Difference between revisions of "User:Shawndouglas/sandbox/sublevel12"

From LIMSWiki
Jump to navigationJump to search
Tag: Reverted
 
(3 intermediate revisions by the same user not shown)
Line 8: Line 8:
==Sandbox begins below==
==Sandbox begins below==
<div class="nonumtoc">__TOC__</div>
<div class="nonumtoc">__TOC__</div>
==5. Develop and create the cybersecurity plan==
What follows is a template to help guide you in developing your own [[cybersecurity]] plan. Remember that this is a template and strategy for developing the cybersecurity plan for your organization, not a regulatory guidance document. This template has at its core a modified version of the template structure suggested in the late 2018 ''Cybersecurity Strategy Development Guide'' created for the National Association of Regulatory Utility Commissioners (NARUC).<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref> While their document focuses on cybersecurity for utility cooperatives and commissions, much of what NARUC suggests can still be more broadly applied to all but the tiniest of businesses. Additional resources such as the American Health Information Management Association's ''AHIMA Guidelines: The Cybersecurity Plan''<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |archiveurl=https://web.archive.org/web/20220119204903/https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |archivedate=19 January 2022 |accessdate=10 March 2023}}</ref>; National Rural Electric Cooperative Association (NRECA), Cooperative Research Network's ''Guide to Developing a Cyber Security and Risk Mitigation Plan''<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=10 March 2023}}</ref>; and various cybersecurity experts' articles<ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/222076/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=10 March 2023}}</ref><ref name="NortonSimilar18">{{cite web |url=https://intraprisehealth.com/similar-but-different-gap-assessment-vs-risk-assessment/ |title=Similar but Different: Gap Assessment vs Risk Analysis |author=Norton, K. |publisher=IntrapriseHEALTH |date=21 June 2018 |accessdate=10 March 2023}}</ref><ref name="EwingFourWays17">{{cite web |url=https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/ |title=4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans |author=Ewing, S. |publisher=Delta Risk |date=12 July 2017 |accessdate=10 March 2023}}</ref><ref name="KrasnowCyber17">{{cite web |url=https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans |title=Cyber-Security Event Recovery Plans |author=Krasnow, M.J. |publisher=International Risk Management Institute, Inc |date=February 2017 |accessdate=10 March 2023}}</ref><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=10 March 2023}}</ref><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=10 March 2023}}</ref> have been reviewed to further supplement the template. This template covers 10 main cybersecurity planning steps, each with multiple sub-steps. Additional commentary, guidance, and citation is included with those sub-steps.


Note that before development begins, you'll want to consider the knowledge resources available and key stakeholders involved. Do you have the expertise available in-house to address all 10 planning steps, or will you need to acquire help from one or more third parties? Who are the key individuals providing critical support to the business and its operations? Having the critical expertise and stakeholders involved with the plan's development process early on can enhance the overall plan and provide for more effective strategic outcomes.<ref name="NARUCCyber18" />
<!--{{LIMS Selection Guide for Manufacturing Quality Control/Resources for selecting and implementing informatics solutions/LIMS vendors}}//-->
==4. Resources for selecting and implementing informatics solutions==


Also remind yourself that completing this plan will likely not require a straightforward, by-the-numbers approach. The most feasible outcome will have you jumping around a few steps and filling in blanks or revising statements in previous portions of the plan. While the ordering of these steps is deliberate, completing them in order may not make the best sense for your organization. Don't be afraid to jump around or go back and update sections you've worked on previously using new-found knowledge. For example, some organizations with limited professional expertise in cybersecurity may find value in jumping to the end of section 5.3 and reviewing the wording of some of the cybersecurity controls early in the process in order to become more familiar with the related vocabulary.
The LIMS vendors and consultants lists are directly pulled from LIMSwiki's maintained tabular listings of these types of entities. The professional section addresses trade organizations, conferences, and more. The last section introduces LIMSpec, which will be addressed further in this guide.


Finally, the various steps of this plan will recommend the development of a variety of other policies, procedures, and documents, e.g., a communications plan and a response and continuity plan. As NIST notes in its SP 800-53 framework, effective security plans make reference to other policy and procedure documents and don't necessarily fully contain those actual policies and procedures themselves. Rather, the plan should "provide explicitly or by reference, sufficient [[information]] to define what needs to be accomplished" by those policies and procedures. All of that is to say that when going through the steps below, be cognizant of that advice. Recommendations to make a communications plan or response plan don't necessarily mean those plans should be an actual portion of your overall cybersecurity plan, but rather a component external to the plan yet referenced and detailed sufficiently within the plan.


'''''An Example Cybersecurity Plan'''''
===4.1 LIMS vendors===
NOTE: This listing represents all known active LIMS vendors. For a categorized listing of LIMS vendors who publicly indicate they serve a particular manufacturing-related industry, see the categorization of [[:Category:LIMS vendors by industry|LIMS vendors by industry]].


The following instructional template for developing a cybersecurity plan is admittedly a lot of information to take in at once. Some people are much better understanding a concept through examples. As such, what is modestly called ''An Example Cybersecurity Plan'' has been developed to accompany this guide. That example plan includes an introduction to provide more context concerning its creation, as well as a simple outline of the following steps 5.1 through 5.10. The example plan itself comes afterwards, presented from the perspective of fictional environmental laboratory company ABC123 Co. This example is slightly unorthodox in that it presents a cybersecurity plan in an iterative state of development, emphasizing the "living document" aspect of a cybersecurity plan. The document demonstrates the concepts emphasized in this guide, including the concept of referencing other relevant policies and documents without duplicating them within the cybersecurity plan. Note that while a separate document, ''An Example Cybersecurity Plan'' is released under the same Creative Commons license as this guide, and those license requirements should still be followed.


'''Link to file''': [[:File:An Example Cybersecurity Plan - Shawn Douglas - v1.0.pdf|''An Example Cybersecurity Plan'']]
{{All active LIMS vendors}}


'''Instructions''': After clicking the above link, click the link (underneath the PDF icon) at the top of the resulting page to view in browser, or right-click and "save as" to save a copy.)


<!--{{LIMS Selection Guide for Manufacturing Quality Control/Resources for selecting and implementing informatics solutions/Consultants}}//-->
===4.2 Consultants===


===5.1. Develop strategic cybersecurity goals and define success===
{{LIMS, LIS, and laboratory}}
[[File:NICE Cybersecurity Workforce Framework.jpg|right|300px]]
====5.1.1 Broadly articulate business goals and how information technology relates====
Something should drive you to want to implement a cybersecurity plan. Sometimes the impetus may be external, such as a major breach at another company that affects millions of people. But more often than not, well-formulated business goals and the resources, regulations, and motivations tied to them will propel development of the plan. Business goals have, hopefully, already been developed by the time you consider a cybersecurity plan. Now is the time to identify the technology and data that are tied to those goals. A [[clinical laboratory]], for example, may have as a business goal "to provide prompt, accurate analysis of specimens submitted to the laboratory." Does the lab utilize [[information management]] systems as a means to better meet that goal? How secure are the systems? What are the consequences of having mission-critical data compromised in said systems?


====5.1.2 Articulate why cybersecurity is vital to achieving those goals====
Looking to your business goals for the technology, data, and other resources used to achieve those goals gives you an opportunity to turn the magnifying glass towards why the technology, data, and resources need to be secure. For example, the clinical testing lab will likely be dealing with [[protected health information]] (PHI), and an electric cooperative must reliably provide service practically 100 percent of the time. Both the data and the service must be protected from physical and cyber intrusion, at risk of significant and costly consequence. Be clear about what the potential consequences actually may be, as well as how business goals could be hindered without proper cybersecurity for critical assets. Or, conversely, clearly state what will be positively achieved by addressing cybersecurity for those assets.


====5.1.3 State the cybersecurity mission and define how to achieve it, based on the above====
<!--{{LIMS Selection Guide for Manufacturing Quality Control/Resources for selecting and implementing informatics solutions/Professional}}//-->
You've stated your business goals, how technology and data plays a role in them, and why it's vital to ensure their security. Now it's time to develop your strategic mission in regards to cybersecurity. You may wish to take a few extra steps before defining the goals of that mission, however. The NARUC has this to say in that regard<ref name="NARUCCyber18" />:
===4.3 Professional===
====4.3.1 Trade organizations====
* https://www.iqsdirectory.com/associations/manufacturing-associations.html
* https://www.fda.gov/cosmetics/resources-industry-cosmetics/cosmetic-trade-and-professional-associations
* [https://www.themanufacturinginstitute.org/ Manufacturing Institute (MI)]
* [https://www.nam.org/ National Association of Manufacturers (NAM)]
* [https://phrma.org/ Pharmaceutical Research and Manufacturers of America (PhRMA)]


<blockquote>Establishing a strategic [mission] is a critical first step that sets the tone for the entire process of drafting the strategy. Before developing [the mission], a commission may want to do an internal inventory of key stakeholders; conduct blue-sky thinking exercises; and do an environmental assessment and literature review to identify near-, mid-, and long-term drivers of change that may affect its goals.</blockquote>
====4.3.2 Conferences and trade shows====


Whatever cybersecurity mission goals you inevitably declare, you'll want to be sure they "provide a sense of purpose, identity, and long-term direction" and clearly communicate what's most important in regards to cybersecurity to internal and external customers. Also consider adding concise points that paint the overall mission as one dedicated to limiting vulnerabilities and keeping risks mitigated.<ref name="NARUCCyber18" />


====5.1.4 Gain and promote active and visible support from executive management in achieving the cybersecurity mission====
Ensuring executive management is fully on-board with your stated cybersecurity mission is vital. If key business leaders have not been intimately involved with the process as of yet, it is now time to gain their input and full support. As NARUC notes, "with leadership buy-in, it will be easier to institutionalize the idea that cybersecurity is a priority and can result in more readily available resources."<ref name="NARUCCyber18" /> Consider what AHIMA calls a "State of the Union" approach to presenting the cybersecurity mission goals to leadership, being prepared to answer questions from them about responsible parties, communication policies, and "cyber insurance."<ref name="DowningAHIMA17" /> (Answers to such questions are addressed further into this template. You may wish to have some of what follows informally addressed before taking it to leadership. Or perhaps have an agreement to keep leadership appraised throughout cybersecurity plan development, gaining their feedback and overall acceptance of the plan as development comes to a close.)


<div class="nonumtoc">__TOC__</div>
<!--{{LIMS Selection Guide for Manufacturing Quality Control/Resources for selecting and implementing informatics solutions/LIMSpec}}//-->
===5.2 Define scope and responsibilities===
===4.4 LIMSpec===
[[File:Innovation & Research Symposium Cisco and Ecole Polytechnique 9-10 April 2018 Artificial Intelligence & Cybersecurity (40631791164).jpg|right|400px]]
[[File:LIMSpec.png|right]][[Book:LIMSpec 2022 R2|LIMSpec]] is an ever-evolving set of software user requirements specifications for laboratory informatics systems. The specification has grown significantly from its humble origins over a decade ago. Earlier versions of LIMSpec focused on a mix of both regulatory requirements and clients' "wishlist" features for a given system. The wishlist items haven't necessarily been ignored by developers, but they do in fact have to be prioritized by the potential buyer as "nice to have" or "essential to system operation," or something in between.<ref name="AasemAnalysis10">{{cite journal |title=Analysis and optimization of software requirements prioritization techniques |author=Aasem, M.; Ramzan, M.; Jaffar, A. |journal=Proceedings from the 2010 International Conference on Information and Emerging Technologies |pages=1–6 |year=2010 |doi=10.1109/ICIET.2010.5625687}}</ref><ref name="Hirsch10Steps13">{{cite web |url=https://www.phase2technology.com/blog/successful-requirements-gathering |title=10 Steps To Successful Requirements Gathering |author=Hirsch, J. |publisher=Phase2 Technology, LLC |date=22 November 2013 |accessdate=07 December 2022}}</ref><ref name="BurrissSoftware07">{{cite web |url=http://sce2.umkc.edu/BIT/burrise/pl/requirements/ |archiveurl=https://web.archive.org/web/20190724173601/http://sce2.umkc.edu/BIT/burrise/pl/requirements/ |title=Requirements Specification |work=CS451R, University of Missouri–Kansas City |author=Burris, E. |publisher=University of Missouri–Kansas City |date=2007 |archivedate=24 July 2019 |accessdate=07 December 2022}}</ref> This latest version is different, focusing strictly on a regulatory-, standards-, and guidance-based approach to building a specification document for laboratory informatics systems.  
====5.2.1 Define the scope and applicability through key requirements and boundaries====
Now that the cybersecurity mission goals are clear and supported by leadership, it's time to tailor strategies based on those stated goals.  


How broad of scope will the mission goals take you across your business assets? Information technology (IT) and data will surely be at the forefront, but don't forget to also address operational technology (OT) assets as well.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref> One helpful tool in determining the strategies and requirements needed to meet mission goals is to clearly define the logical and physical boundaries of your information system.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=10 March 2023}}</ref> When considering those boundaries, remember the following<ref name="LebanidzeGuide11" />:
At its core, LIMSpec is rooted in [[ASTM E1578|ASTM E1578-18]] ''Standard Guide for Laboratory Informatics''. With the latest version released in 2018, the standard includes an updated Laboratory Informatics Functional Requirements checklist, which "covers functionality common to the various laboratory informatics systems discussed throughout [the] guide as well as requirements recommended as part of [the] guide." It goes on to state that the checklist "is an example of typical requirements that can be used to guide the purchase, upgrade, or development of a laboratory informatics system," though it is certainly "not meant to be exhaustive."


