I was recently asked about how to handle one CIO's concern about security in a cloud environment when evaluating tool solutions. To my mind, the CIO is expressing a potential requirement that should be considered and that may narrow your selection criterion.
Your selection criteria should assist in achieving two outcomes. One is to narrow down the list of providers and their products to a workable number so that you are not spending undue amounts of time evaluating too many vendors. The other is to ensure that the products you have selected to evaluate really do meet 80% of your stated requirements out of the box.
You will need to develop three criteria sets. The first list is a set of criteria of what you would like the tool to do in terms of supporting your documented and defined processes (call these functional requirements). Functional requirements are those things that help you to achieve utility of your processes and services. You will also need a set of criteria in terms of what the tool can do as a tool (call these non-functional requirements). Non-functional requirements are those things that help to deliver on the promise of warranty (in the form of availability, capacity, continuity and security). The third list of selection criteria would be at the technical specification level, and would deal with the inner workings of the source code of the tool, underlying database structures, etc.
You will need to weight each criterion to determine the necessity or importance of that criterion. Not all requirements are created equal. So if your CIO has a concern about cloud technologies, then that needs to become one of your non-functional requirements or selection criteria (in this case an Information Security requirement). Since a CIO is a stakeholder their requirements must be considered when putting together your selection criteria. You will need to weight that against other criteria in terms of how important the criterion is for your organization.
Once you weight each requirement, you then need to evaluate and score each vendor against those lists of criteria. The two vendors with the highest total from the scoring can be brought on site for demos and further evaluation.
--
Originally posted By Professor P. Ross S. Wise @ ITSM Professor
#security #ITIL #computing #securitycloudenvironment #cloud