- the average historical downtime of a given cloud service;
- how those services or your organization overall are ranked by top research firms such as Gartner and Forrester; and
- any awards received for your organization's cloud computing or cloud-related services.
Vision and investment in those cloud services
Please provide details about the vision and future direction for choosing, developing, and implementing new in-house or third-party technologies as part of your organization's cloud computing initiative. Additionally, discuss the level of investment made by your organization towards researching, adopting, and integrating newer, more secure technologies and processes into your organization's operations.
Experience and references
Please provide details on:
- how many clients you provide (or have provided) cloud computing and cloud-related services to in our organization's industry;
- whether any of them are willing to act as references for your services;
- what experience your organization has in meeting the unique regulatory requirements of our industry;
- any examples of clients being a learning source for improving your service; and
- any whitepapers, reports, etc. authored by your organization that are relevant to our industry.
Internal security policy and procedure
Please describe your internal policy and procedure (P&P) regarding security within your organization, including any standards your organization has adopted as part of that P&P. Address any ancillary security policies regarding, e.g., acceptable use of technology, remote and from-home work, and security awareness training.
Business continuity and disaster recovery policy
Please describe your organization's P&P regarding business continuity and disaster recovery.
Please describe how your organization organizes its data centers and related infrastructure to optimally provide its cloud computing and cloud-related services. Additionally, address concerns about:
- whether or not your organization owns and manages the data centers;
- where those data centers are located;
- where our data will be located;
- what specifications and encryption types are used for in-transit and at-rest data;
- what level of availability is guaranteed for each data center;
- what level of redundancy is implemented within the data centers;
- what disposal and data destruction policies are in place for end-of-life equipment;
- how that redundancy limits service interruptions should a particular data center go offline;
- what level of cloud-based scalability is available to clients with growth or contraction states; and
- what qualifications and certifications apply to each data center.
Physical security at data centers
Please describe the physical security (e.g., locks, badges, physical security perimeters, surveillance systems, etc.) and continuity (e.g., fire suppression, backup power, etc.) measures put in place at your organization's data centers. Also address visitor procedures and how they are conducted. How are unauthorized access attempts at data centers responded to?
Staffing at data centers
Please describe the staffing procedures at these data centers, including what percentage of overall staff will actually have authorized access to client data. Clearly define any implemented classifications of staff based on level of support or data sensitivity, as well as any related certifications and training required at each support or data sensitivity level. Are contractors treated any differently? Finally, describe what background checks or screening procedures, if any, are implemented towards any organizational personnel and third-parties (e.g., contractors, service technicians) interacting with systems containing client data.
Independent infrastructure review
If your organization has received an independent review of its cloud infrastructure and services (e.g., SOC 2), please provide details of this review, preferably with the full report, but if not, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an independent review, please provide details of any plans or ongoing efforts towards such a review.
Internal infrastructure review
If your organization has performed an internal review of its cloud infrastructure and services, please provide details of this review, with critical details such as who, what, when, where, scope, frequency of testing, and a summary. If your organization has not completed such an internal review, please provide details of any plans or ongoing efforts towards such a review. If your organization conducts internal "red team" or "attack-and-defense" exercises, describe them, their frequency, and how resulting information is acted upon.
Auditing of your operations
If the results of your independent and/or internal review cannot be shared, will your organization allow us to—on our own or through a third party—audit your operations, with the goal of determining the appropriateness of your organization's implemented safeguards?
Auditing of client data
Please describe how your organization handles requests from outside entities for client data and notifies clients when such requests are made. If subpoenas, court orders, search warrants, or other law enforcement actions were to take place, describe how you would maintain any privileged, confidential, or otherwise sensitive information as being protected. Do you have legal representation should these issues arise?
Extraction of client data
Please explain how clients may extract data from your cloud service (i.e., address data portability) on-demand, including particulars about data formats and transfer methods.
Base cloud security
Company philosophy or approach
Please describe how your cloud services address the ephemeral nature of cloud computing while at the same time helping clients maintain their overall security posture. Explain your organization's approach to its security team, including whether or not a dedicated team of security researchers are utilized. If such a team exists, also explain how that research from that team is incorporated into protecting your organization's cloud solution or infrastructure. Finally, describe your team's overall approach to monitoring, analysis, and correlation of security threats, including how automated and human-based analyses are balanced in their approaches and in their handoff to each other.