* An information system is more than a piece of software; it's a collection of all the components and other resources within the system's environment. Some of those will be internal and some external.
LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, the LIMSpec should also definitely be considered a continual work in progress, with more to be added as new pertinent regulations, standards, and guidance are discovered.
* The system is more than just hardware; the interfaces—physical and logical—as well as communication protocols also make up the system.
* The system has physical, logical, and security control boundaries, as well as data flows tied to those boundaries.
* The data housed and transmitted in the system is likely composed of varying degrees of sensitivity, further shaping boundaries.
* The information system's primary functions are directly tied to the goals of the business.


Additionally, when considering the scope of the plan, you'll also want to take into account advancements in both technology and cyber threats. "Unprecedented cybersecurity challenges loom just beyond the horizon," states CNA, a nonprofit research and analysis organization located in Arlington, Virginia. But we have to focus on more than just the "now." CNA adds that "today's operational security agenda is too narrow in scope to address the wide range of issues likely to emerge in the coming years."<ref name="CNACyber19">{{cite web |url=https://www.cna.org/centers/ipr/safety-security/cyber-security-project |archiveurl=https://web.archive.org/web/20220109120854/https://www.cna.org/centers/ipr/safety-security/cyber-security-project |title=Cybersecurity Futures 2025 |work=Institute for Public Research |publisher=CNA |date=2019 |archivedate=09 January 2022 |accessdate=10 March 2023}}</ref> Just as CNA is preparing a global initiative to shape policy on future cybersecurity challenges, so should you apply some focus to what potential technology upgrades may be made and what new cyber threats may appear.  
If you've never worked with a user requirements specification document, the concept remains relatively simple to grasp. Merriam-Webster defines a "specification" as "a detailed precise presentation of something or of a plan or proposal for something."<ref name="MWSpec">{{cite web |url=https://www.merriam-webster.com/dictionary/specification |title=specification |work=Merriam-Webster |publisher=Merriam-Webster, Inc |accessdate=07 December 2022}}</ref> Within this organized "plan or proposal" are requirements. A requirement typically comes in the form of a statement that begins with "the system/user/vendor shall/should ..." and focuses on a provided service, reaction to input, or expected behavior in a given situation. The statement may be abstract (high-level), or it may be specific and detailed to a precise function. The statement may also be of a functional nature, describing functionality or services in detail, or of a non-functional nature, describing the constraints of a given functionality or service and how it's rendered.  


Finally, some of the plan's scope may be dictated by prioritized assessment of risks to critical assets—addressed in the next section—and other assessments. It's important to keep this in mind when developing the scope; it may be affected by other parts of the plan. As you develop further sections of the plan, you may need to update previous sections with what you've learned.
An example of a functional software requirement could be "the user shall be able to query either all of the initial set of databases or select a subset from it." This statement describes specific functionality the system should have. On the other hand, a non-functional requirement, for example, may state "the system's query tool shall conform to the ABC 123-2014 standard." The statement describes a constraint placed upon the system's query functionality. Once compiled, a set of requirements can serve not only to strengthen the software requirements specification, but the requirements set can also be used for bidding on a contract or serve as the basis for a specific contract that is being finalized.<ref name="MemonSoftware10">{{cite web |url=https://www.cs.umd.edu/~atif/Teaching/Spring2010/Slides/3.pdf |format=PDF |title=Software Requirements: Descriptions and specifications of a system |author=Memon, A. |publisher=University of Maryland |date=Spring 2010 |accessdate=07 December 2022}}</ref>


====5.2.2 Define the roles, responsibilities, and chain of command of those enacting and updating the cybersecurity plan====
The next chapter discusses the user requirements specification, using LIMSpec as an example. You'll learn how to shape such a specification to your laboratory's needs, how to issue the specification as a request for information (RFI), and how to get the most out of it when getting decision-related information from vendors. Additionally, in Appendix 1, you'll find a blank version of LIMSpec for practical use.
You'll also want to define who will fill what roles, what responsibilities they will have, and who reports to who as part of the scope of your plan. This will include not only who's responsible for developing the cybersecurity plan (which you'll have hopefully determined early on) but also implementing, enforcing, and updating it. Having a senior manager who's able to oversee these responsibilities, make decisions, and enforce requirements will improve the plan's chance of success. Having clearly defined security-related roles and responsibilities (including security risk management) at one or more organizational levels (depending on how big your organization is) will also improve success rates.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=10 March 2023}}</ref><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=10 March 2023}}</ref>


====5.2.3 Ensure that roles and responsibility for security (the “who” of it) are clear====
==References==
Defining roles, responsibilities, and chain of command isn't enough. Effectively communicating these roles and responsibilities to everyone inside and outside the organization—including third parties such as contractors and [[Cloud computing|cloud providers]]—is vital. This typically involves encouraging transparency of cybersecurity and responsibility goals of the organization, as well as addressing everyday communications and education of everyone affected by the cybersecurity plan.<ref name="NARUCCyber18" /><ref name="LebanidzeGuide11" /><ref name="CopelandHowToDev18" /> However, through it all, keep in mind for future communications and training that ultimately security is everyone's responsibility, from employees to contractors, not just those enacting and updating the plan.
{{Reflist|colwidth=30em}}
 
<div class="nonumtoc">__TOC__</div>
===5.3 Identify cybersecurity requirements and objectives===
[[File:Cybersecurity Strategy 5 Layer CS5L.png|right|450px]]
====5.3.1 Detail the existing system and classify its critical and non-critical cyber assets====
AHIMA recommends you "create an information asset inventory as a base for risk analysis that defines where all data and information are stored across the entire organization."<ref name="DowningAHIMA17">{{cite web |url=https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |archiveurl=https://web.archive.org/web/20220119204903/https://journal.ahima.org/wp-content/uploads/2017/12/AHIMA-Guidelines-Cybersecurity-Plan.pdf |format=PDF |title=AHIMA Guidelines: The Cybersecurity Plan |author=Downing, K. |publisher=American Health Information Management Association |date=December 2017 |archivedate=19 January 2022 |accessdate=10 March 2023}}</ref> Consider any applications and systems used within the periphery of your operations, including business intelligence software, mobile devices, and legacy systems. Remember that any networked application or system could potentially be compromised and turned into a vector of attack. Additionally, classify and gauge those assets' based on type, risk, and criticality. What are their essential functions? How can they be grouped? How do they communicate: internally, externally, or not at all?<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=10 March 2023}}</ref> As AHIMA notes, you'll be able to use this asset inventory, in combination with a variety of additional assessments described below, as a base for your risk assessment.
 
====5.3.2 Define the contained data and classify its criticality====
During the asset inventory, you'll also want to address classifying the type of data contained or transported by the cyber asset, which aids in decision-making regarding the controls you'll need to adequately protect the assets.<ref name="LebanidzeGuide11" /> Use a consistent set of nomenclature to define the data. For example, if you look at universities such as the University of Illinois and Carnagie Mellon University, they provide guidance on how to classify institutional data based on characteristics such as criticality, sensitivity, and risk. The University of Illinois has a defined set of standardized terms such as "high-risk," "sensitive," "internal," and "public,"<ref name="UoIData19">{{cite web |url=https://cybersecurity.uillinois.edu/data_classification |title=Data Classification Overview |work=Cybersecurity |publisher=University of Illinois System |date=2019 |accessdate=10 March 2023}}</ref> whereas Carnagie Mellon uses "restricted," "private," and "public."<ref name="CMUGuidelines18">{{cite web |url=https://www.cmu.edu/data/guidelines/data-classification.html |title=Guidelines for Data Classification |work=Information Security Office Guidelines |publisher=Carnegie Mellon University |date=16 November 2022 |accessdate=10 March 2023}}</ref> You don't necessarily need to use anyone's classification system verbatim; however, do use a consistent set of terminology to define and classify data.<ref name="LebanidzeGuide11" /> Consider also adding additional details about whether the data is in-motion, in-use, or at-rest.<ref name="BowieSEC19">{{cite web |url=https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/ |archiveurl=https://web.archive.org/web/20191130181159/https://adeliarisk.com/sec-cybersecurity-guidance-data-loss-prevention/ |title=SEC Cybersecurity Guidance: Data Loss Prevention |author=Bowie, K. |publisher=Adelia Associates, LLC |date=09 April 2019 |archivedate=30 November 2019 |accessdate=10 March 2023}}</ref>
 
If you have difficulties classifying the data, pose a series of data protection questions concerning the data's characteristics. One such baseline for questions could be the European Union's definition of what constitutes personal data. For example<ref name="LebanidzeGuide11" /><ref name="KochWhatIs19">{{cite web |url=https://gdpr.eu/eu-gdpr-personal-data/ |title=What is considered personal data under the EU GDPR? |author=Koch, R. |publisher=Proton Technologies AG |date=01 February 2019 |accessdate=10 March 2023}}</ref>:
 
* Does the data identify an individual directly?
* Does the data relate specifically to an identifiable person?
* Could the data—when processed, lost, or misused—have an impact on an individual?
 
====5.3.3 Identify current and previous cybersecurity policy and tools, as well as their effectiveness====
Unless your business is in the formative stages, some type of technology infrastructure and policy likely exists. What, if any, cybersecurity policies and tools have you implemented in the past? Review any current access control protocols (e.g., role-based and "least privilege" policies) and security policies. Have they been updated to take into consideration recent changes in threats, risks, criticality, technology, or regulation?<ref name="DowningAHIMA17" /><ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/222076/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=10 March 2023}}</ref><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=10 March 2023}}</ref> In the same way, identify any past security policies and why they were discontinued. It may be convenient to track all these security protocols and policies in a master sheet, rather than spread out across multiple documents. Also, now might be a good time to identify how security-aware personnel are overall.<ref name="LagoHowTo19" /> Of course, if protocols and policies aren't in place, create them, remembering to include proper communication, scheduled policy reviews, and training into the equation.
 
====5.3.4 Identify the regulations, standards, and best practices affecting your assets and data====
Arguably, most business types will be impacted by [[Regulatory compliance|regulations]], standards, or best practices. Even niche professions like cinema editors are guided by best practices set forth by professional organizations.<ref name="ACEBest17">{{cite web |url=https://americancinemaeditors.org/best-practices-guide/ |title=ACE Best Practices Guide for Post Production |publisher=American Cinema Editors |date=2017 |accessdate=10 March 2023}}</ref> In the case of laboratories, multiple regulations and standards apply to operations, including information management and privacy practices. Presumably one or more executives in your business are familiar with the legal and professional aspects of how the business should be run. If not, significant research and outside consultant help may be required. Regardless, when approaching this task, ensure everyone understands the distinctions among "regulation," "standard," and "best practice."
 
Remember that while regulators may dictate how you manage your cybersecurity assets, setting policy that goes above and beyond regulation is occasionally detrimental to your business. [[Data retention]] requirements, for example, are important to consider, not only for regulatory purposes but also data management and security reasons. To be sure, numerous U.S. Code of Federal Regulations (e.g., [[21 CFR Part 11]], 40 CFR Part 141, and 45 CFR Part 164), European Union regulations (e.g., E.U. Annex 11 and E.U. Commission Directive 2003/94/EC), and even global entities (e.g., WHO Technical Report Series, #986, Annex 2) address the need for record retention. However, as AHIMA points out, records shouldn't be kept forever<ref name="DowningAHIMA17" />:
 
<blockquote>Healthcare organizations have been storing and maintaining records and information well beyond record retention requirements. This creates significant additional security risks as systems and records must be maintained, patched, backed up, and provisioned (access) for longer than necessary or required by law ...  In the era of big data the idea of keeping “everything forever” must end. It simply is not feasible, practical, or economical to secure legacy and older systems forever.</blockquote>
 
This example illustrates the idea that while regulatory compliance is imperative, going well beyond compliance limits has its own costs, not only financially but also by increasing cybersecurity risk.
 
