Pharma Cloud Adoption
… and Qualification Trends
Our Cloud Experience
• Numerous implementations of EDMS systems with external hosting for smaller life science clients
• Development of qualification strategy for tier-1 pharma company for potentially GxP critical solution based on Amazon (SaaS)
• Development of qualification strategy for tier-1 pharma company for MS Office 365 implementation (PaaS)
• Development of qualification strategy for tier-1 pharma company for MS Azure (IaaS)
‘Going Cloud’
A number of challenges need to be addressed by regulated life science companies:
• Which Cloud model do I choose (IaaS, PaaS, SaaS)?
• How do I set forth a validation strategy?
• Can I rely on vendor processes and procedures?
• Has anyone else done it before?
• What do inspectors say?
• Where to get guidance on cloud validation?
• Data Security and Data Privacy
Responsibility
The responsibility does not disappear when you outsource…
“The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some or their entire IT Infrastructure processes to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner”.
GAMP Good Practice Guide: IT Infrastructure Control and Compliance. Appendix 8: Outsourcing
What is Cloud?
NIST – National Institute of Standards and Technology: The NIST Definition of Cloud Computing (2011)
Regulatory Considerations
• Overall regulatory requirements are, in reality, the same as for on-premise IT systems
• We are responsible for everything in the cloud, including the infrastructure
• We need to adopt the vendor’s processes and procedures, and we need to defend these during audits
– Overall Risk Assessments required
– Adoption of vendor documentation required
– Potential gaps need to be filled
QMS and Cloud
How do we adjust the QMS to include Cloud and how do we overcome the challenge of inexperienced inspectors?
• Accept your regulatory responsibility for everything in the cloud and the infrastructure of the cloud
• Align the QMS with the approach for cloud validation, so that the familiar approach for a ‘normal’ validation is linked to the approach for cloud
• The inspector will understand the approach better, since it is directly comparable to on-premise systems
Overall Process
Compliance Approach
Specifications
• Requirement Specification
– Gather requirements according to the standard company process
• Technical Specification
– Describing technical interfaces to the solution, technical requirements etc.
– Describing interfaces (e.g. Active Directory set-up) etc.
– On-premise interfaces
– Encryption Solution
Assessments
• Use a Cloud Navigation Tool for assessing ‘cloud suitability’:
– GxP, 21 CFR Part 11 and business criticality
– Data Classification
– Security
– Risk
– Level of control required?
– Where can data be stored?
– Encryption required?
Service and Deployment
The Service and Deployment Model must be chosen.
Evaluate, based on the assessments, which Service and Deployment Model best fits the requirements and assessments:
– IaaS, PaaS, SaaS?
– Type of Cloud?
Service Provider
The Supplier must be assessed
• Perform an audit of Service Provider in order to assess level of quality and controls
– Capability as software vendor
– Capability as service provider
• If not possible, make an assessment of material provided by the supplier, certifications and 3rd party reports – and take this into account in the risk assessment and qualification strategy.
• SOPs (Standard Operating Procedures) from Service Provider
Contracts and SLAs
• The contract and especially the Service Level Agreement must reflect the requirements for a GxP solution and a sufficient level of control
• Note that some major Service Providers only offer a standard SLA. This may require additional controls.
• All services delivered from the Service Provider must be evaluated against both business and GxP requirements.
• Where it is evaluated that the level of control is insufficient, the customer must either request extra controls from the Service Provider or establish own control mechanisms.
Cloud Control
• Identify relevant controls for the chosen service using a ‘Cloud Control Matrix’
• The matrix lists company requirements for e.g. Change Control.
• These are compared to the service provided and the control objectives, and gaps are identified.
• Gaps are filled with revised SLAs, internal procedures and controls
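The gap analysis behind the Cloud Control Matrix, as an added example that is not part of the presentation or any tool the presenter describes. It models a company's control requirements and the controls a service provider actually delivers, then assigns each gap a remedy of the kind the slides mention (revised SLA, internal procedure, or both) and the party who ends up owning the control. All control IDs, frequencies and the provider's offering are constructed for illustration; the requirement list mirrors the control objectives on the surrounding slides.

```python
"""Cloud Control Matrix gap analysis (added illustration, constructed data)."""
from dataclasses import dataclass

# Cadences ordered from least to most frequent: a control the provider runs
# monthly satisfies a quarterly company requirement, but not the reverse.
FREQ_RANK = {"yearly": 1, "quarterly": 2, "monthly": 3, "weekly": 4, "daily": 5}


@dataclass(frozen=True)
class Requirement:
    control_id: str
    area: str          # Changes, User Access, Security, ...
    objective: str
    frequency: str     # minimum cadence the company requires
    gxp_critical: bool # decides whether a missing control must be run in-house


@dataclass(frozen=True)
class ProviderControl:
    control_id: str
    frequency: str
    evidence: str      # "" when the provider performs it but cannot evidence it


@dataclass(frozen=True)
class MatrixRow:
    control_id: str
    area: str
    status: str        # "covered" or "gap"
    owner: str         # "provider", "customer" or "both"
    reason: str
    remedy: str


def _assess(req, prov):
    """Compare one company requirement with what the provider offers."""
    if prov is None:
        if req.gxp_critical:
            return ("gap", "customer", "control not offered by provider",
                    "establish internal control; list in Qualification Plan")
        return ("gap", "provider", "control not offered by provider",
                "request control in revised SLA; record in risk assessment")
    if FREQ_RANK[prov.frequency] < FREQ_RANK[req.frequency]:
        return ("gap", "both",
                f"provider runs it {prov.frequency}, company requires {req.frequency}",
                "request higher frequency in SLA; customer performs interim reviews")
    if not prov.evidence:
        return ("gap", "provider", "no evidence available for audit",
                "require evidence (report or log extract) in SLA")
    return ("covered", "provider", "", "")


def build_matrix(requirements, provider_controls):
    """One matrix row per company requirement, matched by control ID."""
    offered = {p.control_id: p for p in provider_controls}
    rows = []
    for req in requirements:
        status, owner, reason, remedy = _assess(req, offered.get(req.control_id))
        rows.append(MatrixRow(req.control_id, req.area, status, owner, reason, remedy))
    return rows


def gaps(rows):
    """The rows that need a revised SLA, an internal control, or both."""
    return [r for r in rows if r.status == "gap"]


# Constructed sample data (not from any real SLA or SOC report).
COMPANY_REQUIREMENTS = [
    Requirement("CHG-01", "Changes", "Review of change log", "monthly", True),
    Requirement("CHG-02", "Changes", "Test documentation for releases", "quarterly", True),
    Requirement("UAR-01", "User Access", "User access review", "quarterly", True),
    Requirement("SEC-01", "Security", "Penetration test", "yearly", False),
    Requirement("SEC-02", "Security", "SOC 1 Type 2 report review", "yearly", True),
    Requirement("BCK-01", "Security", "Backup report", "monthly", True),
]

PROVIDER_CONTROLS = [
    ProviderControl("CHG-01", "quarterly", "change log extract"),   # too infrequent
    ProviderControl("SEC-01", "yearly", "pentest summary letter"),
    ProviderControl("SEC-02", "yearly", "SSAE16 SOC 1 Type 2 report"),
    ProviderControl("BCK-01", "monthly", ""),                       # no evidence
]

if __name__ == "__main__":
    for row in build_matrix(COMPANY_REQUIREMENTS, PROVIDER_CONTROLS):
        print(f"{row.control_id:7} {row.status:8} {row.owner:9} {row.reason} -> {row.remedy}")
```

Running the block prints the full matrix; the rows marked `gap` are exactly the items that go into the revised SLA or the Qualification Plan, and the `owner` column is what later populates the customer/service-provider split of the control wheel.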
Infrastructure Controls
Control Objectives
• Changes
– Regular reviews of Change Log
– Monitor changes in production environment
– Follow-up on release plan from supplier
– Test documentation
– Training records
• User Access
– Periodic User Access Review
• Security
– Yearly Penetration testing
– Yearly review of SSAE16 SOC1 Type 2 Audit Report
– Periodic review of Certifications and Accreditations from Service Provider
– Review of Configuration Item List
Annual Control Wheel
(Recurring controls from the wheel diagram, grouped by cadence and by who performs them)
Yearly
Customer
• Periodic Review of Technical Accounts
Service Provider
• Disaster Recovery Test
• Penetration Testing
• SSAE16 SOC 1 Type 2 Audit Report
Monthly
Customer
• Revocation of User Accounts and Shared Accounts
Service Provider
• Back-up Report
• Monthly Update (summary of updates and patches, incidents)
Quarterly
Customer
• Periodic Review of Administrator Accounts
• Periodic review of User Accounts
• Periodic review of Shared Accounts
Service Provider
• Evaluate the security of one site against recognized standards
• Audit one site for adherence to best practice for high performance + performance assessment report
Daily/weekly
Customer
• XX
Service Provider
• YY
First Steps
1. Create a Cloud Governance policy to establish a standardized and effective approach to the selection, integration, ongoing management and subsequent decommissioning of cloud based IT services (System Life Cycle)
2. Establish a Cloud Navigation Tool – is cloud a suitable solution? Which type of cloud? Do the service provider and the service fit?
3. Establish a Cloud Control Matrix with all requirements for controls. Evaluate the services delivered against internal control requirements. Fill in the blanks by updating the SLA, creating internal controls etc.
Extra Material
Cloud Controls
Ensure that all processes are controlled either by the Service Provider, the company or both.
Implementation
Develop a Qualification Plan:
• Identified gaps from the Service assessment are documented in internal procedures and listed in a Qualification Plan
• Summary of Service Provider assessment
• Conclusion on risk assessment
Verification
A Qualification must be executed, including:
• Testing of technical specifications
• Test and verification of requirements
• Checklist for verification of additional controls that are not provided by the Service Provider
• Test and verification of internal company controls