Philosophy or approach to client security
Please provide relevant considerations a client should have—and primary risks a client should mitigate—when securing information in your organization's cloud infrastructure. Does a clear "shared responsibility" model exist, and if so, how is it effectively communicated to potential and existing clients? If you have documented data security policies, please describe how new and existing clients may access them. Additionally, explain how those policies better ensure client data integrity.
Technology and security
Please describe the organizational and client-based availability and use of cloud security technologies such as:
- device management tools,
- firewalls and related performance monitoring tools,
- identity and access management mechanisms,
- intrusion prevention and detection systems,
- integration tools, and
- any other security-related analysis and prevention tools (e.g., rules engines).
Please describe how sensitive and regulated data is able to be stored on a machine dedicated to complying with the laws and regulations relevant to the data owner. How is that type of data segregated from other clients' data, and will lapses in security of other clients' data affect our own?
Data transmission, sharing, and transfer
Please describe how your cloud services allow for secure transmission and sharing of data across network boundaries, including across other cloud provider environments. Additionally, provide details about any dependencies or technical challenges associated with seamlessly transferring an application, system, or database 1. from a client or third-party cloud environment to your cloud environment and 2. from your cloud environment to another cloud environment. What solutions do you provide towards this seamless transfer?
Please describe your approach to collecting, analyzing, correlating, and acting upon cloud log and event data, particularly in relation to client data and services. Describe how thorough those logs are and provide background on your organizational policy in regards to retaining and making available collected log and event data to clients on-demand. Finally, explain how long those logs and associated data are accessible after creation, as well as whether or not any of that information is kept in secure retention.
If your organization has its own cloud infrastructure, please describe how your organization monitors that infrastructure for security purposes. What self-monitoring services and tools are made available to clients, if any?
Incident response and reporting
Should a security threat be identified by your monitoring activities, please explain how your incident response team cooperates with the monitoring team for efficiency. Additionally, describe how your incident response team works together with clients during a security incident. Provide details on how your organization handles reporting of intrusions, hacks, or other types of breaches to effected clients. Also explain how teams associated with incident response and threat remediation use their capabilities to provide value to the client.
Hybrid and multicloud security
Please explain how your cloud services and their associated technology enable and improve secure integrations and activities in hybrid and multicloud scenarios.
If your organization has a research team dedicated to discovering cloud threats and vulnerabilities, please describe the team, how it's integrated with the organization's operations, and what services that team supports beyond research. If the research team has a mission, please state that mission.
Please describe the information sources the research team (or, if no research team, the overall security team) uses to gather threat intelligence. Provide specifics about any anomaly detection, behavioral analysis, malicious host detection, signature analysis, and volume analysis detection methods.
Use of and access to threat intelligence
Please describe how gathered threat intelligence is analyzed and validated. Additionally, describe how that analyzed and validated threat intelligence is used in the management and monitoring of your cloud services and infrastructure. Also describe what level of visibility and access a client has into this intelligence, as well as the research team itself. If any bug bounty programs or the like exist, please explain them here as well.
Examples of action on threat intelligence
Please provide examples of how threat intelligence generated by your organization's research team (or someone else) has been effectively used to protect clients. Also provide examples of organization white papers, use cases, threat reports, or internal write-ups (if available) regarding threat intelligence and its effective use in the organizational cloud infrastructure.
Vulnerability testing basics
Please describe the extent of vulnerability testing your organization may conduct on its cloud infrastructure, including the origin of any testing protocols.
Vulnerability identification and confirmation
Please describe how vulnerabilities are identified and confirmed within your cloud infrastructure. If your organization has a process for identifying and reporting false positives, provide details. Is vulnerability data incorporated into overall cloud security monitoring processes, and if so, in what ways?
Client-based vulnerability testing
If a client or a representative third party of a client is allowed to perform vulnerability testing on your organization's cloud infrastructure, provide details. If your cloud services support web application scanning and testing for database vulnerabilities, please provide important details.
Additional cloud security
Please describe any managed service, software solution, hardware solution, or other mechanism your organization provides or makes available to clients in regard to helping clients maintain endpoint security in the cloud. If such a service or tool is offered, describe what types of alerts are given in association with it and what, if any, remediation recommendations are provided. Be sure to address whether or not threat intelligence is integrated into the service or tool and what operating system (OS) endpoints are covered.