====5.3.5 Identify and analyze logical and physical system entry points and configurations====
This step is actually closely tied to the next step concerning gap analysis. As such, you may wish to address both steps together. You've already identified your critical and non-critical assets, and performing a gap analysis on them may be a useful start in finding and analyzing the logical entry points of a system. But what are some of the most common entry points that attackers may use?<ref name="KumarDiscover16">{{cite web |url=https://resources.infosecinstitute.com/topic/discovering-entry-points/ |title=Discovering Entry Points |author=Kumar, A.J. |publisher=InfoSec Institute |date=06 September 2016 |accessdate=10 March 2023}}</ref><ref name="AhmedIndustrial19">{{cite web |url=https://www.controleng.com/articles/industrial-control-system-ics-cybersecurity-advice-best-practices/ |title=Industrial control system (ICS) cybersecurity advice, best practices |author=Ahmed, O.; Rehman, A.; Habib, A. |work=Control Engineering |publisher=CFE Media LLC |date=12 May 2019 |accessdate=10 March 2023}}</ref><ref name="BonderudPodcast19">{{cite web |url=https://securityintelligence.com/media/podcast-lateral-movement-combating-high-risk-low-noise-threats/ |title=Podcast: Lateral Movement: Combating High-Risk, Low-Noise Threats |author=Bonderud, D. |work=SecurityIntelligence |publisher=IBM |date=11 June 2019 |accessdate=10 March 2023}}</ref><ref name="VerizonIncident19">{{cite web |url=https://www.verizon.com/business/resources/reports/dbir/2019/incident-classification-patterns-subsets/ |title=Incident Classification Patterns and Subsets |work=2019 Data Breach Investigations Report |publisher=Verizon |date=2019 |accessdate=10 March 2023}}</ref>
 
* Inbound network-based attacks through software, network gateways, and online repositories
* Inbound network-based attacks through misconfigured firewalls and gateways
* Access to systems using stolen credentials (networked and physical)
* Access to peripheral systems via communication protocols, insecure credentials, etc. through lateral movement in the network
 
From email and [[enterprise resource planning]] (ERP) applications and servers to networking devices and tools, a wide variety of vectors for attack exist in the system, some more common than others. Analyzing these components and configurations takes significant expertise. If internal expertise is unavailable for this, it may require a third-party security assessment to gain a clearer picture of the entry points into your system. Even employees and their lack of cybersecurity knowledge may represent points of entry, via phishing schemes.<ref name="DowningAHIMA17" /><ref name="VerizonIncident19" /> This is where training and internal random testing (addressed later) come into play.<ref name="DowningAHIMA17" />
 
Physical access to system components and data also represent a significant attack vector, more so in particular industries and network set-ups. For example, industrial control systems in manufacturing plants may require extra consideration, with some control system vendors now offering an added layer of physical security in the form of physical locks that prevent code from being executed on the controller.<ref name="AhmedIndustrial19" /> Cloud-based data centers and field-based monitoring systems represent other specialist situations requiring added physical controls.<ref name="LebanidzeGuide11" /><ref name="DowningAHIMA17" /><ref name="CopelandHowToDev18" /> That's not to say that even small businesses shouldn't worry about physical security; their workstations, laptops, USB drives, mobile devices, etc. can be compromised if made easy for the general public to access offices and other work spaces.<ref name="CopelandHowToDev18" /> In regulated environments, physical access controls and facility monitoring may even be mandated.
 
====5.3.6 Perform a gap analysis====
A gap analysis is different from a risk analysis in that the gap analysis represents a high-level, narrowly-focused comparison of the technical, physical, and administrative safeguards in place with how well they actually perform against a cyber attack. As such, the gap analysis can be thought of as introduction to potential vulnerabilities in a system, which is part of an overall risk analysis.<ref name="NortonSimilar18">{{cite web |url=https://intraprisehealth.com/similar-but-different-gap-assessment-vs-risk-assessment/ |title=Similar but Different: Gap Assessment vs Risk Analysis |author=Norton, K. |publisher=HIPAA One |date=21 June 2018 |accessdate=10 March 2023}}</ref> The gap analysis asks what your cyber capabilities are, what the major threats are, and what the differences are between the two. Additionally, you may want to consider what the potential impacts would be if a threat were realized.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref>
 
The gap analysis can also be looked at as measure of current safeguards in place vs. what industry best practice controls dictate. This may be done by choosing an industry-standard security framework—we're using the NIST SP 800-53, Rev. 5 framework for this guide—and evaluating key stakeholder policies, responsibilities, and processes against that framework.<ref name="SellHowTo15">{{cite web |url=https://www.cio.com/article/251153/how-to-conduct-an-information-security-gap-analysis.html |title=How To Conduct An Information Security Gap Analysis |author=Sell, C. |work=CIO |publisher=IDG Communications, Inc |date=28 January 2015 |accessdate=10 March 2023}}</ref>
 
====5.3.7 Perform a risk analysis and prioritize risk based on threat, vulnerability, likelihood, and impact====
With cybersecurity goals, asset inventory, and gap analysis in hand, its time to go comprehensive with [[risk assessment]] and prioritization. Regardless of whether or not you're hosting and transmitting PHI or other types of sensitive information, you'll want to look at all your cybersecurity goals, systems, and applications as part of the risk analysis.<ref name="DowningAHIMA17" /> Functions of risk analysis include, but are not limited to<ref name="LebanidzeGuide11" /><ref name="NortonSimilar18" /><ref name="TalamantesDoesYour17">{{cite web |url=https://www.redteamsecure.com/blog/does-your-cybersecurity-plan-need-an-update |title=Does Your Cybersecurity Plan Need an Update? |author=Talamantes, J. |work=RedTeam Knowledge Base |publisher=RedTeam Security Corporation |date=06 September 2017 |accessdate=10 March 2023}}</ref>:
 
* considering the operations supporting business goals and how those operations use technology to achieve them;
* considering the various ways the system functionality and entry points could be abused and compromised (threat modeling);
* comparing the current system's or component's architecture and features to various threat models; and
* compiling the risks identified during threat modeling and architecture analysis and prioritizing them based on threat, vulnerability, likelihood, and impact.
 
Additionally, as part of this process, you'll also want to examine the human element of risk in your business. How thorough are your background checks of new employees and third parties accessing your systems? How easy is it for them to access the software and the hardware? Is the principle of "least privilege" being used appropriately? Have any employee loyalties shifted drastically lately? Are the vendors supplying your IT and data services thoroughly vetted? These and other questions can supplement the human-based aspect of cybersecurity risk assessment.
 
====5.3.8 Declare and describe objectives based on the outcomes of the above assessments====
After performing all that research, it's finally time to distill it down into a clear set of cybersecurity objectives. Those objectives will act as the underlying core for the actions the business will take to develop policies, fill in security gaps, monitor progress, and educate staff. The objectives that come out of this step "should be specific, realistic, and actionable."<ref name="NARUCCyber18" /> In a world where cyber threats are constantly evolving, being "100 percent secure against cyber threats" is an unrealistic goal, for example.<ref name="NARUCCyber18" />
 
One way to go about this process is to go back to the cybersecurity strategy you created (see 5.1.3) and place your objectives under the strategic goals they support. Perhaps one of your goals is to promote a culture of cybersecurity awareness among all employees and contractors. Under that goal you could list objectives such as "improve subject-matter expertise among leadership" and "support and encourage biannual cybersecurity training exercises throughout the business." You may also want to, at this point, make mention of what prioritization the objectives have and what progress measurement mechanisms can and should be put in place. Finally, work a certain level of adaptability into the objectives, not only in what they should achieve but also how they should be evaluated and updated. Technology, attack vectors, and even business needs can change rapidly. The objectives you develop should take this into consideration, as should the review and update policy for the cybersecurity plan itself (discussed later).
 
It's important to note that at this point of identifying cybersecurity requirements and objectives, and into the subsequent two steps of identifying policies and selecting and refining controls, the concept of risk management should be front and center. In a 2016 letter to the U.S. Commission on Enhancing National Cybersecurity, computing experts Lipner and Lampson emphasized the difficulty of cybersecurity risk management<ref name="LipnerRisk16">{{cite web |url=https://www.nist.gov/system/files/documents/2016/09/16/s.lipner-b.lampson_rfi_response.pdf |format=PDF |title=Risk Management and the Cybersecurity of the U.S. Government - Input to the Commission on Enhancing National Cybersecurity |author=Lipner, S.B.; Lampson, B.W. |date=September 2016 |accessdate=10 March 2023}}</ref>:
 
<blockquote>"It is impossible to measure precisely either the amount of security a given investment buys or the expected consequences of less than perfect security. Thus, decision makers must make security investments whose benefits are very uncertain. This makes it tempting to spend less on security and more on new programs or other alternatives with more visible benefits."</blockquote>
 
Despite these difficulties, the process of translating gap analysis and risk analysis into actionable and realistic objectives must be done. But you're close to or already have made the inroads to reaching this point. You've inventoried and examined the hardware and network settings you already use (5.3.1). You've examined your existing (and possibly even future) data and declared its criticality (5.3.2) in the context of the regulations, standards, and best practices affecting your assets and data (5.3.4). And you've reviewed your existing policies, looking for areas of improvement (5.3.3). You know where you are and where you want to go. Now the risk management components arrive in the form of objectives (5.3.8) that align with your overall cybersecurity strategy (5.1.3), the tangential cybersecurity policies requiring creation and modification (5.3.9), and the security controls chosen to support those objectives and policies (5.3.10). If you realize this full approach, cybyersecurity risk management should come naturally, by extension.
 
====5.3.9 Identify policies for creation or modification concerning passwords, physical security, etc., particularly where gaps have been identified from the prior assessments and objectives====
Say you previously noted your business has a few password and other access management policies in place, but they are relatively weak compared to where you want to be. If you haven't already, now is a good time to start tracking those and other policies that need to be updated or even created from scratch. Note that you may also discover additional policies that should be addressed during the next step of selecting and refining security controls. Consider performing this step in tandem with the next to gain the clearest idea of all the policy updates the business will require to meet its cybersecurity objectives.
 
====5.3.10 Select and refine security controls for identification, protection, detection, response, and recovery based on the assessments, objectives, and policies above====
According to cybersecurity solutions company Tenable, 84 percent of U.S. organization turn to to at least one cybersecurity framework in their organization, and 44 percent work with more than one.<ref name="WatsonTopFour19">{{cite web |url=https://www.itgovernanceusa.com/blog/top-4-cybersecurity-frameworks |title=Top 4 cybersecurity frameworks |author=Watson, M. |work=IT Governance USA Blog |publisher=GRC International Group plc |date=17 January 2019 |accessdate=10 March 2023}}</ref> This is done in part to comply with a mix of regulations affecting organizations today, as well as provide a baseline of security policies and protocols, even for the smallest of organizations. In that regard, it makes sense to heavily involve cybersecurity frameworks and controls in the development of your cybersecurity plan.
 
For the purposes of this guide, the NIST control descriptions found in [https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final NIST Special Publication 800-53, Revision 5]: ''Security and Privacy Controls for Information Systems and Organizations'' are used. Most of the "Low" baseline controls, as well as select "Moderate" and "High" baseline controls, are highly worthy of consideration for organizations. Additionally, a simplified version of controls was derived from 800-53 in the form of [https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final NIST Special Publication 800-171, Revision 2]: ''Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations''. One of the benefits of this set of NIST controls is that it maps to both NIST SP 800-53 and the [[|ISO/IEC 27000-series|ISO/IEC 27001:2013]] controls. And many of the cybersecurity groups and frameworks listed above have at their base—or are mapped to—those same two groups of controls.
 
You'll probably want to refer to Appendix 1 of this guide. There you'll find the "Low" baseline controls of NIST SP 800-53, as well as select "Moderate" and "High" baseline controls. For basic organizations working with non-federal data, these controls should prefer a perfectly useful baseline. The control descriptions have been simplified somewhat for quick reading, and any references or additional recommend reading is also added. Finally, you'll also see mapping to what's known as "[[LII:LIMSpec 2022 R2|LIMSpec]]," an evolving set of software requirements specifications for [[laboratory informatics]] systems. If you're not in the laboratory industry, you may not find that mapping entirely useful; however, LIMSpec still includes many specifications that could apply to a broad array of software systems.
 
Regardless of which frameworks and control groups you choose, you'll want to choose at least one and browse through the controls. Select the controls that map readily to the assessments, objectives, and policies you've already developed. You should even notice that some of the controls match to elements of the cybersecurity plan development steps found in this guide. The NIST control "IR-1 Incident response policy and procedures," for example, ties into step 5.8 of this guide, discussed later.
 
 
 
<div class="nonumtoc">__TOC__</div>
===5.6 Determine resource needs===
[[File:Figure 1- Cybersecurity Funding at IRS, Fiscal Years 2014 Estimated, 2015 Actual, 2016 Enacted, and 2017 Requested (Dollars in Millions) (28979530692).jpg|right|500px]]
====5.6.1 Determine whether sufficient in-house subject-matter expertise exists, and if not, how it will be acquired====
Businesses come in many sizes, and not all have the in-house expertise to take the deep dive into cybersecurity. To be fair, the size of a business isn't the only determiner of IT resources. Hiring practices and hosting decisions for both software and IT (e.g., [[software as a service]] [SaaS] and [[infrastructure as a service]] [IaaS] vs. local hosting) may also impact the level of cybersecurity expertise in the business. Regardless, it's doubtlessly imperative to have some type of expertise involved in assisting with the implementation of your organization's cybersecurity plan. You probably have already addressed this during part two and three of making the cybersecurity plan, but now is an excellent time to double check that aside from any short-term expertise you're tapping into while formulating your plan, ensure you have long-term support for the implementation and monitoring of the plan's components.
 
====5.6.2 Estimate time commitments and resource allocation towards training exercises, professional assistance, infrastructure, asset management, and recovery and continuity====
The realities of business dictate that time is indeed valuable.<ref name="CakmakTime19">{{cite web |url=https://techonomy.com/time-money-money-time-means-tech/ |title=Time is Money, Money is Time, and What That Means for Tech |author=Cakmak, J. |work=Techonomy |publisher=Techonomy Media, Inc |date=11 January 2019 |accessdate=10 March 2023}}</ref> For a business to meet its primary goals, an investment of time and resources are required by those involved in the business. For a clinical laboratory, that means laboratorians performing analyses, making [[quality control]] checks, managing test results and reporting, and more. How much time do they truly need to commit in any given week to developing cybersecurity skills? And beyond the individual level, how much time does the business as a whole want to commit? With a need for training, infrastructure management, policy development and management, and recovery and continuity activities, your business has a lot to consider. These and other questions must be asked in relation to the realistic amount of resources available to the business and its personnel.
 
Here are a few additional questions to ask, as suggested by NARUC<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref>:
 
* "What level of staff time should [a business] dedicate to learning about cybersecurity and developing skills necessary to achieve stated goals?"
* "Do staff need to become subject-matter experts, or is it enough that they are familiar with the language and terms?"
* "Do any staff need one-time training, ongoing training, certifications, or security clearances?"
* "Does the [business] have enough personnel to build and maintain relationships with [cybersecurity stakeholders]?"
 
====5.6.3 Review the budget====
Of course, the realities of business also dictate that money is a key component to business operations. That means budgeting that all-important resource. What share of the overall budget will cybersecurity take, as proposed vs. what can realistically be allotted? This is where that previously conducted gap assessment and risk assessment comes into play again. You ended up identifying critical gaps in your current infrastructure and prioritizing cyber risks based on threat, vulnerability, likelihood, and impact. Those assessments guided your goals and objectives. Does your budget align with those goals and objectives? If not, what concessions must be made? If you're a small retail shop, antivirus software and firewalls may be enough. And as editor Cristina Lago notes in her 2019 article for ''CIO'': "Be realistic about what you can afford. After all, you don’t need a huge budget to have a successful security plan. Invest in knowledge and skills."<ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/222076/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=10 March 2023}}</ref>
 
<div class="nonumtoc">__TOC__</div>
===5.7 Develop a communications plan===
[[File:Cybersecurity and the nation's digital future.jpg|right|300px]]
====5.7.1 Address the need for transparency in improving the cybersecurity culture====
<blockquote>"If you look at it historically, the best ways to handle [cybersecurity] incidents is the more transparent you are the more you are able to maintain a level of trust. Obviously, every time there’s an incident, trust in your organization goes down. But the most transparent and communicative organizations tend to reduce the financial impact of that incident.” - McAfee CTO Ian Yip<ref name="LagoHowTo19">{{cite web |url=https://www.cio.com/article/222076/how-to-implement-a-successful-security-plan.html |title=How to implement a successful cybersecurity plan |author=Lago, C. |work=CIO |publisher=IDG Communications, Inc |date=10 July 2019 |accessdate=10 March 2023}}</ref></blockquote>
 
When your organization spreads the idea of improving cybersecurity and the culture around it, it shouldn't forget to talk about the importance of transparency. That includes the development process for the cybersecurity plan itself. Stakeholders will appreciate a forthright plan development and implementation strategy that clearly and concisely addresses the critical information system protections, monitoring, and communication that should be enacted.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref><ref name="LagoHowTo19" /> Not only should internal communication about plan status be clear and regular, but also greater openness placed on promptly informing the affected individuals of cybersecurity risks and incidents. Of course, trust can be indirectly built up in other ways, such as ensuring training material is relevant and understandable, improving user management in critical systems, and ensuring communication barriers between people are limited.
 
====5.7.2 Determine guidelines for everyday communication and mandatory reporting to meet cybersecurity goals====
Sure, your IT specialists and system administrators know and understand the language of cybersecurity, but do the rest of your staff know and understand the topic enough to meet various cybersecurity business goals? One aspect of solving this issue involves ensuring clear, consistent communication and understanding across all levels of the organization. (Another aspect, of course, is training, discussed below.) If everyone is speaking the same language, planning and implementation for cybersecurity becomes more effective.<ref name="NARUCCyber18" /> This extends to everyday communications and reporting. Tips include:
 
* Clearly and politely communicate what consequences exist for those who violate cybersecurity policy, better ensuring compliance.<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=10 March 2023}}</ref><ref name="CopelandHowToDev18">{{cite web |url=https://www.copelanddata.com/blog/how-to-develop-a-cybersecurity-plan/ |title=How to Develop A Cybersecurity Plan For Your Company (checklist included) |publisher=Copeland Technology Solutions |date=17 July 2018 |accessdate=10 March 2023}}</ref>
* Consider developing and using communication and reporting templates for a variety of everyday emails, letters, and reports.<ref name="NARUCCyber18" />
* Don't forget to communicate organizational privacy policies and other security policies to third parties such as vendors and contractors.
* Don't forget to communicate changes of cybersecurity policy to all affected.
* Be flexible with the various routes of communication you can use; not everyone is diligent with email, for example.
 
====5.7.3 Determine guidelines for handling or discussing sensitive information====
Safely and correctly working with sensitive, protected, or confidential data in the organization is no simple task, requiring extra precautions, attention to regulations, and improved awareness throughout the workflow. In the clinical realm, organizations have PHI to worry about, while [[forensic laboratories]] must be mindful of working with classified data. Most businesses keep some sort of financial transaction data, and even your smallest of businesses may be working with trade secrets. These and other types of data require special attention by those creating a cybersecurity plan. Important considerations include staying informed of changes to local, state, and federal law; being vigilant with any role-based access to sensitive data; developing and enforcing clear policy on documenting and disposing cyber assets with such data; and developing boundary protection mechanisms for confining sensitive communications to trusted zones.<ref name="LebanidzeGuide11" /> Cybersecurity standards and frameworks provide additional guidance in this realm.
 
====5.7.4 Address incident reporting and response, as well as corrective action====
As discussed earlier, fostering an environment of transparency in regards to cybersecurity matters is beneficial to the business. By extension, this includes properly disseminating notice of cybersecurity risks, breaches, and associated responses. Steve McGaw, the chief marketing officer for AT&T Business Solutions, had this to say about it in 2017<ref name="McGawBreaching17">{{cite journal |url=https://apps.prsa.org/Intelligence/TheStrategist/Articles/view/11873/1152/Breaching_the_Secret_to_Cybersecurity_Communicatio |archiveurl=https://web.archive.org/web/20220815122956/https://apps.prsa.org/Intelligence/TheStrategist/Articles/view/11873/1152/Breaching_the_Secret_to_Cybersecurity_Communicatio |title=Breaching the secret to cybersecurity communications |author=McGaw, S. |journal=The Public Relations Strategist |issue=Spring 2017 |year=2017 |archivedate=15 August 2022 |accessdate=10 March 2023}}</ref>
 
<blockquote>When a breach is revealed, the attacked company is portrayed not as a victim, but as negligent and, in a subtle way, complicit in the event that ultimately exposed partners and customers. In short, it’s clearer than ever that cyberattacks can have an existential impact on companies. If customers don’t trust a company, then they simply won’t do business with them. These types of brand implications are indelible, and a communication strategy is invaluable.</blockquote>
 
This is where you decide how to communicate cybersecurity incidents and respond to them. McGaw and others offer the following advice in that regard<ref name="NARUCCyber18" /><ref name="LagoHowTo19" /><ref name="McGawBreaching17" /><ref name="HamburgAlign18">{{cite book |chapter=Chapter 4: Aligning a Cybersecurity Strategy with Communication Management in Organizations |title=Digital Communication Management |author=Hamburg, I.; Grosch, K.R |editor=Peña-Acuña, B. |publisher=IntechOpen |year=2018 |isbn=9781838814908 |doi=10.5772/intechopen.75952}}</ref>:
 
* Organize an incident response team of IT professionals, writers, leaders, and legal advisers and together develop protocols for how revelation of a cybersecurity incident should be handled, from the start.
* Ensure that upon an identified breach that the issue and it's likely impact are eventually clearly understood before communicating it to stakeholders. Communicating a hastily written, vague message creates more problems than solutions.
* Provide messaging on the solution (corrective action), not just the problem. Sometimes the solution is complex and difficult, but it's still beneficial to at least let stakeholders know action is being taken to correct the issue and limit its impact.
* Consider the use of playbooks, report templates, and training drills as part of your communication plan. Practice resolving security incidents with your assembled incident response team, and seek outside help when needed.
* When crafting your message, avoid jargon, use clear and simple language, be transparent (avoid "may" and "might"; be up-front), and keep your business values in context with the message.
* Don't forget to extend transparent messaging to internal stakeholders.
 
====5.7.5 Address cybersecurity training methodology, requirements, and status tracking====
While the topic of cybersecurity training could arguably receive its own section, training and communication planning go hand-in-hand. What is training but another form of imparting (communicating) information to others to act upon? And getting the word out about the cybersecurity plan and the culture it wants to promote is just another impetus for providing training to the relevant stakeholders.
 
The training methodology, requirements, and tracking used will largely be shaped by the goals and objectives detailed prior, as well as the budget allotted by management. For example, businesses with ample budget may be able to add new software firewalls and custom firmware updates to their system; however, small businesses with limited resources may get more out of training users on proper cyber hygiene than investing heavily in IT.<ref name="NARUCCyber18" /> Regardless, addressing training in the workplace remains a critical aspect of your cybersecurity plan. As the NRECA notes<ref name="LebanidzeGuide11" />: "Insufficiently trained personnel are often the weakest security link in the organization’s security perimeter and are the target of social engineering attacks. It is therefore crucial to provide adequate security awareness training to all new hires, as well as refresher training to current employees on a yearly basis."
 
You'll find additional guidance on training recommendations and requirements by looking at existing regulations. Various NIST cybersecurity framework publications such as [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf 800-53], [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf 800-171], and the [https://doi.org/10.6028/NIST.CSWP.04162018 NIST Cybersecurity Framework] (PDFs) may also provide insight into training.
 
<div class="nonumtoc">__TOC__</div>
===5.8 Develop a response and continuity plan===
[[File:Micro Data Center.jpg|right|300px]]
====5.8.1 Consider linking a cybersecurity incident response plan and communication tools with a business continuity plan and its communication tools====
In the previous section, we discussed transparently and effectively communicating the details of a cybersecurity incident, as part of a communications plan. As it turns out, those communications also play a role in developing a recovery and continuity plan, which in turn helps limit the effects of a cyber incident. However, some planners end up confusing terminology, using "incident response" in place of either "business continuity" or "disaster recovery." While unfortunate, this gives you an opportunity to address both.
 
A cybersecurity incident response plan is a plan that focuses on the processes and procedures of managing the consequences of a particular cyber attack or other such incident. Traditionally, this plan has been the responsibility of the IT department and less the overall business. On the other hand, a business continuity plan is a plan that focuses on the processes and procedures of managing the consequences of any major disruption to business operations across the entire organization. A disaster recovery plan is one component of the business continuity plan that specifically addresses restoring IT infrastructure and operations after the major disruption. The business continuity plan looks at natural disasters like floods, fires and earthquakes, as well as other events, and it's usually developed with the help of management or senior leadership.<ref name="KrasnowCyber17">{{cite web |url=https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans |title=Cyber-Security Event Recovery Plans |author=Krasnow, M.J. |publisher=International Risk Management Institute, Inc |date=February 2017 |accessdate=10 March 2023}}</ref><ref name="LindrosHowTo17">{{cite web |url=https://www.cio.com/article/288554/best-practices-how-to-create-an-effective-business-continuity-plan.html |title=How to create an effective business continuity plan |author=Lindros, K.; Tittel, E. |work=CIO |publisher=IDG Communications, Inc |date=18 July 2017 |accessdate=10 March 2023}}</ref>
 
All of these plans have utility, but consider linking your cybersecurity incident response plan with your new or existing business continuity plan. You may garner several benefits from doing so. In fact, some experts already view cyber incident response "as part of a larger business continuity plan, which may include other plans and procedures for ensuring minimal impact to business functions."<ref name="KrasnowCyber17" /><ref name="LindrosHowTo17" /><ref name="EwingFourWays17">{{cite web |url=https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/ |title=4 Ways to Integrate Your Cyber Security Incident Response and Business Continuity Plans |author=Ewing, S. |publisher=Delta Risk |date=12 July 2017 |accessdate=10 March 2023}}</ref> Stephanie Ewing of Delta Risk offers four tips in integrating cybersecurity incident recovery with business continuity. First, she suggests using a similar process approach to creating and reviewing your plans, including establishing an organizational hierarchy of the plans for improved understanding of how they work together. Second, Ewing notes that both plans speak in terms of incident classifications, response thresholds, and affected technologies, adding that it would be advantageous to share those linkages for consistency and improved collaboration. Similarly, linking the experience of operations in developing training exercises and drills with the technological expertise of IT creates a logical match in efforts to test both plans. Finally, Ewing examines the tendency of operations teams to use different communications tools and language from IT, creating additional problems. She suggests removing the walls and silos and establishing a common communication between the two planning groups to ensure greater cohesion across the enterprise.<ref name="EwingFourWays17" />
 
For the specifics of what should be contained in your recovery and continuity planning, you may want to turn to reference works such as ''[https://books.google.com/books?id=DXhvDwAAQBAJ&printsec=frontcover Cybersecurity Incident Response]'', as well as existing incident response plans (e.g., [https://web.archive.org/web/20210320130805/https://www.it.miami.edu/_assets/pdf/security/cyber-security-incident-response-guide.pdf University of Miami]) and [https://www.irmi.com/articles/expert-commentary/cyber-security-event-recovery-plans expert advice].
 