Please describe any managed service, software solution, or other mechanism your organization provides or makes available to clients in regard to helping clients with malware protection. If such a service or tool is offered, describe whether or not it uses sandboxing technology, and if so, what type. Be sure to address whether or not threat intelligence is integrated into the service or tool and what zero-day threat capabilities it may have.
Other ancillary services
Please describe if your organization is capable of assisting clients with security audits and analyses of their own instances. If your organization also provides consulting, technical testing, penetration testing, forensic investigation, and threat remediation services, please describe them, as well as any associated service tiers.
Account management and support
Account management basics
Please describe how accounts are established on your organization's service and what level of visibility clients and their authorized users will have into the cloud services administered, including consumption metrics, security metrics, and various account logs.
Please describe your organizational approach to client support and how that support is structured, including the processes and mechanisms for handling client inquiries and issues. Describe the communication mechanisms primarily and secondarily used for support, including mailed documentation, phone calls, electronic communication, and face-to-face communication. Explain how the escalation process for inquiries and reported issues should be handled.
Help desk and support ticketing
Please indicate what help desk or ticketing functionality is available for clients having cloud service issues. Describe how clients should go about using such tools to initiate the support process. Do clients receive comprehensive downtime support in the case of service downtime?
Availability, provisioning, and responsiveness
Please indicate the availability of your organization's support services, including hours offered. Also indicate who is provisioning the service, whether it's in-house or a third party, and from where the service is provisioned. Note whether or not support services change hands at any point. Finally, describe how support quality is guaranteed at all times, including any guarantees on responsiveness.
Please describe how your organization measures and reports (including frequency) client satisfaction with support, account, and overall services. Describe how deficiencies in client satisfaction are addressed and resolved within the organization.
Please indicate whether or not your organization provides value-added support services, and if so what type. Can a dedicated account manager with sufficient technical knowledge be provided, and if so, at what cost?
Service level agreements (SLAs) and contracts
Please describe the details of your SLAs for the various services you provide, including any negotiable aspects of the SLAs. Provide examples. Any relevant measurements and ranges for work performed by you (e.g., service speed, response times, and accuracy) should also be clearly defined and stated. Explain what the cost implications related to any differing service levels are. Finally, explain whether or not your organization provides clients with a 30-day proof of concept test of the services to ensure your organization can prove its marketing and operational claims.
SLAs for SaaS
In the case of SaaS-related cloud agreements (if applicable) with your organization, please explain how software customization, upgrades, testing, and versioning are addressed in such agreements.
Please explain how your organization monitors and measures its compliance with an SLA. Describe what options are available to clients upon your organization failing to meet an agreed-upon SLA.
Business associate agreements
State whether or not your organization will sign a business associate agreement or addendum for purposes of ensuring your organization appropriately safeguards protected health information, as dictated by the Health Insurance Portability and Accountability Act (HIPAA).
Please describe your policy on archiving, deleting, and helping transition client data from any of your systems upon contract termination, including particulars about data formats, deletion methodologies, and transfer methods. Any explanation should include the respective termination rights of both the organization and the client.
Organization termination or catastrophic loss
Please describe what would happen to a client's data in the event of your organization going out of business or suffering a catastrophic loss.
Please describe your approach to implementing your cloud computing or cloud-based services for clients. You should address:
- the standard timeframe for implementation and onboarding (overall average or last 10 customers);
- whether or not a dedicated point of contact will be maintained throughout implementation, to the end of the contract;
- what resources clients will require to support the implementation and throughout the contract's duration;
- what client processes and procedures your organization has found to be vital to optimal cloud implementation and operation;
- what device and database integrations are supported in an implementation;
- whether or not unsupported devices and databases can be added for support;
- how the impact or disruption of client resources is minimized during implementation; and
- what your normalization and fine-tuning procedures are.
Completion and handoff
Please describe what steps are taken to ensure the implementation is complete, as well as how the service is handed off to the client afterwards. If your organization provides training and documentation at handoff, describe how this training and documentation is administered, and at what additional cost, if any.
Please describe the process used when implementing a service to a client with many geographically dispersed facilities.
Please describe how your company's pricing and payment models meet industry standard practices (e.g., payment per actual services consumed, per GB of storage, per server, per annual subscription, etc.). Provide pricing estimates and examples based upon the various services provided using a current published catalog, standard market pricing, and/or web enabled price calculators. Explain how any metered services are clearly reported and billed. Ensure all costs are accurately reflected, including any:
- underlying "implied" costs,
- initial "stand up" costs,
- ongoing maintenance or subscription costs,
- renewal-related price increases
- data download costs, and
- termination costs.