====5.8.2 Include a listing of organizational resources and their criticality, a set of formal recovery processes, security and dependency maps, a list of responsible personnel, a (previously mentioned) communication plan, and information sharing criteria====
A lot of this material has already been developed as part of your overall cybersecurity plan, but it is all relevant to developing incident response plans. Having the list of technological components and their defined criticality will help you create the organizational hierarchy of the various aspects of your incident response and business continuity plans. Having the formal recovery processes in place beforehand allows your organization to develop training exercises around them, increasing preparedness. Application dependency mapping allows you to "understand risk, model policy, create mitigation strategies, set up compensating controls, and verify that those policies, strategies, and controls are working as you intend to mitigate risk."<ref name="KirnerTime17">{{cite web |url=https://www.illumio.com/blog/security-evolution-application-mapping |archiveurl=https://web.archive.org/web/20191204160526/https://www.illumio.com/blog/security-evolution-application-mapping |title=You need a map to evolve security |work=Time for a {r}evolution in data center and cloud security |author=Kirner, P.J. |publisher=Illumio |date=09 August 2017 |archivedate=04 December 2019 |accessdate=10 March 2023}}</ref> Knowing who's in charge of what aspect of recovery ensures a more rapid approach. And having a communication and information sharing strategy in place helps to limit rumors and transparently relate what happened, what's being done, and what the future looks like after the cyber incident.
 
<div class="nonumtoc">__TOC__</div>
===5.9 Establish how the overall cybersecurity plan will be implemented===
[[File:Cybersecurity.png|right|300px]]
====5.9.1 Detail the specific steps regarding how all the above will be implemented====
Weeks, months, perhaps even years of planning have led you to this point: how do we go about implementing the details of our cybersecurity plan? It may seem the daunting process, but this is where management expertise comes in handy. A formal project manager should be taking the reigns of the implementation, as that person preferably has experience initializing change processes, evaluating milestones as realistic or flawed, implementing ad hoc revisions to the plan, and finalizing the processes and procedures for reporting and evaluating the implementation.<ref name="NARUCCyber18">{{cite web |url=https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204 |format=PDF |title=Cybersecurity Strategy Development Guide |author=Cadmus Group, LLC |publisher=National Association of Regulatory Utility Commissioners |date=30 October 2018 |accessdate=10 March 2023}}</ref> The manager also has the benefit of being able to ensure the implementation will stay true to the proposed budget and make the necessary adjustments along the way.<ref name="LebanidzeGuide11">{{cite web |url=https://www.cooperative.com/programs-services/bts/documents/guide-cybersecurity-mitigation-plan.pdf |format=PDF |title=Guide to Developing a Cyber Security and Risk Mitigation Plan |author=Lebanidze, E. |publisher=National Rural Electric Cooperative Association, Cooperative Research Network |date=2011 |accessdate=10 March 2023}}</ref>
 
====5.9.2 State the major implementation milestones====
In Martinelli and Milosevic's ''Project Management ToolBox: Tools and Techniques for the Practicing Project Manager'', milestones and milestone charts are discussed as integral project management tools. They define a milestone as "a point in time or event whose importance lies in it being the climax point for many converging activities."<ref name="MarinelliProject16">{{cite book |url=https://books.google.com/books?id=SbA7CwAAQBAJ&pg=PA150 |title=Project Management ToolBox: Tools and Techniques for the Practicing Project Manager |author=Martinelli, R.J.; Milosevic, D.Z. |publisher=John Wiley & Sons |year=2016 |pages=150–54 |isbn=9781118973202}}</ref> They go on to give examples of milestones, including deliverables, project phase transitions, extensive reviews, and external events. Deciding what the key milestones of plan implementation will be up to the project manager, but they'll likely consider traditional milestones or focus on the major synchronization and decision points along the entire process. This includes studying the dependencies in the various implementation steps and anticipating how they will converge, ensuring also that the milestones are adequately spaced and have received team input.<ref name="MarinelliProject16" />
 
====5.9.3 Determine how best to communicate progress on the plan’s implementation====
The project manager will also likely oversee dissemination of communications related to plan implementation. Without a doubt, internal stakeholders will want to be kept aware of the implementation status of the cybersecurity plan. When should IT go live with the improved firewall installation? Are the new password requirements going into effect later than expected? Has the training literature you handed out last week been updated to reflect the critical changes your staff had to make over the weekend? Keeping everyone in the loop will help build trust in the attempt to build cybersecurity culture into the workplace. This also means concise and comprehensible documentation is being made available and is updated as changes in implementation take place. This is all in addition to deciding how to best communicate implementation progress (e.g., reports, emails, meetings, project website).

Latest revision as of 19:53, 22 March 2023

This is sublevel12 of my sandbox, where I play with features and test MediaWiki code. If you wish to leave a comment for me, please see my discussion page instead.

Sandbox begins below

4. Resources for selecting and implementing informatics solutions

The LIMS vendors and consultants lists are directly pulled from LIMSwiki's maintained tabular listings of these types of entities. The professional section addresses trade organizations, conferences, and more. The last section introduces LIMSpec, which will be addressed further in this guide.


4.1 LIMS vendors

NOTE: This listing represents all known active LIMS vendors. For a categorized listing of LIMS vendors who publicly indicate they serve a particular manufacturing-related industry, see the categorization of LIMS vendors by industry.