- Holmes, T. (2 October 2022). "It's a Match: How to Run a Good RFI, RFP, or RFQ and Find the Right Partner". AllCloud Blog. https://allcloud.io/blog/its-a-match-how-to-run-a-good-rfi-rfp-or-rfq-and-find-the-right-partner/. Retrieved 21 August 2021.
- Association of Public Health Laboratories (2017). "Breaking Through the Cloud: A Laboratory Guide to Cloud Computing" (PDF). Association of Public Health Laboratories. https://www.aphl.org/aboutAPHL/publications/Documents/INFO-2017Jun-Cloud-Computing.pdf. Retrieved 21 August 2021.
- "A Helpful Guide to Cloud Computing in a Laboratory". InterFocus Blog. InterFocus Ltd. 5 October 2020. https://www.mynewlab.com/blog/a-helpful-guide-to-cloud-computing-in-a-laboratory/. Retrieved 21 August 2021.
- LBMC (24 February 2021). "Nine Due Diligence Questions to Ask Cloud Service Providers". LBMC Blog. https://www.lbmc.com/blog/questions-cloud-service-providers/. Retrieved 21 August 2021.
- Ward, S. (9 October 2019). "Cloud Computing for the Laboratory: Using data in the cloud - What it means for data security". Lab Manager. https://www.labmanager.com/business-management/cloud-computing-for-the-laboratory-736. Retrieved 21 August 2021.
- Eustice, J.C. (2018). "Understand the intersection between data privacy laws and cloud computing". Legal Technology, Products, and Services. Thomson Reuters. https://legal.thomsonreuters.com/en/insights/articles/understanding-data-privacy-and-cloud-computing. Retrieved 21 August 2021.
- Thomson Reuters (3 March 2021). "Three questions you need to ask your cloud vendors". Thomson Reuters Legal Blog. https://legal.thomsonreuters.com/blog/3-questions-you-need-to-ask-your-cloud-vendors/. Retrieved 21 August 2021.
- Korff, Y. (19 February 2019). "12 revealing questions to ask when evaluating an MSSP or MDR vendor". Expel blog. Expel, Inc. https://expel.io/blog/12-revealing-questions-when-evaluating-mssp-mdr-vendor/. Retrieved 21 August 2021.
- "How to Write an MSSP RDP". NTT Security. September 2016. https://www.nttsecurity.com/docs/librariesprovider3/resources/us_whitepaper_mssp_rfp_uea_v1. Retrieved 21 August 2021.
- "Secureworks Guide to Building a Cloud MSSP RFP Template" (DOCX). Secureworks. Archived from the original on 08 May 2021. https://web.archive.org/web/20210508225741/https://pcdnscwx001.azureedge.net/~/media/Files/US/White%20Papers/SecureWorksNCO411PGuidetoBuildingaCloudRFPTemplate.ashx?modified=20170714201638. Retrieved 21 August 2021.
- "RFP/RFI Questions for Managed Security Services: Sample MSSP RFP Template". Solutionary, Inc. September 2015. https://docecity.com/rfp-sample-questions-for-managed-security-services.html. Retrieved 21 August 2021.
- U.S. Department of State (24 October 2020). "Cloud Mission Support Request for Information". SAM.gov. https://beta.sam.gov/opp/91dc7217b32b459695b27339f4b5d9aa/view. Retrieved 21 August 2021.
- "Cloud Controls Matrix v4" (xlsx). Cloud Security Alliance. 15 March 2021. https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4/. Retrieved 21 August 2021.
- "Cloud Services Procurement Guidance Note". Ireland Office of Government Procurement. 9 February 2021. https://ogp.gov.ie/information-notes/. Retrieved 21 August 2021.
- "IRS RFI Cloud Response" (DOCX). Internal Revenue Service. January 2018. https://cic.gsa.gov/documents/IRS-Cloud-Services-RFI.docx. Retrieved 21 August 2021.
Citation information for this chapter
Chapter: Appendix 3. RFI questions for cloud providers
Title: Choosing and Implementing a Cloud-based Service for Your Laboratory
Edition: First edition
Author for citation: Shawn E. Douglas
License for content: Creative Commons Attribution-ShareAlike 4.0 International
Publication date: August 2021