Vendor Key LIMS offering(s) SaaS
option? 		Headquarters
(Country) 		Key information Additional notes
10BioSystems, LLC LabCentral Yes United States
AAC Infotray AG Limsophy LIMS No Switzerland
ABB Ltd. Knowledge Manager Yes United States Sold CCLAS LIMS to Datamine Software Ltd. in August 2019.[1]
ABI-Health Technologies Pvt. Ltd. ABI LIMS No India LIMS is part of the SmartLabs platform.
ABS Systems, Inc. PHIMS No United States
Adifo NV BESTMIX LIMS No Belgium Former product Laboras now seems defunct.
Advanced Solutions Accelerator SAS 100 lims No France
Advanced Technical Software uniLIME No Austria Former product q/LIME seems no longer supported.
Advanced Technology Corp. VADDS, VETSTAR No United States
Agaram Technologies Pvt. Ltd. Qualis LIMS Yes India Demonstration videos
AgiLab SAS AgiLIMS Yes France
Agile Frameworks, LLC MetaField Yes United States Demonstration videos A field information management system for architecture,
engineering, and construction that contains a full LIMS module
AgileBio LabCollector Yes United States Pricing and demonstration videos
Agilent Technologies, Inc. iLab Operations Software, SLIMS Yes United States Demonstration videos Agilent acquired the iLab core facility management software in 2016.[2]
Agilent acquired Genohm SA in May 2018.[3][4]
AHP GmbH iQ-LIMS No Germany
AINZ Corp. LabFlow Yes United States Pricing and demonstration videos Cannabis-oriented LIMS; former product was PharmWare.
AiZen Algo Pvt. Ltd. LabZen No India
Alcor SPRL CI-Master, LabTec No Belgium
Alpha Technologies US, LP Enterprise No United States
Ambidata Digital Innovation Solutions & Consulting, Lda. LabWay-LIMS No Portugal
American Technical Services, Inc. MOX No United States "Laboratory workflow and [metrology] management system"
with LIMS module
Analytical Information Systems, Ltd. AIS LIMS No United Kingdom
Aquatic Informatics, Inc. AQUARIUS Yes Canada Demonstration videos Not marketed as a LIMS, but software suite has
extensive LIMS functionality.
ASM Soft SL asmLIMS No Spain
Assaynet Inc. Assaynet LIMS No Canada Demonstration videos Previous name for LIMS2010 was LIMS2003.
Asterian, LLC ArgoLIMS Yes United States See the LIS vendor page for QuikLIMS.
Asystance B.V. AlisQI LIMS Yes Netherlands Demonstration videos
ATGC Labs, LLC ActiveLIMS No United States
Aurora Systems, Inc. VisuaLab No United States
Autoscribe Informatics, Inc. Matrix Gemini, Matrix Express Yes United States Pricing and demonstration videos North American distributor/support team was
Zumatrix, Inc. until it was absorbed into new
entity Autoscribe Informatics, Inc.[5]
BARTELT GmbH datalabX No Austria
Bassetti France SAS TEEXMA LIMS No France
Batalyse GmbH Mind No Germany Demonstration videos
Baytek International, Inc. cBLISS Yes United States Product line changed in summer 2017 with introduction of cBLISS.
Beijing Bio-LIMS Soft Co. Ltd. Bio-LIMS No China
Bentley Systems, Inc. KeyLAB No United States Pricing and demonstration videos Acquired Keynetix Ltd. and KeyLAB in 2019.[6]
BGASoft, Inc. LIMS ABC Yes United States
Bika Lab Systems (Pty) Ltd. Bika LIMS Yes South Africa Pricing Also available at SourceForge.net under GPL.
Bio-Analytical Technologies Pvt. Ltd. BioClinical No India
Bio-ITech BV eLABInventory, eLABJournal Yes The Netherlands Pricing and demonstration videos Neither is a true traditional LIMS; Inventory is a sample manager
and Journal is an ELN with the features of Inventory. However, both
have LIMS-like features.
BioData Inc. Labguru Yes United States Demonstration videos Labguru replaced LabLife and BioKM on December 5, 2011.[7]
Became an ELN+LIMS platform in late 2022.
BioFortis, Inc. Labmatrix No United States
BioInfoRx, Inc. mLIMS Yes United States Pricing and demonstration videos Animal colony management LIMS
Biomatters Ltd. Geneious No New Zealand Pricing and demonstration videos
Biomed Systems Ltd. LABA Yes England Pricing and demonstration videos Biotechnology and biobanking LIMS
BioSilicium SASU bs-LIMS No France
Bit Wave Solutions Ltd. Labsols LIMS Yes United Kingdom
Blaze Systems Corporation BlazeLIMS Yes United States Pricing and demonstration videos
Blomesystem GmbH LABbase No Germany readyLIMS appears to have been discontinued in 2019 or 2020.
Bode Cellmark Forensics, Inc. BodeLIMS No United States
Brooks Automation, Inc. FreezerPro, Limfinity Yes United States Pricingand demonstration videos Sample management solutions + LIMS
Broughton Software Ltd. LabHQ Yes United Kingdom Pricing and demonstration videos Was formerly SkySource Ltd.
Bruker Corporation SampleTrack No United States
BTLIMS Technologies BTLIMS, Lab Data Master No United States
Bureau Conseils et Services SCRL AQ Manager LIMS Yes Belgium Pricing and demonstration videos
Bytewize AB O3 LIMS, O3 LIMSXpress Yes Sweden Pricing and demonstration videos
Caliber Technologies Pvt. Ltd. CaliberLIMS Yes India
Cannabliss New England, LLC CannabLIS Yes United States Cannabis LIMS
Capstone Technology Corporation dataPARC No United States
Cerebrum Corporation LABdivus Yes United States
Cargotrader, Inc. Cargotester.com Yes United States
Carobar Business Solutions, LLC reLIMS Yes United States
CC Software, LLC Confident Cannabis LIMS No United States Demonstration videos
CellPort Software, LLC CellPort Cell Culture Suite Yes United States Demonstration videos
Clinical Systems Ltd. ClinAxys II No United Kingdom
CliniSys Group Limited Clinisys WinPath No United Kingdom Part of the Clinisys brand of companies.
Clinisys NV Clinisys GLIMS, GLIMS Genetics, and DaVinci No Belgium Was MIPS NV until September 2022.[8][9]
Part of the Clinisys brand of companies.
CliniSys, Inc. Clinisys ApolloLIMS and SQ Lab No United States Renamed from Sunquest Information Systems, Inc. on May 31, 2022.[10]
Part of the Clinisys brand of companies.
CloudLIMS.com, LLC CloudLIMS, FreeLIMS Yes United States Pricing and demonstration videos
Clyde Computing Ltd. Q-SYS LIMS No United Kingdom
Codon Software Private Limited Codon LIMS No India
Columbia Energy & Environmental Services, Inc. OmniLIMS No United States
CompuDrug International, Inc. Laboratory Manager Plus No United States
Computing Solutions, Inc. LabSoft LIMS No United States
Comsense Datasystems of Australia ComLIMS No Australia
Condition Monitoring International, LLC LabTrak No United States
Contec Group International Ltd. MADCAP Yes New Zealand
Cosine Consultants Ltd. Fission LIMS No Cyprus
CSMS Sp. z o.o. CS-17 LIMS No Poland
Dassault Systèmes SA BIOVIA Lab Management No France Demonstration videos Dassault acquired Accelrys, Inc. on April 29, 2014.[11]
Data Systems Integration Group, Inc. RevolutionDx Yes United States
Data Unlimited International, Inc. Starfruit GeneTell, IdentiTrack, and Toxicology No United States
Datamine Software Ltd. CCLAS EL and CCLAS 6 Yes United Kingdom Demonstration videos
Dataworks Development, Inc. Freezerworks No United States Demonstration videos
Dedalus Healthcare Ltd. Dedalus LIMS Yes United Kingdom Pathology LIMS
Deutsche Telekom Healthcare Solutions Netherlands B.V. LMS, SymPathy Lifecare No Netherlands Acquired Finalist Software Noord Nederland C.V.
and LMS in January 2019.[12][13]
DHC Dr. Herterich & Consultants GmbH SAP QM No Germany
dialog EDV Systementwicklung GmbH diaLIMS No Germany
DiData, Inc. Di-LIMS No Switzerland
DIPOLE SARL DipLABO No France
Diversity Arrays Technology Pty. Ltd. DArT LIMS No Australia Demonstration videos
Dorner GmbH & Co. KG B/Lab, i/med Genetics, i/med Hygiene,
M/Lab, X/Lab 		No Germany
Drishti-Soft Solutions Pvt. Ltd. cLIMS No India
Dynamic Databases, LLC limsExpress Yes United States Demonstration videos
E-BiOnary Technologies Pvt. Ltd. e-BiOnary A, C, M, and D Yes India Demonstration videos
EffiChem s.r.o. EffiChem Yes Czech Republic Demonstration videos
Elysia-raytest GmbH Argus RPS, SARA No Germany Specializes in radiopharmaceutical LIMS.
ElmTree Systems, LLC ElmTree System No United States
Elmwood Solutions, Inc. Pure Harvest Yes United States LIMS-like seed lab software
Enable IT Solutions Pvt. Ltd. Ensō-LIMS No India Demonstration videos
entimo AG PhaLIMS No Germany
EthoSoft, Inc. X-LIMS No United States Pricing
Eusoft Srl EuSoft.Lab Yes Italy Demonstration videos
Fink & Partner GmbH [FP]-LIMS No Germany Demonstration videos Former product was [Dia]
Forney, LP ForneyVault Yes United States Pricing and demonstration videos
Frontier Science & Technology Research Foundation, Inc. LDMS Yes United States Demonstration videos
Future Technologies, Inc. DNA LIMS No United States
Genesis MicroSystems, Inc. LAB-2000 No United States
Genetic Technologies, Inc. eDNA LIMS No United States Pricing
Genetrics, Inc. GEN-LIMS No United Arab Emirates
Genial Genetic Solutions, Ltd. iGene, Shire No United Kingdom
GenoFAB, Inc. GenoFAB Yes United States Pricing Combination LIMS + ELN
Genosity, Inc. Integrated Genomic Toolkit Yes United States Genomics platform with a LIMS
GoInformatics, Inc. GoLIMS Yes United States Demonstration videos
GoMeyra Corporation GoMeyra LIMS Yes United States Demonstration videos
GQM mbH Qualifax LIMS No Germany
GTS Systems Private Limited GLab360, LabExpress Yes Egypt
H&A Scientific, Inc. SLIM No United States Screenshots
Hach Company Hach WIMS Yes United States, Germany Demonstration videos
Harris Systems USA, Inc. Forensic Advantage Yes United States Placed under Harris' Caliber Public Safety division.[14]
HM-Software HM-LAB No Germany
i2D Solution, Inc. i2DS LIMS No United States
iCD System GmbH LABS/Q, LABS/QM No Germany
Illumina, Inc. BaseSpace Clarity LIMS, Illumina LIMS Yes United States Demonstration videos
In-QM-Team Software GmbH WinLaisy No Europe Development taken over from inray Industriesoftware GmbH
in March 2019.[15]
Indusoft OOO I-LDS LIMS No Russia Demonstration videos
Infomed Kouvatsos Theodoros Ltd. Lab@link No Greece
Information Management Services, Inc. BSI, SEER*DMS Yes United States Pricing and demonstration videos
InfoTrak Pty. Ltd. Oil Commander No Australia Previous product name was InfoTrak Oil.
Innovatics Ky InnoLIMS Yes Finland
Instem LSS Limited Provantis Yes United Kingdom
Instrumentos Científicos SA NevisLIMS Yes Spain Demonstration videos
IntaForensics Ltd. Lima Forensic Case Management No United Kingdom Pricing and demonstration videos Personal edition is free, but no other pricing.
Integrated Software Solutions Ltd. OMNI-Lab No Australia Absorbed Point of Care Solutions Pty. Ltd. and v-Lab in 2020.[16]
INTEGRIS LIMS GmbH iLIMS No Germany Pricing and demonstration videos Changed company name from CSS LIMS GmbH in March 2017.[17]
Interactive Software Limited Achiever Medical LIMS Yes United Kingdom
Interactive Technology Services, LLC LIMS IAL Yes United States
Interpec Corporation INQAS, INTRACES No United States
InterSystems Corporation TrakCare Lab No United States Demonstration videos
InVita Healthcare Technologies, Inc. STACS Casework, STACS Database Yes United States Acquired from STaCS DNA Inc. in May 2021.[18]
iVention BV iVentionLES Yes Netherlands Demonstration videos Marketed as a laboratory execution system with LIMS,
ELN, and SDMS functionality
J Street Technology, Inc. J Street LIMS No United States Pricing Formerly MSC-LIMS by Mountain States Consulting, LLC.
Jeganee Technologies Pvt. Ltd. Laboratory-On Yes India
JusticeTrax, Inc. LIMS-plus No United States Pricing
jwConsulting GmbH jwLIMS No Germany
Khemia Software, Inc. Omega 11 LIMS No United States Screenshots
Kriti Microsystems Pvt. Ltd. Kriti LIMS No India
KVANT spol. s r.o. Evidence No Slovakia
L7 Informatics, Inc. L7 ESP No United States Demonstration videos Enterprise science platform/workflow engine w/ a LIMS
LabCloud, Inc. LabCloud Yes United States
Labforward GmbH Labregister Yes Germany Integrates with company's ELN Labfolder
Labii, Inc. Labii ELN & LIMS Yes United States Pricing and demonstration videos Combination ELN + LIMS
LabKey Corporation LabKey Biologics LIMS Yes United States Pricing and demonstration videos
LabLite, LLC LabLite SQL LIMS No United States Pricing
LabLogic Systems Limited Debra, PETra No United Kingdom Demonstration videos
LabLynx, Inc. ELab Yes United States Pricing and Demonstration videos
LabMaster.pl Sp. z o.o. LabMaster LIMS Yes Poland
Labmin (Pty) Ltd. Labmin, Labmin Lite Yes South Africa Demonstration videos
LabPro 2000 Ltd. eQual Yes New Zealand
Labs Division SL OraLims 2000i and 3.0 Yes Spain Demonstration videos
Labsoft Tecnologia Ltda. myLIMS Yes Brazil Demonstration videos Not to be confused with Odysis SA's myLIMS product.
Labstudio (Pty) Ltd. Labstud.io LIMS Yes South Africa Pricing and screenshots
LABTrack, LLC LABTrack LIMS Yes United States EKM Corporation was previously a distributor of LABTrack.
LabVantage Solutions, Inc. LabVantage 8 Yes United States Pricing and demonstration videos Products formerly called SAPPHIRE and SQL*LIMS.
LabWare, Inc. LabWare LIMS, LabWare GROW Yes United States Pricing and demonstration videos
Labworks, LLC Labworks No United States Bought LABWORKS from PerkinElmer Inc. in May 2016.[19]
Lenava Engineering Group Ltd. Lenava LIMS Yes United Kingdom
LETEC SARL Tetraed LIMS No France
Lex Software Solutions Manage! Yes (customer request) Turkey Screenshots
LGC Limited Kraken No United Kingdom
LIMS at work GmbH Labmatica LIMS No Germany
lims+WARE lims+WARE/ASP, /Networks,
/Results, /UNIX 		No United States
Limseo SARL Solution Laboratoire No France
LIMSey, LLC LIMSey No United States
Locasoft SARL LIMS.FR Yes France Demonstration videos Product changed names in 2019 from Lims.net to LIMS.FR.
Logiq Innovations, Inc. LabPlus No Canada LabPlus formerly a product of LabPlus Technologies.
LogicaSoft SPRL Odoo LIMS Yes Belgium A LIMS built on open-source Odoo ERP
LTech Australia Pty. Ltd. Lims1 No Australia
Lyons Information Systems, Inc. LLMS Yes United States
M-Tech International, Inc. CAT2 LIMS No United States
Malvern Panalytical BV SPARCS No Netherlands Previously known as PANalytical BV.
MAQSIMA GmbH MAQSIMA LAB+ No Germany
Mci IT Pty. Ltd. Cloud Solutions Suite Yes South Africa Pricing and demonstration videos
MEDEORA GmbH BioArchive Yes Germany Pricing and demonstration videos Biobanking LIMS
Medpace, Inc. ClinTrak Lab No United States Clinical research LIMS
Megaware, Inc. LIAS No United States
Methodiq, LLC custom LIMS development No United States
Microcline Projects Labosaurus Yes Canada Pricing
ML Consulting Technologies, LLC WeLIMS Yes United States Pricing and demonstration videos Free quality control LIMS for small labs
Modul-Bio SAS MBioLIMS No France
Motto Systems Pvt. Ltd. GMPPro LIMS Yes India Demonstration videos
Mukon Informatics (Pty) Ltd. Skylims No South Africa Formerly Mukon CC. LIS marketed as a LIMS.
Myfab Myfab LIMS No Sweden
National Agribusiness Technology Center USALIMS No United States Pricing
National Cancer Institute caLIMS No United States Pricing
Nexactly AI Solutions Pvt. Ltd. Nexactly LIMS No India
Nexix, Inc. Nexix LIMS Yes Canada Designed for PCR
Nippon Control System Corporation SimpDoc No Japan Discontinued SimpLabo in May or June 2018.
Still offering SimpDoc, per company.
Novatek International NOVA-LIMS No Canada
Oasis Infotech Pvt. Ltd. EnviroLIMS EWM, LIMZ-RD,
OasisLIMS, True-LIMZ CTL 		No India
Ocimum Biosolutions Ltd. Biotracker LIMS Yes India
Odysis SA myLIMS No Switzerland Not to be confused with Labsoft Tecnologia Limitada's myLIMS product.
Online LIMS Canada Limited OnLIMS No Canada
OnQ Software Pty. Ltd. QLIMS Yes Australia
Open-source software solution Bika LIMS N/A N/A See Bika Lab Systems (Pty) Ltd. for more info.
Open-source software solution caLIMS N/A N/A See National Cancer Institute for more info.
Open-source software solution ClinViro N/A N/A More information found on [project page].
Open-source software solution GNomEx N/A N/A More information found on SourceForge.net.
Open-source software solution GNU LIMS N/A N/A More information found on the project page.
Open-source software solution LAMA N/A N/A More information found on the project website.
Open-source software solution Leaf LIMS N/A N/A More information found on the project website.
Open-source software solution MetaLIMS N/A N/A More information found on the project website.
Open-source software solution Open-LIMS N/A N/A More information found on the project website.
Open-source software solution openBIS N/A N/A More information found on the project website.
Open-source software solution OpenELIS N/A N/A More information found on the project website.
Open-source software solution OpenSpecimen N/A N/A More information found on the Krishagni Solutions Pvt. Ltd. page.
Open-source software solution Screensaver HTS LIMS N/A N/A More information found on SourceForge.net.
Open-source software solution SMITH N/A N/A More information found on Bitbucket.
Open.Co Srl ProLab.Q Yes Italy
OPTIMAL SYSTEMS GmbH enaio Laboratory Content Center No Germany
Oracle Corporation Oracle Health Sciences
Clinical Development Analytics 		No United States
Orsyx eL@b No Israel Demonstration videos
Ovation.io, Inc. Ovation LIMS Yes United States Demonstration videos Company and product have undergone many name changes,
with "Ovation" the latest.
Oy Fision Ltd. Broadsight LIMS No Finland
Pardus d.o.o. eQMS::LIMS No Croatia
PDS Group Holding AG Ascentos Yes Switzerland Former products were PathData, ReproData, and ToxData.
pdv-software GmbH pdv-lims 3 No Germany
Persistent Systems Ltd. ChemLMS No India Acquired from Agilent.[20]
Pharmaceuticals Systems International, LLC PSI Yes U.S. Pricing and demonstration videos Cloud-based application suite that includes LIMS
Phylum SARL Phylum.Laboratoire No France
PiControl Solutions, LLC PiLims No United States
Polisystem Informatica Srl Analisi No Italy
Pondpol Group The rapid family of LIMS No Thailand Five LIMS-like solutions covering multiple industries
Porter Lee Corporation Crime Fighter BEAST No United States
Process Solutions Canada Limited LDMS No Canada
Prog4biz Software Solutions Ltd. BookitLab Yes Canada
Progeny Genetics, LLC Progeny Clinical Yes United States Pricing Some pricing available for Clinical.
Promadis Pty. Ltd. Caseman No Australia
Promium, LLC Element LIMS Yes United States Pricing and demonstration videos
PRYM-SOFT Sp. z o.o. CleverLAB, PureLAB Yes Poland
PT Digita Scientia Indonesia OrbitaLIMS No Indonesia
QBench, Inc. QBench Yes United States Demonstration videos Transferred from Junction Concepts, Inc. in August 2022.
(Source: Personal correspondence)
QDA SOLUTIONS GmbH QDA LIMS No Germany
Qualitype GmbH Abetter LIMS No Germany
QUALIMS SARL QUALIMS No France
Quality Systems International Corporation WinLIMS Yes United States
Quartz Imaging Corporation Quartz LA-, FA-, and RE-LIMS No Canada
Raddec International Ltd. Raddec-LIMS No United Kingdom Demonstration videos
Realistic Computing, Inc. eData Specialty LIMS No United States
Reston Stable Isotope Laboratory LIMS for Lasers,
LIMS for Light Stable Isotopes 		No United States Pricing The RSIL is part of the U.S. Geological Survey.
Revol Software Solutions, LLC Revol LIMS Yes United States Pricing and demonstration videos
RHAPSODY Software Solutions GmbH RHAPSODY LIMS No Germany Officially changed name from Softwaresysteme Keeve GmbH in February 2018.[21][22]
RJ Lee Solutions, LLC THEMIS No United States
RockStep Solutions, Inc. Climb Yes United States Demonstration videos
S.G. Systems, LLC V5 Traceability No United States Manufacturing traceability software system with a LIMS module
Sapio Sciences, LLC Sapio Bioanalytical LIMS, Clinical
LIMS, Histopathology LIMS, NGS LIMS,
Research LIMS, and Stability LIMS 		Yes United States Demonstration videos
Satya Sistemas Ltda. Flux2 No Brazil
Scigilian Software, Inc. Scigilian Yes United States
ScienTek Software, Inc. iStability LIMS No United States LIMS designed for pharmaceutical stability testing programs
and stability test management
Semaphore Solutions, Inc. Labbit, custom LIMS development No Canada
Sempai Consulting Ltd. & Co. KG scarabPLUS No Germany A pharmaceutical ERP that fully integrates a LIMS
Shimadzu Corporation LIMSsolution No Japan
Siemens AG Formulated Product Design, SIMATIC IT Unilab No Germany
Sigmen Technologies Solutions Pvt. Ltd. Sigma LIMS No India
Simploud Limited Simplab No Israel Pricing and demonstration videos Salesforce-based LIMS
SLCLAB Informática SL ALFA21, Zendo LIMS Yes Spain Pricing and demonstration videos
Sofcom (Private) Limited Spectrum No Pakistan
Soft Computer Consultants, Inc. SoftLIMS Yes United States
Software for Life Sciences BV LabScores No Netherlands Demonstration videos
Software Point Oy LabVantage Medical Suite,
Enterprise, and Express 		Yes Finland Acquired by LABVANTAGE in April 2011.[23] C5 LIMS was renamed to
"LABVANTAGE Medical Suite" in December 2012.[24] Former products:
TasteBOSS and WilabLIMS
Sorenson Forensics, LLC eDNA LIMS No United States Forensic LIMS
SpecPage AG SpecLIMS No Switzerland Previously known as Object Solutions Software AG.[25][26]
Spectra QEST Australia Pty. Ltd. QESTField, QESTLab No Australia
StackWave, LLC StackWave Affinity LIMS Yes United States
Stanford University School of Medicine MendeLIMS No United States
STARLIMS Corporation STARLIMS Yes United States Pricing and demonstration videos Formerly Abbot Informatics Corporation.
Stelsel Software Technologies Pvt. Ltd. NABL LIMS No India
TechWare Incorporated Logbook Discovery,
TechWare MainTrac 		No United States
Telesphorus Consulting Ltd. gemLIMS Yes United Kingdom
The Edge Software Consultancy Ltd. BioRails LIMS Yes United Kingdom Pricing and demonstration videos
Thermo Fisher Scientific Core LIMS, Nautilus, SampleManager, Watson Yes United States Demonstration videos
Third Wave Analytics, Inc. Lockbox LIMS Yes United States Pricing and demonstration videos
Title21 Health Solutions, Inc. Cellular Therapy Solution No United States Demonstration videos A LIMS with a focus on cellular therapy
Trace First Ltd. CoreOne for Labs Yes Ireland
TraxStar Technologies, Inc. QATrax LIMS No United States Demonstration videos
Tribal Software, Inc. LIMS Lyte, Tribal-LIMS No United States
Triestram & Partner GmbH lisa.lims No Germany
Trilogy Group Limited TAPS No United Kingdom
TRUST Infotech Electronics, LLC TRUST LIMS No United Arab Emirates
TQ Technology Pvt. Ltd. TQLIMS No India
Uncountable, Inc. Uncountable Yes United States Demonstration videos LIMS- and ELN-like platform for chemical R&D
U.S. EPA Scribe No United States Pricing
up to data sales and services GmbH up2Lims No Germany
Valdata Systems USA, Inc. Chemical Management System Yes United States Demonstration videos Suite of modules, including a LIMS, for manufacturing
Veeva Systems, Inc. Vault LIMS Yes United States
Venture Development, LLC GoRev Yes United States Health information system with LIMS/LIS
Verisis A.S. CLIMS No Turkey Forensic LIMS
VertiQ Software, LLC CME-LIMS No United States Forensic LIMS
Vette EDV-Beratung & Entwicklung GmbH TransGraph No Germany Quality management software with a LIMS module
Waters Corporation NuGenesis 8 No United States Pricing and demonstration videos NuGenesis 8 is a data management and workflow package
of applications, including NuGenesis Sample Management.[27]
Wavefront Software, Inc. Wavefront LIMS Yes United States Demonstration videos
WESTcom Logiciels et Services SARL ARES No France
WireWorks West, Inc. FermWorks No United States Formerly operated as Jova Solutions Inc.
Wixon and Cross, LLC LIMFinite Yes United States
Wolfe Information Systems, Inc. Wolfe LIMS No United States Pricing
Xybion Corporation Labwise XD, Pristima XD Yes United States Pricing and demonstration videos Pre-clinical LIMS solutions
Yokogawa Electric Corporation OpreX, CIMVisionLIMS No Japan
Yro Systems Pvt. Ltd. MocDoc LIMS No India
Yullin Technologies Co., Ltd. LabMate Enterprise No South Korea


4.2 Consultants

These consultancies seem to focus primarily on helping others plan, choose, and implement an informatics system for the laboratory, though they may offer other services to laboratories, such as computer system validation (CSV), project management, and workflow development. (The location represents the entity's headquarters.)

Vendor Headquarters Key services Services page
A Byte of Advice, Inc. Fairfield, IL, U.S. "We provide project management, system development, code modification, support and training";
experience with LabVantage and PerkinElmer products 		Services page
A2LA Workplace Training Frederick, MD, U.S. LIMS, quality management systems, regulatory compliance assessments, process and risk management, etc. Services page
ABB Ltd. Zurich, Switzerland Provides an expansive set of services. Services page
Accenture PLC Dublin, Ireland Laboratory informatics, LIMS, LIS, ELN, data analytics, managed services, etc. Services page
AKKA Technologies Group Brussels, Belgium Information technology, engineering, clinical data management, regulatory affairs and compliance, etc. Services page
Astrix, Inc. Red Bank, NJ, U.S. "Astrix’s core competency is to assist organizations in the development and implementation of data
management strategies to enhance the collection, processing, analysis and reporting of scientific data." 		Services page
Avellana Learning Oy Vantaa, Finland LIMS, LIS, and ELN implementation; open-source software implementation; software validation; quality control Services page
BC Solutions, LLC Phoenix, AZ, U.S. LIS implementation, interface testing and validation, project management and consulting,
data conversion/migration 		Services page
BGASoft, Inc. dba LIMS ABC Fort Lauderdale, FL, U.S. Business analysis, lab process improvement, enterprise and cloud architecture, LIMS implementation, etc. Services page
Bika Lab Systems (Pty) Ltd. Western Cape, South Africa LIMS requirement analysis, design, customization, configuration, and testing; training; project management, etc. Services page
Bottom Line Consulting, LLC Endwell, NY, U.S. Labware products, user requirements specifications, vendor selection, project management Services page
Brevitas Consulting, Inc. Sacramento, CA, U.S. Labware products, LIMS implementation; project management; quality assurance, etc. Services page
C4 Database Management, Inc. Port Orchard, WA, U.S. LIS administration, LIS integrity, data integrity, database installation and migration Services page
Chemtech Servicos de Engenharia e Software Ltda. Rio de Janeiro, Brazil Manufacturing execution systems, SCADA, automation, cyber security, etc. Services page
Clarity Compliance Solutions Limited Chepstow, Wales LIMS, system validation, data integrity, process mapping, vendor selection, etc. Services page
Clarkston Consulting Durham, NC, U.S. LIMS, data integrity, process mapping, vendor selection, quality management, project management etc. Services page
Clevr Newstead, QLD, Australia Laboratory process and technology consultations, custom LIMS development Services page
Clinical Lab Consulting, LLC Dublin, OH, U.S. Provides a wide range of services "to all types of clinical laboratories including governmental, academia,
hospital, reference and physician office laboratories." 		Services page
Clinical Laboratory Consultants dba Medical Source Marietta, GA, U.S. "Medical Source offers experience, guidance, and unmatched expertise in the physician office and
independent reference laboratory." 		Services page
Cosine Consultants Ltd. Strovolos, Cyprus Software customization, data management system consulting, Fission LIMS, etc. Services page
CSols, Inc. Newark, DE, U.S. Laboratory informatics strategic services, ELN and LIMS implementation, computer system validation, and
laboratory vendor-specific technologies 		Services page
Digital Lab Consulting Ltd. London, U.K. LIMS, LIS, and ELN implementation; computer system validation; business case development;
requirements definition; project management; vendor selection; etc. 		Services page
e-Science Solutions Ltd Whittington, U.K. Information technology, business case development, requirements definition, vendor selection, etc. Services page
EM2 Solutions, Inc. dba Labtopia Houston, TX, U.S. Laboratory informatics strategic services, LIMS implementation, computer system validation,
quality management systems, training, and staffing 		Services page
EquixTech Madrid, Spain LIMS selection, implementation, and change management; manufacturing execution systems;
automation; industrial internet of things 		Services page
Fructeam SARL Paris, France eLearning tools, clinical trial management systems, LIMS, ELN, SDMS, SAP Services page
HPFM, Inc. Pacifica, CA, U.S. LIMS selection, implementation, and change management; computer system validation; quality
management systems, etc. 		Services page
iConnect Consulting, Inc. San Francisco, CA, U.S. LIMS implementation and validation; computer system validation; HL7 electronic communication, training Services page
IMCOR GmbH Filderstadt, Germany LIMS selection and implementation, computer system validation, business process analysis and optimization Services page
InfoWiz Anyang, Gyeonggi, South Korea LIMS, LES, ELN, SDMS, and quality management system selection and implementation; system integration Services page
Kainos Healthcare Solutions, LLC Richmond, VA, U.S. Laboratory informatics, LIMS, LIS, EHR, EMR, quality control, procurement and implementation,
custom development; they also offer a laboratory quality management solution, eQCo 		Services page
Kalleid, Inc. Cambridge, MA, U.S. "We work across the value chain in R&D, clinical and quality areas to deliver support services for software
implementations in highly complex, multi-site organizations." 		Services page
Lab Insights, LLC Carlsbad, CA, U.S. Laboratory informatics, computer system validation, vendor assessment, HIPAA audits and training,
quality assurance, process improvement, etc. 		Services page
LabMetrics, LLC Ishpeming, MI, U.S. Laboratory informatics, automation, instrumentation, compliance and auditing, quality assurance, etc. Services page
Laboratory Advisory Bureau, LLC McAllen, TX, U.S. Clinical laboratory informatics, LIS, quality assurance, compliance and auditing, workflow management, etc. Services page
Laboratory Systems Consulting Celbridge, Ireland Laboratory and scientific informatics, 21 CFR Part 11, project management, etc. Services page
LIMS4U Bedworth, England Laboratory informatics, LIMS Services page
LIMSCON Vienna, Austria Laboratory informatics, LIMS, ELN, CDMS, document management, training, project management,
computer system validation, etc. 		Services page
LUFC LabConsultants Mierlo, The Netherlands Laboratory informatics, LIMS, ELN, CDMS, SDMS, vendor selection, computer system validation,
workflows, project management, lab management, etc. 		Services page
Nichols Management Group Ltd. York Harbor, ME, U.S. Clinical laboratory informatics, system assessment, implementation, and integration;
project management; workflow management, etc. 		Services page
NNIT A/S Søborg, Denmark Laboratory informatics; system assessment, implementation, and integration;
system validation; project management; workflow management; etc. 		Services page
Nous Labautomation Support Mariaheide, Netherlands Laboratory process, automation, and regulation assistance; project management;
LIMS, ELN, CDS, and document management system implementation 		Services page
NXG Group, Inc. Chennai, India Laboratory informatics, LIMS, testing and validation, system integration management,
business consulting, etc. 		Services page
Orbis Labsystems Ltd. Dublin, Ireland Laboratory informatics, LIMS, quality assurance, system integration management, automation, etc. Services page
OSTHUS GmbH Aachen, Germany Laboratory informatics, LIMS, system integration management, business consulting, etc. Services page
prime4services GmbH Karlsruhe, Germany LIMS, project management, vendor selection, quality management and validation, etc. Services page
PQE Group Florence, Italy Laboratory informatics, LIMS, laboratory instrument management, method validation, project management, etc. Services page
RC Inspection Group Rotterdam, Netherlands Laboratory informatics, LIMS, data analysis, automation, etc. Services page
RevereIT, LLC Sterling, VA, U.S. LIMS, system integration management, system validation, method development and validation,
data migration, vendor selection, etc. 		Services page
Sagit Solutions Ltd. Wan Chai, Hong Kong LIMS, implementation management, cloud management, vendor selection, etc. Services page
Scimcon Limited Newmarket, Suffolk, U.K. Laboratory informatics, LIMS, ELN, CDS, SDMS, instrument management, project management Services page
Semaphore Solutions, Inc. Victoria, B.C., Canada Laboratory informatics, LIMS, BaseSpace Clarity LIMS, workflow development, genomics Services page
Sequence, Inc. Morrisville, NC, U.S. Laboratory informatics, LIMS, ELN, CDS, SDMS, data architecture analysis, data analytics Services page
Shaw Informatics Ltd. Horsham, West Sussex, U.K. Laboratory informatics, LIMS, LES, ELN, process mapping, requirements analysis, project management,
vendor selection, deployment strategy, knowledge management solutions, training 		Services page
Silver Lining Informatics, LLC Brooklyn, NY, U.S. Laboratory informatics, LIMS, LES, ELN, Labware products, STARLIMS products, LabVantage products,
workflow development, reporting, project management, training 		Services page
Solution4Labs Sp. z o.o. Białystok, Poland Laboratory informatics, LIMS, ELN, custom development, Thermo Scientific products,
Agaram Technologies products, etc. 		Services page
SoftNLabs SpA Croix, France Laboratory informatics, LIMS, ELN, LES, SDMS, ERP, CRM, project management, software validation Services page
Techsol Corporation Princeton, NJ, U.S. LIMS, QMS, MES, regulatory affairs, clinical development, software validation, analytics, etc. Services page
Validation Systems, Inc. Palo Alto, CA, U.S. Laboratory informatics, microbiological and chemistry services, quality management systems,
computer system validation, etc. 		Services page
Verista Fishers, IN, U.S. Laboratory informatics, LIMS, ELN, CDS, laboratory compliance assessments, computer system validation,
project management, etc. 		Services page
wega Informatik AG Basel, Switzerland LIMS, data management systems design and implementation, clinical trial management systems,
and electronic data capture for life and chemical sciences 		Services page


4.3 Professional

4.3.1 Trade organizations

4.3.2 Conferences and trade shows

4.4 LIMSpec

LIMSpec.png

LIMSpec is an ever-evolving set of software user requirements specifications for laboratory informatics systems. The specification has grown significantly from its humble origins over a decade ago. Earlier versions of LIMSpec focused on a mix of both regulatory requirements and clients' "wishlist" features for a given system. The wishlist items haven't necessarily been ignored by developers, but they do in fact have to be prioritized by the potential buyer as "nice to have" or "essential to system operation," or something in between.[28][29][30] This latest version is different, focusing strictly on a regulatory-, standards-, and guidance-based approach to building a specification document for laboratory informatics systems.

At its core, LIMSpec is rooted in ASTM E1578-18 Standard Guide for Laboratory Informatics. With the latest version released in 2018, the standard includes an updated Laboratory Informatics Functional Requirements checklist, which "covers functionality common to the various laboratory informatics systems discussed throughout [the] guide as well as requirements recommended as part of [the] guide." It goes on to state that the checklist "is an example of typical requirements that can be used to guide the purchase, upgrade, or development of a laboratory informatics system," though it is certainly "not meant to be exhaustive."

LIMSpec borrows from that requirements checklist and then adds more to it from a wide variety of sources. An attempt has been made to find the most relevant regulations, standards, and guidance that shape how a compliant laboratory informatics system is developed and maintained. However, the LIMSpec should also definitely be considered a continual work in progress, with more to be added as new pertinent regulations, standards, and guidance are discovered.

If you've never worked with a user requirements specification document, the concept remains relatively simple to grasp. Merriam-Webster defines a "specification" as "a detailed precise presentation of something or of a plan or proposal for something."[31] Within this organized "plan or proposal" are requirements. A requirement typically comes in the form of a statement that begins with "the system/user/vendor shall/should ..." and focuses on a provided service, reaction to input, or expected behavior in a given situation. The statement may be abstract (high-level), or it may be specific and detailed to a precise function. The statement may also be of a functional nature, describing functionality or services in detail, or of a non-functional nature, describing the constraints of a given functionality or service and how it's rendered.

An example of a functional software requirement could be "the user shall be able to query either all of the initial set of databases or select a subset from it." This statement describes specific functionality the system should have. On the other hand, a non-functional requirement, for example, may state "the system's query tool shall conform to the ABC 123-2014 standard." The statement describes a constraint placed upon the system's query functionality. Once compiled, a set of requirements can serve not only to strengthen the software requirements specification, but the requirements set can also be used for bidding on a contract or serve as the basis for a specific contract that is being finalized.[32]

The next chapter discusses the user requirements specification, using LIMSpec as an example. You'll learn how to shape such a specification to your laboratory's needs, how to issue the specification as a request for information (RFI), and how to get the most out of it when getting decision-related information from vendors. Additionally, in Appendix 1, you'll find a blank version of LIMSpec for practical use.

References

  1. "Datamine Acquires Intelligent Mining Solutions (IMS)". Datamine Software Ltd. 27 August 2019. http://www.dataminesoftware.com/2019/08/27/datamine-acquires-ims/. Retrieved 28 September 2019. 
  2. "Agilent Technologies Completes Asset Acquisition of iLab Solutions, a Leader in Cloud-Based Laboratory Management Software". Agilent Technologies, Inc. 1 August 2016. http://www.agilent.com/about/newsroom/presrel/2016/01aug-gp16015.html. Retrieved 20 April 2017. 
  3. Barraud, E. (2 May 2018). "US group Agilent enters EPFL Innovation Park by acquiring Genohm". EPFL News. École polytechnique fédérale de Lausanne. https://actu.epfl.ch/news/us-group-agilent-enters-epfl-innovation-park-by-ac/. Retrieved 15 May 2018. 
  4. "Genohm SA closes its sale to Agilent Technologies Ltd". Kellerhals Carrard. 14 May 2018. https://www.kellerhals-carrard.ch/fr/genohm-sa-closes-its-sale-to-agilent-technologies-ltd-_content---1--8--460.html. Retrieved 15 May 2018. 
  5. "Autoscribe launches US operation". American Laboratory. CompareNetworks, Inc. 20 March 2012. http://www.americanlaboratory.com/Specialty/Forensics/617-News/37427-Autoscribe-launches-US-operation/. Retrieved 19 January 2016. 
  6. Bentley Systems, Inc (13 May 2019). "Bentley Systems Announces the Acquisition of Keynetix, Provider of Geotechnical Data Management Cloud Services". PR Newswire. https://www.prnewswire.com/news-releases/bentley-systems-announces-the-acquisition-of-keynetix-provider-of-geotechnical-data-management-cloud-services-300848796.html. Retrieved 25 October 2020. 
  7. "BioData Launches Labguru, a Collaborative Research Management Web Application for Academic Labs". Digital Science. Macmillan Publishers Limited. 5 December 2011. Archived from the original on 10 May 2012. https://web.archive.org/web/20120510070908/http://www.digital-science.com/biodata-launches-labguru/. Retrieved 19 January 2016. 
  8. "MEDICAL INFORMATION PROFESSIONAL SYSTEMS, AFGEKORT : MIPS NV". Moniteur Belge. 9 September 2022. http://www.ejustice.just.fgov.be/cgi_tsv/tsv_rech.pl?language=nl&btw=0428149981&liste=Liste. Retrieved 23 January 2023. 
  9. "Medical Information Professional System - Benaming, Statuten (Vertaling, coordinatie, overige wijzigingen)" (PDF). Moniteur Belge. 7 September 2022. https://www.ejustice.just.fgov.be/tsv_pdf/2022/09/09/22356749.pdf. Retrieved 23 January 2023. 
  10. "Articles of Amendment of Sunquest Information Systems, Inc" (PDF). Commonwealth of Pennsylvania. 31 May 2022. https://ecorp.azcc.gov/CommonHelper/GetFilingDocuments?barcode=22053110494530. Retrieved 23 January 2023. 
  11. "Dassault Systèmes Successfully Completes Acquisition of Accelrys". Dassault Systèmes SA. 29 April 2014. http://www.3ds.com/press-releases/single/dassault-systemes-successfully-completes-acquisition-of-accelrys/. Retrieved 04 September 2014. 
  12. Toet, D. (19 January 2019). "Telekom Healthcare lijft Finalist Noord Nederland in". Computable. https://www.computable.nl/artikel/nieuws/datamanagement/6549711/250449/telekom-healthcare-lijft-finalist-noord-nederland-in.html. Retrieved 17 October 2019. 
  13. "Finalist Noord Nederland B.V. gaat verder onder de naam Deutsche Telekom Healthcare". Finalist Software Noord Nederland C.V. http://www.finalistsoftware.com/?id=57. Retrieved 17 October 2019. 
  14. "Forensic Advantage Systems has moved!". Harris Systems USA, Inc. https://caliberpublicsafety.com/forensic-advantage-redirect/. Retrieved 02 October 2021. 
  15. "Das QM-Team nimmt die Arbeit auf und übernimmt das LIMS WinLaisy". MobileWorld.today. Business.today network GmbH & Co KG. 15 April 2019. http://www.mobileworld.today/das-qm-team-nimmt-die-arbeit-auf-und-uebernimmt-das-lims-winlaisy/. Retrieved 15 April 2019. 
  16. "Point of Care Solutions". Point of Care Solutions Pty. Ltd. Archived from the original on 18 January 2020. https://web.archive.org/web/20200118085822/http://www.pocsolutions.net/. Retrieved 06 November 2020. 
  17. "Umfirmierung der CSS LIMS GmbH". INTEGRIS LIMS GmbH. 2 March 2017. https://www.ilims.de/news/detail/konsequente-strategie-umfirmierung-der-css-lims-gmbh/. Retrieved 18 October 2017. 
  18. Nobile, J. (18 May 2021). "Riverside acquires STACS DNA for InVita platform". Crain's. Archived from the original on 18 May 2021. https://web.archive.org/web/20210518230623/https://www.crainscleveland.com/finance/riverside-acquires-stacs-dna-invita-platform. Retrieved 02 March 2022. 
  19. "LABWORKS LIMS Acquired from PerkinElmer by Labworks LLC – Future Never Looked Brighter". BusinessWire. Business Wire, Inc. 11 May 2016. http://www.businesswire.com/news/home/20160511005343/en/LABWORKS-LIMS-Acquired-PerkinElmer-Labworks-LLC-%E2%80%93. Retrieved 02 June 2016. 
  20. "Persistent system to acquire french software business of Agilent Technologies". The Economic Times. 31 May 2011. http://articles.economictimes.indiatimes.com/2011-05-31/news/29604386_1_persistent-systems-life-sciences-anand-deshpande. Retrieved 10 April 2013. 
  21. "RHAPSODY Software Solutions GmbH, Ibbenbüren". Cylex. S.C Cylex Tehnologia Informatiei International S.N.C. https://web2.cylex.de/firma-home/rhapsody-software-solutions-gmbh-1447434.html. Retrieved 15 January 2019. 
  22. "Softwaresysteme Keeve GmbH". online-handelregister.de. Registeranzeiger GmbH. https://www.online-handelsregister.de/handelsregisterauszug/nw/Steinfurt/S/Softwaresysteme+Keeve+GmbH/1798127. Retrieved 15 January 2019. 
  23. "LABVANTAGE Acquires Long-Time Partner Software Point". LABVANTAGE Solutions, Inc. 5 April 2011. http://www.labvantage.com/newsroom/index.php/2011/04/labvantage-acquires-long-time-partner-software-point/. Retrieved 2 January 2012. 
  24. "Software Point - News". Software Point Oy. 21 December 2012. http://www.softwarepoint.com/news.html. Retrieved 10 April 2013. 
  25. "Object Solutions". SpecPage plc. Archived from the original on 15 August 2015. https://web.archive.org/web/20150815162117/https://www.objectsolutions.eu/. Retrieved 27 July 2016. 
  26. "Press". SpecPage plc. Archived from the original on 10 July 2016. https://web.archive.org/web/20160710173713/https://www.specpage.com/about-us/press/#002845730ff39021e. Retrieved 27 July 2016. 
  27. "NuGenesis 8 Featuring LE Technologies" (PDF). Waters Corporation. http://www.waters.com/webassets/cms/library/docs/720003597en.pdf. Retrieved 20 April 2013. 
  28. Aasem, M.; Ramzan, M.; Jaffar, A. (2010). "Analysis and optimization of software requirements prioritization techniques". Proceedings from the 2010 International Conference on Information and Emerging Technologies: 1–6. doi:10.1109/ICIET.2010.5625687. 
  29. Hirsch, J. (22 November 2013). "10 Steps To Successful Requirements Gathering". Phase2 Technology, LLC. https://www.phase2technology.com/blog/successful-requirements-gathering. Retrieved 07 December 2022. 
  30. Burris, E. (2007). "Requirements Specification". CS451R, University of Missouri–Kansas City. University of Missouri–Kansas City. Archived from the original on 24 July 2019. https://web.archive.org/web/20190724173601/http://sce2.umkc.edu/BIT/burrise/pl/requirements/. Retrieved 07 December 2022. 
  31. "specification". Merriam-Webster. Merriam-Webster, Inc. https://www.merriam-webster.com/dictionary/specification. Retrieved 07 December 2022. 
  32. Memon, A. (Spring 2010). "Software Requirements: Descriptions and specifications of a system" (PDF). University of Maryland. https://www.cs.umd.edu/~atif/Teaching/Spring2010/Slides/3.pdf. Retrieved 07 December 2022. 
Retrieved from "https://test.limswiki.org/index.php?title=User:Shawndouglas/sandbox/sublevel12&oldid=51714"