Qualification Guideline for Microsoft Office 365
June 2013
© 2013 Montrium Inc. Page 2 of 74
Document MTM-O365-GDE-01 Revision 01
Disclaimer:
This document is meant as a reference for Life Science companies with regard to the Microsoft O365 platform. Montrium does
not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated
within Office 365 in accordance with this document will be acceptable to regulatory authorities.
This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web
site references, may change without notice.
Limitation of Liability:
In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be
liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages,
whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in
connection with the use of this information.
Authors
Michael Zwetkow VP Operations, Montrium Inc.
Stephanie Tanguay Quality Assurance Manager, Montrium Inc.
Paul Fenton CEO, Montrium Inc.
Gabrielle Soucy Sr. Business Analyst, Montrium Inc.
Foreword
Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts represent a fairly radical departure from normal business. By enabling cloud technologies, which provide an ease of use and ease of implementation, with compliance, which provides the ability to work with information in a regulatory compliant fashion, the implementing party may find the best of both worlds.

This set of guideline whitepapers shows how Microsoft is committed to cloud and compliance, spanning Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a relatively unique combination of technologies and commitment to compliance.

At the end of the day these are qualification guidelines and do not represent any guarantees from Microsoft that your processes can be validated in any of the environments discussed or against any of the regulations or standards discussed. Yet when paired with the documentation referred to herein along with customer evidence, these guidelines offer customers a starting point for their own “compliance in the cloud” efforts, a starting point that may be furthered by the expertise Montrium has demonstrated in producing these guidelines.

Mohamed Ayad, Cloud Solution Specialist
Les Jordan, Chief Technology Strategist
Health & Life Sciences Industry Unit, Microsoft
Executive Summary
The purpose of this document is to assist Microsoft’s life science customers in establishing a
qualification strategy for the Microsoft Office 365 (O365) software service. This guideline identifies the
responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA
21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex
11 Computerised Systems (Annex 11).
The intended audience for this guideline is any regulated customer within the life sciences industry,
aiming to use the O365 platform to run GxP regulated applications. It is assumed that these regulated
applications will support GxP activities and produce and/or manage electronic records.
Traditionally GxP computerized systems have been deployed on specific servers either directly or
through the use of virtual machines. This underlying hardware was usually qualified, managed and
specifically identified as being part of a specific instance of a GxP computerized system. With cloud
computing this paradigm changes slightly. The O365 software solution is composed of many hardware
and software components which all fall under the same controls that have been identified in this
guideline. Each time a new customer instance of O365 is commissioned, it is done using the same
controlled process and standards. When considering public cloud based systems, it is important to view
the whole public cloud as one system upon which we are able to install and run GxP computerized
systems and applications. This guideline will help companies achieve this by providing references to the
21 CFR Part 11 controls that are present within the O365 environment and that should be identified in
customer qualification documentation.
Microsoft’s GFS and O365 platform services have undergone SSAE 16 Service Organization Control (SOC)
audits and are also certified according to ISO/IEC 27001:2005 standards. Although these standards do
not specifically focus on regulatory compliance, their objectives are very similar to those of 21 CFR Part
11 and Annex 11. Montrium has therefore decided to leverage the reports produced by independent
third party SSAE and ISO auditors to identify the procedural and technical controls established at
Microsoft that could be used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was
assumed that these audit reports were generated by qualified third party auditors and that all
information contained within the reviewed audit reports was objective and accurate at the time of the
audits. It is expected that customers will perform an independent analysis and verification of relevant
regulatory requirements to determine if the GxP applications deployed on O365 are fit for their
intended purpose. The customer must also ensure that GxP applications system will be sufficiently
documented and validated to further demonstrate compliance.
GFS delivers the core infrastructure and foundation technologies for Microsoft's Online Services
environment. Microsoft Office 365 (O365) is a subscription-based software service hosted by the Global
Foundation Services (GFS) group within Microsoft managed data centers. The services included as part
of O365 are Microsoft SharePoint Online, Microsoft Exchange Online, Microsoft Lync Online and
Microsoft Forefront Online Protection for Exchange. This guideline focuses on the Microsoft SharePoint
Online service, which is the only O365 service that, when configured appropriately, provides the ability
to manage electronic records in a manner that could satisfy applicable regulatory requirements. The O365
platform is classified as a public, off-premise, third-party managed solution which is offered via the SaaS
cloud service model. From the perspective of a regulated user (customer), O365 is considered
to be Category 4 – Configured Product as defined in GAMP5®. O365 is considered to be an “open
system” per 21 CFR Part 11; therefore additional measures, such as encryption, should be employed to
further secure information stored within or transiting from the system. It should be noted that only
certain O365 plans (those that include the rights management functionality described in Section 2.2) are
able to meet the 21 CFR Part 11 requirements for open systems.
Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of
data stored on O365 and correspond to the applicable regulatory requirements defined in 21 CFR Part
11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is responsible for
ensuring that O365 meets the terms defined within the governing Service Level Agreements (SLA).
In addition to ensuring that computerized systems have the relevant technical controls outlined in the
assessment contained within the guideline, the customer is also responsible for ensuring adequate
procedural controls governing the use of the GxP computerized system are in place. These procedural
controls should cover the technical aspects of system management, including but not limited to logical
security, user management, data backup and disaster recovery. There should also be procedural
controls relating to the operation of the GxP computerized system. The customer should determine the
GxP requirements that apply to the computerized system based on its intended use and follow internal
procedures governing qualification and/or validation processes to demonstrate that the GxP
requirements are met.
In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural
and technical controls that Microsoft has implemented could serve to demonstrate that the O365
platform is being maintained in a state of control that is in accordance with the applicable regulatory
requirements. Moreover, the customer may leverage the audited controls described in this document
and related audit reports as part of the risk analysis and qualification effort of their GxP applications
deployed in the O365 environment.
Table of Contents
Authors
Foreword
Executive Summary
Table of Contents
1 Introduction
1.1 Purpose
1.2 Key Definitions
1.3 Audience and Scope
1.4 Methodology
1.5 Glossary
2 System Overview
2.1 Global Foundation Services
2.2 Microsoft Office 365
2.3 System Classification
2.4 Microsoft Audits and Certifications
2.5 Microsoft Controls
3 Qualification Approach
3.1 Qualification Activities and Responsibilities
3.2 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
4 Conclusion
5 References
6 Appendices
Appendix A. Recommended Procedures / Policies
1 Introduction
1.1 Purpose
The purpose of this document is to assist Microsoft’s life science customers in establishing a
qualification strategy for the Microsoft Office 365 (O365) software service, which is hosted on the
infrastructure provided by the Global Foundation Services (GFS) group within Microsoft. The
guidance provided in this document is based on the assumption that Microsoft’s customers will
utilize the O365 service as a GxP application to perform GxP regulated activities.
This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the
regulations specified within Section 1.3. A summary is provided of the procedural and technical
controls which govern the O365 service and can be leveraged by the regulated user (customer) to
demonstrate compliance with applicable regulatory requirements. Also summarized within this
guideline are recommended activities and controls that should be established by customers in
order to qualify and maintain control over the GxP application configured to run on O365.
The qualification approach outlined within this guideline is based on industry best practices with
an emphasis on the concepts presented and described within ISPE’s GAMP® series of Good
Practice Guides (Ref. [7]) and PIC/S PI 011-3 Good Practices for Computerised Systems in
Regulated ‘GxP’ Environments (Ref. [17]).
1.2 Key Definitions
1.2.1 GxP computerized system
A GxP computerized system is defined as an application configured on the O365 platform that will
support activities and records governed by regulations pertaining to GLP, GCP and GMP
environments.
1.2.2 GxP activity
Any regulated activity performed within the context of GLP, GCP and GMP environments.
1.2.3 Customer
Within the context of this guideline, the customer is defined as any person or persons using a
GxP computerized system hosted on the O365 platform, who are responsible for the content of
the electronic records produced and/or managed within the GxP computerized system.
1.2.4 Customer Data on Storage
As per the Microsoft O365 Privacy Statement (Ref. [19]), “Customer Data is all the data,
including all text, sound, software or image files that you provide, or are provided on your
behalf, to us through your use of the Services.” For example, Customer Data on Storage includes
data that customers upload for storage or processing in the O365 platform, and applications
that the customer or the customer’s end users upload for hosting in the Services. Customer Data on
Storage does not include configuration or technical settings and information. Microsoft does not
monitor or approve the applications that customers configure on O365. Microsoft does not
claim ownership of the Data on Storage. Microsoft’s Online Services Use Rights (Ref. [20]) states:
“you [the customer] retain all right, title and interest in and to customer data. We [Microsoft]
acquire no rights in customer data, other than the rights you grant to us for the applicable
online service. This does not apply to software or services we license you.” Data security beyond
the access control mechanisms provided by the platform, including but not limited to fine-grained
access controls or encryption, is the responsibility of the customer.
1.3 Audience and Scope
The intended audience for this guideline is any regulated customer within the life sciences
industry, aiming to configure the O365 platform for use as a GxP application(s). It is assumed that
the application will support GxP activities and produce and/or manage electronic records. The
specific GxP activities performed within the customer’s O365 environment are not addressed in
this guidance document, as the customer is responsible for defining the requirements and
evaluating the risk associated with each GxP application within the O365 environment.
The regulations within the scope of this qualification guidance document are limited to the
following:
- FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10
and Sec 11.30) (Ref. [5])¹
- EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [8])²
The O365 platform consists of several services as described in Section 2.2; however, Microsoft
SharePoint Online is the only service which could provide the ability to generate or manage
electronic records within the context of GxP regulated activities. Therefore, this guidance will focus
on the functionality of SharePoint Online as it relates to the management of electronic records.
This guideline also covers the underlying infrastructure components provided by the Global
Foundation Services group upon which the O365 service is delivered to Microsoft customers.
¹ 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not
provide electronic signature functionality as part of the above services.
² Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that
the same principles are for the most part applicable to GCP and GLP systems.
1.4 Methodology
Microsoft’s GFS and O365 platform services have undergone SSAE 16 Service Organization Control
(SOC) audits and are also certified according to ISO/IEC 27001:2005 standards (see Section 2.4).
Montrium has leveraged the reports produced by independent third party auditors to identify
procedural and technical controls established at Microsoft which could be used to satisfy
regulatory requirements within US FDA 21 CFR Part 11 (Ref. [5]) and EudraLex Volume 4 - Annex
11 (Ref. [8]). These controls are described in detail in Section 2.5. Montrium based the analysis on
the ISO and SSAE 16 standards as they have similar objectives to 21 CFR Part 11 and EudraLex
Volume 4 - Annex 11 in relation to controls for computerized systems.
The qualification approach summarizes the activities and responsibilities shared between the
regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against
the relevant regulatory requirements. A detailed assessment (see Section 3.2 and 3.3) was
performed on each regulatory requirement to interpret how compliance could be achieved within
the context of a GxP computerized system configured on the O365 platform. The assessment
described the responsibilities of the customer and Microsoft, as well as the activities,
documentation and controls (technical/procedural) that are required to meet the regulatory
requirement.
The contents of this document are based on these assumptions:
- Audit reports listed in Section 2.4 were generated by qualified third party auditors;
- All information contained within the reviewed audit reports was objective and accurate at
the time of the audits;
- Customers will perform an independent analysis and verification of related regulatory
requirements to determine if the O365 platform is fit for its intended purpose;
- The O365 application(s) will be sufficiently documented and validated by the customer to
demonstrate compliance with all applicable regulations;
- The customer will use only out-of-the-box functionality and will not be installing or
developing any customizations or 3rd party applications within the O365 environment.
1.5 Glossary
AICPA: American Institute of Certified Public Accountants
CFR: Code of Federal Regulations
Closed System: An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.³
Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).⁴
Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.⁴
Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user specific application configuration settings.⁴
Computerized System: Includes hardware, software, peripheral devices, personnel, and documentation; e.g., manuals and Standard Operating Procedures.⁵
Customer: O365 user using the software service for GxP regulated activities.
CV: Curriculum Vitae
Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.³
FDA: United States Food and Drug Administration
GAMP: Good Automated Manufacturing Practice
GCP: Good Clinical Practice
GFS: Global Foundation Services
GLP: Good Laboratory Practice
GMP: Good Manufacturing Practice
GxP: Compliance requirements for all good practice disciplines in the regulated pharmaceutical sector supply chain from discovery to post marketing.⁶
IaaS: Infrastructure as a Service
ID: Identifier
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
ISPE: International Society for Pharmaceutical Engineering
IT: Information Technology
NDA: Non-Disclosure Agreement
NIST: National Institute of Standards and Technology
Open System: An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.³
O/S: Operating System
PaaS: Platform as a Service
PIC/S: Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme
Procedure: The term “procedure” within the context of this document refers to any approved and effective controlled document governing specific processes (i.e. Policy, SOP, Standard, Guide, Work Instruction).
SaaS: Software as a Service
SDLC: Software Development Lifecycle
SLA: Service Level Agreement
SMAPI: System Management Application Program Interface
SOC: Service Organization Controls
SOP: Standard Operating Procedure
SSAE: Statement on Standards for Attestation Engagements
SSL: Secure Sockets Layer
STB: Microsoft Server and Tools Business
TLS: Transport Layer Security
TSP: Trust Services Principles
VM: Virtual Machine
VPN: Virtual Private Network
³ FDA 21 CFR Part 11 (Ref. [4]).
⁴ NIST Cloud Computing Standards Roadmap (Ref. [9])
⁵ FDA, Glossary of Computer Systems Software Development Terminology (8/95)
⁶ PIC/S (Ref. [17])
2 System Overview
2.1 Global Foundation Services
Global Foundation Services (GFS) delivers the core infrastructure, foundation technologies and
operational support for Microsoft's Online Services environment, including O365. As described
within the GFS SOC 2 report (Ref. [2]), the GFS operational infrastructure services include the
following:
- Engineering and operations for core infrastructure (networking, directory services, access
services, data retention and backup, hardware and software procurement, physical and
environmental controls)
- Deployment, hosting and data center services
- Service support, monitoring and escalation
- Information security management and compliance monitoring
2.2 Microsoft Office 365
Microsoft Office 365 (O365) is a subscription-based software service hosted by the Global Foundation
Services group within Microsoft managed data centers. As described within the O365 SOC 1
report (Ref. [1]), the O365 hosted service is offered in two ways:
- Microsoft Office 365 – where all customers receive a standard set of features they
subscribe to, hosted on a multi-tenant basis
- Microsoft Office 365 Dedicated (O365-D) – hosts applications and services on a separate,
secured hardware infrastructure dedicated to a single customer
The services included as part of O365 and O365-D are: Microsoft SharePoint Online, Microsoft
Exchange Online, Microsoft Lync Online and Microsoft Forefront Online Protection for Exchange.
This guideline will focus on the Microsoft SharePoint Online service, which is the only O365
service that, when configured appropriately, provides the ability to manage electronic records in a
manner that could satisfy applicable regulatory requirements (see Section 1.3). SharePoint Online
allows users to create and store data as well as documents in lists and libraries, which can be
configured with audit trails and versioning. In addition, user permissions can be configured to
control access to the content stored within the various lists and libraries.
In order to meet regulatory requirements for encryption, the software service must
also provide the ability to encrypt data which is stored within the application. The Active Directory
Rights Management functionality can be configured to encrypt documents stored within
SharePoint. However, this functionality is only available with the SharePoint Online Plan 2 option,
which is included in the following O365 plans:
- Office 365 Enterprise E3
- Office 365 Education A3
- Office 365 Government G3
- Office 365 Enterprise E4
- Office 365 Education A4
- Office 365 Government G4
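The SharePoint Online controls described in this section (versioning, audit trail, list-level permissions and rights-management encryption) can be applied and then read back from an administrator's console, which is the form of objective evidence a qualification protocol records. The script below is an added example and is not part of the Montrium guideline or of any Microsoft documentation; it uses the PnP.PowerShell module, which postdates this 2013 document, and the site URL, library name and SharePoint group names in it are assumptions. The last step compares the live settings with the expected state and throws if any control is not in place.

```powershell
# Added example, not from the guideline. Applies and verifies the controls discussed above
# on one SharePoint Online document library using PnP.PowerShell (Install-Module PnP.PowerShell).
# Assumptions: the URL, library and group names are placeholders; the account used is a site
# collection administrator; the tenant is licensed for Information Rights Management.

$SiteUrl = "https://contoso.sharepoint.com/sites/gxp-records"   # assumed
$Library = "Batch Records"                                        # assumed
$Readers = "GxP Records Readers"                                  # assumed SharePoint group
$Editors = "GxP Records Contributors"                             # assumed SharePoint group

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Versioning: every edit produces a retained major version, and forced check-out means a
#    record is edited by one identified user at a time, with each change an explicit check-in.
Set-PnPList -Identity $Library -EnableVersioning $true -EnableMinorVersions $false `
    -MajorVersions 500 -ForceCheckout $true

# 2. Audit trail: enable site collection auditing for all event types (view, update, delete,
#    check-in/out, security and schema changes). Retention of the log is a customer procedure.
Set-PnPAuditing -EnableAll

# 3. Logical security: stop inheriting permissions from the site, clear any item-level
#    scopes, and grant only the two groups named in the customer's access procedure.
Set-PnPList -Identity $Library -BreakRoleInheritance -ClearSubscopes
Set-PnPListPermission -Identity $Library -Group $Readers -AddRole "Read"
Set-PnPListPermission -Identity $Library -Group $Editors -AddRole "Contribute"

# 4. Open-system measure (21 CFR 11.30): IRM encrypts each document on download so the file
#    stays readable only by users the policy authorises; printing is disabled here.
Set-PnPListInformationRightsManagement -List $Library -Enable $true `
    -PolicyTitle "GxP electronic records" `
    -PolicyDescription "Encrypted on download; access limited to library permissions" `
    -AllowPrint $false

# 5. Verification (the IQ/OQ evidence step): read the settings back and fail loudly if any
#    control is not in the expected state, rather than trusting that the calls above succeeded.
$list = Get-PnPList -Identity $Library -Includes EnableVersioning, EnableMinorVersions, `
    MajorVersionLimit, ForceCheckout, HasUniqueRoleAssignments, IrmEnabled

$expected = [ordered]@{
    EnableVersioning         = $true
    EnableMinorVersions      = $false
    MajorVersionLimit        = 500
    ForceCheckout            = $true
    HasUniqueRoleAssignments = $true
    IrmEnabled               = $true
}
$failures = foreach ($name in $expected.Keys) {
    if ($list.$name -ne $expected[$name]) {
        "$name is '$($list.$name)', expected '$($expected[$name])'"
    }
}
if ($failures) { throw "Control verification failed:`n$($failures -join "`n")" }
"All controls verified on '$Library' at $SiteUrl"
```

Run the script once per library that holds GxP records and keep its output with the qualification record; rerunning only step 5 on a schedule gives a cheap periodic check that nobody has re-enabled permission inheritance or switched versioning off.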
2.3 System Classification
2.3.1 Cloud Service Model
The O365 platform is classified as a public, off-premise, third-party managed solution which is
offered via the SaaS cloud service model (see NIST definition in Section 1.5). The following
diagram depicts the various components of the software service which are managed by
Microsoft as part of the SaaS service model.
Figure 1 – SaaS Cloud Service Model (based on Ref. [18])
2.3.2 GAMP5® Category
From the perspective of a regulated user (customer), O365 is considered to be
Category 4 – Configured Product as defined in GAMP5® (Ref. [6]). A configured product refers to
a commercially available software product which is configured to meet a specific business
requirement.
2.3.3 FDA Classification
While Microsoft is not directly responsible for the electronic records contained within the O365
platform, it is responsible for maintaining the O365 platform. In addition, Microsoft configures
the O365 platform and establishes access control requirements for logical and physical security.
The O365 platform is therefore considered to be “open” (refer to definition in Section 1.5). The
FDA requires open systems to meet additional requirements, such as encryption, as defined in
21 CFR Part 11.30 (Ref. [5]).
2.4 Microsoft Audits and Certifications
The following table lists the formal audit reports prepared by third parties which were reviewed
by Montrium in order to identify relevant controls which have a potential impact on compliance
with the 21 CFR Part 11 (Ref. [5]) and Annex 11 (Ref. [8]) regulations. Existing Microsoft customers
may request access to these reports subject to NDA terms and conditions, through their
respective Microsoft account representatives.
Audited Service: GFS; Audit Type: SOC 2 Type II; Date: April 18, 2012; Reference: Ref. [2]
Audited Service: Office 365; Audit Type: SOC 1 Type II; Date: June 14, 2012; Reference: Ref. [1]
Audited Service: Office 365; Audit Type: ISO/IEC 27001:2005; Date: November 16, 2012; Reference: Ref. [3]
2.4.1 ISO/IEC 27001:2005 Certification
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a documented information security
management system within the context of the organization's overall business risks. It specifies
requirements for the implementation of security controls customized to the needs of individual
organizations or parts thereof.
ISO/IEC 27001:2005 certificates for O365 and Global Foundation Services are available from
Microsoft:
- Microsoft Office 365 ISO/IEC 27001:2005 certificate
- GFS ISO/IEC 27001:2005 certificate
2.4.2 SOC Service Audit Reports
Service Organization Controls reports are designed by the American Institute of Certified Public
Accountants (AICPA) to help service organizations that operate information systems and provide
information system services to other entities, build trust and confidence in their service delivery
processes and controls through a report by an independent Certified Public Accountant.
SOC 1 Service Audit Reports are conducted in accordance with the professional standard known
as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are geared
towards reporting on controls at service organizations that are relevant to Internal Control over
Financial Reporting, and replace the SAS 70 auditing standard.
The O365 services group has been audited by independent third party auditors to generate a
SOC 1 Service Auditor’s report which examined the following control areas:
- Logical Access
- Change Management
- Backup and Restoration
- Monitoring and Incident Management
- Software Development Lifecycle (SDLC)
- Network Services
SOC 2 Service Auditor’s Reports are also conducted in accordance with the professional
standard of SSAE 16. SOC2 reports are intended to meet the needs of a broad range of users
that need to understand internal control at a service organization as it relates to security,
availability, processing integrity, confidentiality and privacy and are intended for use by
stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service
organization that have a thorough understanding of the service organization and its internal
controls.
The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles
(TSP) which are composed of the following five (5) sections:
• The security of a service organization's system
• The availability of a service organization's system
• The processing integrity of a service organization's system
• The confidentiality of the information that the service organization's system processes
or maintains for user entities
• The privacy of personal information that the service organization collects, uses, retains,
discloses, and disposes of for user entities
The GFS services group has undergone a SOC 2 audit to examine the suitability of the design
and operating effectiveness of controls to meet the criteria for the security principle set forth in
TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing
Integrity, Confidentiality, and Privacy (Ref. [11]).
2.5 Microsoft Controls
This section describes the audited controls implemented by Microsoft which serve to assure
confidentiality, integrity and availability of data stored on the O365 platform. These controls are
also referenced within the compliance assessment sections (see Sections 3.2 and 3.3), where they
respond to applicable regulatory requirements.
2.5.1 Security Policies and Procedures
Microsoft has implemented a Security Policy which applies to Microsoft O365. The Security
Organization control objective within the SOC 1 audit reported that the information security
policies are implemented and communicated to the applicable employees.
The GFS SOC 2 audit reported that the security policies are established, periodically reviewed
and approved by a designated individual or group.
The O365 ISO/IEC 27001:2005 audit reported that an approved information security policy has
been published and communicated to all employees and relevant external parties.
2.5.2 Physical and Environmental Security
As part of the GFS SOC 2 audit, Microsoft has been audited to verify that proper physical security
controls are established to protect the physical assets forming the foundation of the O365
platform.
The GFS SOC 2 audit reported that the GFS services group has implemented procedures to
restrict physical access to the infrastructure elements including, but not limited to:
• Facilities
• Backup media
• Firewalls
• Routers
• Servers
The GFS ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking
and monitoring physical infrastructures and services, as well as a documented methodology for
determining the asset security level.
2.5.3 Logical Security
The O365 SOC 1 audit reported that Microsoft has implemented logical security controls to
provide reasonable assurance that logical access to the O365 production infrastructure and
systems is restricted to authorized personnel. User Account Management is performed using
Active Directory which centralizes the authentication and authorization to the O365
environment. Policies and standards have been implemented to enforce appropriate user
account password expiration, length, complexity and history.
The GFS SOC 2 audit reported that the GFS services group has implemented procedures to
restrict logical access to the system including, but not limited to, the following measures:
a. Logical access security measures to restrict access to information resources not deemed
to be public
b. Identification and authentication of users
c. Registration and authorization of new users
d. The process to make changes and updates to user profiles
e. Distribution of output restricted to authorized users
f. Restriction of access to offline storage, backup data, systems and media
g. Restriction of access to system configurations, super-user functionality, master
passwords, power utilities and security devices (for example, firewalls)
The O365 ISO/IEC 27001:2005 audit reported that the logical access to the system is restricted
to authorized personnel in accordance with an enforced access control policy.
2.5.4 System Monitoring and Maintenance
The O365 SOC 1 audit reported that proper controls are established to provide reasonable
assurance that the O365 platform is monitored to detect and remediate any security
vulnerabilities.
The following activities/controls were audited in relation to system monitoring and
maintenance:
• Vulnerability and Patch Management
• Security Incident Management
The GFS SOC 2 audit reported that proper controls are established to monitor the GFS
infrastructure components and proper actions are taken to maintain compliance with its
defined system security policies. Automated tools are used to monitor the security controls on a
regular basis. The GFS group monitors, logs, reports and takes appropriate action to resolve
events involving critical/suspicious activities.
2.5.5 Data Backup, Recovery and Retention
The O365 SOC 1 audit reported that O365 utilizes secure backup system infrastructure delivered
by the Global Foundation Services Data Protection Services.
The GFS SOC 2 audit reported that the GFS Data Protection Services group provides secure
backup retention and restoration of data in the Microsoft Online Services environment. The
audit also reported that the recovery and backup process is tested on an annual basis.
2.5.6 Confidentiality
The following excerpt from the publicly available Office 365 Standard Response to Request for
Information - Security and Privacy (Ref. [13]) describes the technical controls which help to
ensure confidentiality of data as it is transmitted between the customer and the O365 platform:
“Customer access to services provided over the Internet originates from users’ Internet-enabled
locations and ends at a Microsoft data center. These connections established between
customers and Microsoft data centers are encrypted using industry-standard Transport Layer
Security (TLS) /Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly
secure browser-to-server connection to help provide data confidentiality and integrity between
the desktop and the data center. Filtering routers at the edge of the Office 365 services network
provides security at the packet level for preventing unauthorized connections to Office 365
Services.”
The GFS SOC 2 audit reported that encryption or other equivalent security techniques are used
to protect user authentication information and the corresponding session transmitted over the
internet or other public networks.
2.5.7 Software Development / Change Management
The O365 SOC 1 audit reported that a formal SDLC process is defined which governs the
development of new features or major changes to the O365 platform with the goal of
minimizing processing errors and security vulnerabilities within the environment. The SDLC
process encompasses the following phases:
• Requirements gathering
• Design
• Implementation
• Verification
• Release
Key stakeholders are required to provide approval of the tested code prior to deployment of
newly developed or changed code into the production environment.
The O365 SOC 1 audit also reported that a formal change control process has been established
to provide reasonable assurance that changes to the production environment are made in a
controlled manner. Ticketing systems are used to track changes which contain documented
details including appropriate authorizations and approvals.
The GFS SOC 2 audit of the GFS services verified that adequate IT change management controls
are established for the following topics:
• Service Infrastructure and Support Systems Change Management
• Secure Configuration – Imaging
• Network Change Management
• Network Patch Management
The O365 ISO/IEC 27001:2005 audit reported that a procedural document covering change
management is in place which covers security impact analysis, change control and component
inventory management.
2.5.8 Incident Management
The O365 SOC 1 audit reported that adequate processes are established governing how
incidents within the production environment are documented and resolved in a timely manner.
The processes are part of an incident management framework that includes defined process
roles, responsibilities, and communications for managing the detection, escalation and response
to incidents.
The GFS SOC 2 audit reported that procedures exist to identify, report, and act upon system
security breaches and other incidents. The Security Incident Management team ensures the
Security Response procedures are tested annually.
The O365 ISO/IEC 27001:2005 audit reported that mechanisms are in place for logging and
monitoring security incidents in O365. Any security events are reported in a timely manner
through the appropriate management channels.
2.5.9 Service Level Agreements
Microsoft provides Service Level Agreements (SLA) related to the O365 and O365-D Dedicated
application service, which are available for download from the Microsoft website.
2.5.10 Risk Assessment
The O365 SOC 1 audit reported that as part of the SDLC process Microsoft has implemented a
comprehensive threat modeling process to identify potential security and privacy issues.
Detailed risk assessments covering both security and privacy are performed with the objective
of remediating any issues detected.
The GFS SOC 2 audit reported that risk assessments are performed within the context of
network device change management to evaluate potential risks associated with the change.
2.5.11 Documentation / Asset Management
The procedure governing software development was audited against a control objective which
stipulates that the development of new features or major changes must be documented. In
addition, Microsoft has confirmed to Montrium that a Document and Records Management
procedure governing protection and retention of documentation is in force. Microsoft has also
indicated to Montrium that the baseline configuration of O365 components is documented,
managed, maintained and protected by access control mechanisms. Additionally, this
configuration is performed according to the Asset Management guidelines.
2.5.12 Training Management
The O365 SOC 1 audit reported that all Microsoft employees receive mandatory training on the
Microsoft Standards of Business Conduct on an annual basis. Microsoft O365 staff and
contingent staff are accountable for understanding and adhering to the Microsoft Online
Services Security Policy.
The GFS SOC 2 audit reported that security policies concerning information security and business
conduct were implemented. Training is mandatory for all employees on these policies.
Procedures and standards cover policy training and training requirements. Training is
documented and compliance with training requirements is monitored.
The O365 ISO/IEC 27001:2005 audit reported that Microsoft has a formal security and
awareness training program which includes security responsibilities, asset ownership, and
classification.
2.5.13 Disaster Recovery
The GFS SOC 2 audit reported that processes for backing up critical components and data, customer
data and credentials are defined and tested on an annual basis. Backup frequency and retention
period are based on the type of data. Data centers used for backup are in a different geographical
location than the primary data center.
The O365 ISO/IEC 27001:2005 audit reported that Microsoft has a formal business continuity
process that describes the information security requirements.
2.5.14 Vendor Management
The O365 SOC 1 audit reported that third party vendors have specific statements of work with
service level agreements that are monitored for compliance and adherence. The Microsoft
Online Services Delivery Platform group works with vendor companies to perform background
checks on individuals before they are granted access to the production environment.
3 Qualification Approach
Qualification is defined as “a process of demonstrating the ability of an entity to fulfill specified
requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components
such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms
regardless of whether they are specific or of a generic nature.”7 According to industry best practices as
proposed within the GAMP Good Practice Guide: IT Infrastructure Control and Compliance7, in order for
an IT infrastructure platform to be considered qualified and compliant, the following critical aspects
need to be considered:
• Installation and operational qualification of infrastructure components
• Configuration management and change control of infrastructure components
• Management of risks to IT Infrastructure
• Involvement of service providers in critical infrastructure processes
• Security management in relation to access controls, availability of services and data integrity
• Data Backup, Restore, Disaster Recovery, Archiving
In the context of a public SaaS cloud service model, the customer does not have control over the
underlying infrastructure hardware and software components, nor over the application itself. The cloud
service provider is responsible for managing and maintaining these components and ensuring that they
meet the terms defined within the governing Service Level Agreement(s). Microsoft has implemented
controls (see Section 2.5) which encompass these critical aspects of IT infrastructure compliance.
Figure 2 – Qualification of Infrastructure vs. Validation of Applications
[Figure 2 shows a layered stack: Applications at the top, subject to Validation; Infrastructure Software & Tools, Network Components, Infrastructure Hardware and Data Center Facilities beneath, subject to Qualification.]
Validation consists of demonstrating, with objective evidence, that a system meets the requirements of
the users and their processes and is compliant with applicable GxP regulations. In order to remain in a
validated state, appropriate operational controls must be implemented throughout the life of the
system. As such, validation is performed by the regulated users (customer) of the GxP computerized
systems that reside on the O365 platform. The following diagram depicts the typical deliverables and
activities required in order to implement and validate a system and maintain its validated state during
operation.
7 ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])
Figure 3 – Typical Validation Activities/Deliverables
[Figure 3 lists the following activities and deliverables, grouped into an Implementation phase and an Operation phase: Validation Plan and Reporting; User Requirement and Acceptance Testing; Installation Qualification; Incident Management; Operational Change Control; Periodic Review.]
Additional information for GxP computerized system validation can be found within the following
guidance documents:
• PIC / S - Good Practices for Computerised Systems in Regulated “GxP” Environments (Ref. [17])
• GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems (Ref. [6])
3.1 Qualification Activities and Responsibilities
By utilizing the O365 platform, the customer is effectively outsourcing the management and
operations of their IT infrastructure and of the application development to Microsoft. However, it
is important to note that, “the regulated company remains responsible for the regulatory
compliance of their IT operations regardless of whether they choose to outsource/offshore some
or all of their IT Infrastructure processes to external service provider(s). Compliance oversight and
approvals cannot be delegated to the outsource partner.”8
8 ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])
A summary of the Customer’s and Microsoft’s responsibilities, as they relate to the qualification
and validation activities is provided below. A detailed description of each party’s responsibilities,
as they relate to the applicable regulatory requirements, is provided in Section 3.2 (21 CFR Part
11) and Section 3.3 (Annex 11).
3.1.1 Summary of Microsoft Responsibilities
Microsoft is responsible for ensuring that O365 meets the terms defined within the governing
Service Level Agreements (see Section 2.5.9). When new customer environments are deployed
within the O365 platform, they are created using the default configuration established by
Microsoft. Microsoft is responsible for ensuring the system is capable of meeting the
specifications and the terms of the SLA(s).
The O365 platform must be managed in a controlled and secured manner, so as to provide the
following key elements in relation to customer data:
• Confidentiality - ensuring that information is accessible only to those authorized to have
access
• Integrity - safeguarding the accuracy and completeness of information and processing
methods
• Availability - ensuring that authorized users have access to information and associated
assets when required
The controls identified in Section 2.5 are implemented, managed and maintained by Microsoft
to ensure that the above key requirements can be met.
3.1.2 Summary of Customer Responsibilities
The customer is responsible for performing the following activities for each GxP computerized
system requiring qualification and validation within the O365 platform:
1) Develop or identify procedural controls governing the use of the GxP computerized
system. These procedural controls should cover the topics as described in Appendix A,
as well as any other controlled processes which are impacted by the GxP computerized
system including the following:
a. Use of Live IDs and passwords
b. Account access to the O365 platform
c. Compliance management with applicable laws and regulations
d. Customer data encryption requirements
e. O365 SMAPI access certificates acquisition
f. Data access mechanism (public or signed access) for data contained within the O365 platform
g. SharePoint environment configuration
h. Data backup upon O365 subscription termination
i. Protection of account-related secrecy
j. Security Development Lifecycle for applications developed on O365
k. Quality assurance of applications before moving to O365 Production
l. Security monitoring for applications developed on O365
m. Public O365 security and patch updates review
n. Patch application when not subscribed to auto-upgrade
o. Incident and alert reporting to Microsoft when those are specific to customer systems and O365
p. Incident response support with the O365 team
2) Determine the GxP requirements that apply to the O365 platform based on its intended use.
3) Follow internal procedures governing Qualification and/or Validation processes; expected
deliverables include, but are not limited to:
a. Qualification / Validation plan describing the activities, responsibilities and
deliverables to be produced for GxP computerized system configured on the
O365 platform
b. Specification documentation describing the GxP computerized system’s
requirements, functionality and intended use
c. Risk Assessments covering both the decision to configure the GxP computerized
system within the O365 platform, and a functional risk assessment of the GxP
computerized system. The assessments should include mitigation actions
required to address identified risks
d. Verification documentation providing evidence that the GxP computerized
system meets its intended use as defined within relevant specification
documents
4) Maintain and operate the GxP computerized system in a secure and controlled manner
according to internally developed procedures as defined in point 1) above.
3.2 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
The following table outlines the assessment that was performed on each regulatory requirement
of US FDA 21 CFR Part 11 that was identified as in scope in Section 1.2 of this document. The
primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
In conjunction with the responsibilities identified in Section 3.1, we further identify which controls
fall within the responsibility of Microsoft versus the controls that are considered the responsibility
of the customer when using the O365 platform for regulated GxP computerized systems.
Sec. 11.10 Controls for closed systems.
Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:
11.10 (a)
11.10 (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
Customer – Regulated User
The customer is responsible for ensuring any GxP computerized system used to produce and/or manage
electronic records is validated according to an approved and effective procedure. This procedure should
ensure that the validation verifies accuracy, reliability, consistent intended performance, and the ability to
discern invalid or altered records. Additional details regarding the qualification / validation activities are
provided in Section 3.1.2.
Description of activities, documentation and controls:
• Perform computer system validation activities for GxP computerized systems as defined within the governing computer system validation procedure to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;
• Document the qualification/validation activities performed prior to and during the configuration of the GxP computerized systems configured on the O365 platform;
• Establish appropriate system performance monitoring to ensure consistent availability and performance of the GxP computerized system.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of the GxP computerized systems configured within the O365 platform. Microsoft is responsible for ensuring the O365 platform performs consistently and reliably by implementing adequate controls over the development, deployment and testing of the software applications which make up the O365 platform.
Microsoft meets these requirements through the following controls:
• System Monitoring and Maintenance (see Section 2.5.4)
• Software Development / Change Management (see Section 2.5.7)
11.10 (b)
11.10 (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Customer – Regulated User
The customer is responsible for implementing adequate controls to secure the GxP computerized systems
which contain electronic records and provide appropriate system monitoring. These controls should
ensure that the electronic records which are stored within the GxP computerized systems configured on
the O365 platform are protected to prevent corruption or loss of information. The customer is also
responsible for ensuring that GxP computerized systems configured on the O365 platform are capable of
generating accurate and complete copies of records in both human readable and electronic form suitable
for inspection, review, and copying by the agency.
Description of activities, documentation and controls:
• Establish Procedure(s) to govern the protection of records to ensure accurate and complete copies are readily available including:
o Documentation Management – to define who is responsible for managing documentation within the organization;
o Records Retention and Archiving – to ensure adequate record retention policies and archive management processes are in place;
o Backup and Restoration – to ensure proper protection of records through backup mechanisms with regular restoration tests;
o Disaster Recovery – to ensure that electronic records can be retrieved properly in the event of a disaster and that this retrieval is tested periodically;
o System Monitoring – to ensure consistent availability and performance of the GxP computerized system;
• Verify accurate and complete copies of electronic records can be retrieved from the GxP computerized systems configured on the O365 platform;
• Verify that data transfer from GxP computerized systems which store electronic records on the O365 platform does not impact data integrity;
• Ensure that record retention procedures establish long term archiving controls so that electronic records can be retrieved throughout the required retention period from the O365 platform (or until they are moved to another long term archiving environment outside of the O365 platform).
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:
• Security Policies and Procedures (see Section 2.5.1)
• Physical Security (see Section 2.5.2)
• Logical Security (see Section 2.5.3)
• System Monitoring and Maintenance (see Section 2.5.4)
11.10 (c)
11.10 (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.
Customer – Regulated User
The customer is responsible for ensuring that appropriate controls are established to protect records
pertaining to GxP activities performed within GxP computerized systems which are configured on the O365
platform and to ensure the records are readily available throughout their retention period.
O365 SharePoint Online provides the ability to declare content as records and, through configuration,
apply the necessary controls such as audit trail, security and record retention policies to meet the technical
requirements of 21 CFR Part 11 and other relevant regulations (see Section 2.2 for more information).
Description of activities, documentation and controls:
• Establish procedure(s) that govern the following topics:
o Logical security – describing the security controls which are required in order to prevent unauthorized access to the application;
o Records Retention and Archiving – to ensure adequate record retention policies and archive management processes are in place;
o Backup and Restoration – to ensure proper protection of records through backup mechanisms with regular restoration tests;
o System Monitoring – to ensure consistent availability and performance of the GxP computerized system;
• Establish and test data repatriation plans for the case of contract termination with Microsoft for Office 365 services;
• Verify that the O365 SharePoint Online records management functionality is properly configured to meet 21 CFR Part 11 and other applicable regulatory record retention requirements.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the O365 platform and to provide
appropriate system backup and data retention policies. Data backup and retention policies/procedures are
defined and maintained in accordance with regulatory, statutory, contractual or business requirements.
These controls help to satisfy the above regulatory requirement, such that Microsoft backs up O365
infrastructure data regularly and validates restoration of data periodically for disaster recovery purposes.
Microsoft meets these requirements through the following controls:
• Security Policies and Procedures (see Section 2.5.1)
• Physical Security (see Section 2.5.2)
• Logical Security (see Section 2.5.3)
• System Monitoring and Maintenance (see Section 2.5.4)
• Data Backup, Recovery and Retention (see Section 2.5.5)
11.10 (d)
11.10 (d) Limiting system access to authorized individuals.
Customer – Regulated User
The customer is responsible for ensuring that an individual must have a valid user account in order to
access both the O365 platform and any relevant GxP computerized system. Within the O365 platform,
user permissions must be managed by the System Administrator to specify what areas of the
computerized system are accessible to authorized users.
Description of activities, documentation and controls:
• O365 customers must register for the service by creating a subscription through the O365 Portal web site;
• Ensure proper user management procedures are in place to govern access to the O365 environment;
• Ensure proper procedures are established to govern logical and physical security over the terminal devices (e.g. workstations, laptops, etc.) used to access the O365 platform. The procedure should clearly describe how access to the system is managed, as well as how user system access is documented;
• Follow appropriate System Administration practices for GxP computerized systems configured on the O365 platform, based on predefined system administration procedures.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring adequate controls are established to ensure access to the O365
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:
• Security Policies and Procedures (see Section 2.5.1)
• Physical Security (see Section 2.5.2)
• Logical Security (see Section 2.5.3)
11.10 (e) Use of secure, computer-generated time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.
Customer – Regulated User
The O365 environment provides a standard audit trail feature. This feature must be turned on and
configured as part of the installation process for each GxP computerized system configured on the O365
platform (see Section 2.2 for more information).
Description of activities, documentation and controls:
Verify that audit trails are being properly generated for electronic records within O365 based on the requirements of 21 CFR Part 11.10 (e);
Verify that audit trail entries can be retrieved and that audit trail entries remain linked to their respective records throughout their retention period;
Verify that the audit trail can be retrieved as a human readable record;
Ensure Procedure(s) are established governing the following activities:
o Record retention and archiving - should define how audit trails will be protected throughout their corresponding records lifetime;
o Logical security – to ensure adequate protection and integrity of audit trails as electronic records in their own right;
o System Administration procedures for the GxP computerized systems configured on the O365 platform to ensure the proper management of audit trails;
o System Monitoring – to ensure consistent availability and performance of GxP computerized system.
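The verification activities listed above are procedural, but the properties they test for are concrete and can be exercised in code: entries are time-stamped and time-ordered, a change preserves the previous value rather than obscuring it, entries stay linked to their record, the trail can be rendered as human-readable text, and tampering with an earlier entry is detectable. The following added example (an illustration by the editor, not code from Montrium, Microsoft, or the O365 audit trail feature) builds a small append-only, hash-chained audit trail and a verifier for those properties. The users, record identifiers, timestamps and JSON field layout are constructed for the example; a real deployment would take the timestamp from the system clock rather than from the caller.

```python
import copy
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # chain anchor for the first entry


def _entry_hash(prev_hash, entry):
    # The hash covers the previous entry's hash plus every field of this entry
    # except its own hash, so rewriting or removing an earlier entry breaks the chain.
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("utf-8") + payload).hexdigest()


def append_entry(trail, timestamp, user, action, record_id,
                 field=None, old_value=None, new_value=None):
    """Append one time-stamped entry. Existing entries are never rewritten."""
    entry = {
        "seq": len(trail),
        "timestamp": timestamp,      # ISO 8601 with UTC offset; system-generated in practice
        "user": user,
        "action": action,            # create | modify | delete
        "record_id": record_id,
        "field": field,
        "old_value": old_value,      # retained so a change never obscures prior information
        "new_value": new_value,
    }
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry["hash"] = _entry_hash(prev_hash, entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return a list of findings; an empty list means the trail passes all checks."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, e in enumerate(trail):
        if e["seq"] != i:
            findings.append(f"sequence gap at position {i}: entry seq={e['seq']}")
        if e["hash"] != _entry_hash(prev_hash, e):
            findings.append(f"hash chain broken at seq {e['seq']}")
        ts = datetime.fromisoformat(e["timestamp"])
        if prev_ts is not None and ts < prev_ts:
            findings.append(f"timestamp goes backwards at seq {e['seq']}")
        if e["action"] == "modify" and e["old_value"] is None:
            findings.append(f"modify at seq {e['seq']} does not preserve the previous value")
        prev_hash, prev_ts = e["hash"], ts
    return findings


def entries_for_record(trail, record_id):
    """Retrieve the audit entries linked to one electronic record."""
    return [e for e in trail if e["record_id"] == record_id]


def human_readable(trail):
    """Render the trail as plain text lines suitable for review or agency copying."""
    lines = []
    for e in trail:
        change = "" if e["field"] is None else f" {e['field']}: {e['old_value']!r} -> {e['new_value']!r}"
        lines.append(f"{e['timestamp']} {e['user']} {e['action']} {e['record_id']}{change}")
    return "\n".join(lines)


def build_sample_trail():
    """Constructed sample data: fixed timestamps, hypothetical users and record IDs."""
    trail = []
    append_entry(trail, "2013-06-03T14:02:11+00:00", "jdoe", "create", "BATCH-0001")
    append_entry(trail, "2013-06-03T14:05:40+00:00", "jdoe", "modify", "BATCH-0001",
                 "status", "draft", "approved")
    append_entry(trail, "2013-06-04T09:17:02+00:00", "asmith", "create", "BATCH-0002")
    append_entry(trail, "2013-06-04T09:20:55+00:00", "asmith", "delete", "BATCH-0002")
    return trail


def tampered_sample_trail():
    """The same trail with the approval entry rewritten after the fact (no re-chaining)."""
    trail = copy.deepcopy(build_sample_trail())
    trail[1]["new_value"] = "rejected"
    return trail


if __name__ == "__main__":
    print(human_readable(build_sample_trail()))
    print("findings on intact trail:", verify_trail(build_sample_trail()))
    print("findings on tampered trail:", verify_trail(tampered_sample_trail()))
```

The chain only proves that the trail has not been altered since the hashes were written; protecting the stored hashes themselves (for example by periodically signing the latest hash, or by the logical security controls referenced above) is what makes the check independent of the people who can write to the trail.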
Microsoft – Cloud service provider
Customers are responsible for ensuring that the audit trail functionality provided in the O365 platform is
properly configured. Microsoft is responsible for implementing adequate controls to secure the O365
platform and provide appropriate system monitoring. By securing and monitoring the O365 platform,
these controls help to satisfy the above regulatory requirement, such that the GxP computerized systems
are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events as appropriate.
Customer – Regulated User
Operational checks are typically present in the process control mechanisms of GxP computerized systems
to ensure that operations are not executed outside of the predefined order established by the operating
group.
The customer should ensure that GxP computerized system configured on the O365 platform have been
assessed and are capable of fulfilling this requirement.
Microsoft – Cloud service provider
Within the context of the O365 platform, Microsoft provides certain operational system checks, such as
authentication mechanisms; however, all operational checks should be verified within the GxP computerized
system managed by the customer.
11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.
Customer – Regulated User
The customer is responsible for ensuring that adequate authority checks are implemented where
necessary through the application of security policies and the centralized management of user permissions
within the GxP computerized system. The customer is responsible for managing the access mechanism to
GxP computerized systems configured on the O365 platform (see Section 3.1.2).
Description of activities, documentation and controls:
Establish a procedure describing the process for managing user accounts and user permissions for the GxP computerized system;
The verification that only authorized users are able to access and alter records contained within the GxP computerized system should be performed as part of the validation effort.
Microsoft – Cloud service provider
The customer is primarily responsible for implementing and verifying the proper application of authority
checks in order to fulfill this regulatory requirement. Microsoft maintains the system which authenticates
users of the GxP computerized system, and must also manage authentication and security for the O365
platform. Microsoft is therefore responsible for ensuring proper controls are established to securely
manage the user access control system.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
11.10 (h) Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.
Customer – Regulated User
The customer must determine whether the implementation of device checks is required based on the
intended use of the GxP computerized system and the associated risks. Device checks are warranted in an
environment where only certain devices have been selected as legitimate sources of data input or
commands. In such cases, the device checks would be used to determine if the data or command source
was authorized. If required, the customer is responsible for defining which devices are authorized to
provide data or operational instructions and implement the necessary controls within the GxP
computerized system configured on the O365 platform.
Microsoft – Cloud service provider
Within the context of the O365 cloud services, Microsoft does not have control over device checks, as
these would be implemented and managed by the customer.
11.10 (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.
Customer – Regulated User
The customer is responsible for establishing procedural controls that define the employee training process
and requirements which ensure that adequate training is provided to an end user prior to using the GxP
computerized system. The customer is also responsible for ensuring that the adequate education and
experience requirement is met for persons who develop, maintain or use the GxP computerized system(s).
Description of activities, documentation and controls:
Ensure that appropriate training policies are established and that training and personnel qualification are documented (i.e. training records, CV).
Microsoft – Cloud service provider
Microsoft is responsible for maintaining the O365 infrastructure and services which store electronic
records, and therefore must ensure appropriate training policies are established and that training and
personnel qualification are documented (i.e. training records, CV) for personnel managing and monitoring
the O365 services.
Microsoft meets these requirements through the following controls:
Training Management (see Section 2.5.12)
11.10 (j) The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature falsification.
Customer – Regulated User
This requirement would be applicable if the customer has implemented a GxP computerized system which
provides users with the ability to apply electronic signatures to sign electronic records (see definition in
Section 1.5). The customer would in this case be responsible for implementing controls governing the use
of electronic signatures ensuring that individuals are aware that they are accountable and responsible for
actions initiated under their electronic signatures.
Description of activities, documentation and controls:
A written policy should be established that holds individuals accountable and responsible for actions initiated under or authorized by their electronic signatures;
Ensure that appropriate Training policies are established and that training and personnel qualification are documented (i.e. training records, CV).
Microsoft – Cloud service provider
Microsoft does not participate in the generation of electronic records or application of electronic
signatures, therefore does not have any responsibilities with regards to this regulatory requirement.
11.10 (k) Use of appropriate controls over systems documentation including:
11.10 (k)(1) Adequate controls over the distribution of, access to, and use of documentation for system operation and maintenance.
Customer – Regulated User
This regulation applies to system documentation which describes how a system operates and is
maintained, including standard operating procedures. Some highly sensitive documentation, such as
instructions on how to modify system security features, should not be widely distributed. Hence, the
customer is responsible for controlling the distribution of, access to, and use of such documentation which
is typically managed via the Document Management and Training Management processes.
Description of activities, documentation and controls:
Procedures governing controlled documentation management should be established in order to ensure that employees have access to the correct and updated versions of standard operating and maintenance procedures for the GxP computerized system configured on the O365 platform;
Ensure that procedural controls are established to appropriately manage the distribution, access and use of system documentation for GxP computerized systems configured on the O365 platform.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring access to system operation and maintenance documentation related to the O365 platform is properly controlled and that adequate controls are established to control the distribution and use of these documents. Employee training is performed in order to ensure proper use of the system documentation.
Microsoft meets these requirements through the following controls:
Documentation / Asset Management (see Section 2.5.11)
Training Management (see Section 2.5.12)
11.10 (k) Use of appropriate controls over systems documentation including:
11.10 (k)(2) Revision and change control procedures to maintain an audit trail that documents time-sequenced development and modification of systems documentation.
Customer – Regulated User
The customer is responsible for establishing controls which govern changes to system and corresponding
documentation. Documents within the scope of this requirement include GxP computerized system
specification, design, installation and validation documents and all other system operating procedures and
manuals.
Description of activities, documentation and controls:
Establish procedures for proper documentation management including document change control;
Ensure proper versioning and audit trail controls on GxP computerized systems documentation;
Establish system change control procedures which trigger appropriate documentation revisions for GxP computerized systems.
Microsoft – Cloud service provider
This regulation stipulates that any change to the hardware or software components of Microsoft's systems
should be documented. The Microsoft change control procedure governs the process of applying changes to
the system and its associated documentation. Microsoft has implemented a Document and Records
Management procedure governing the protection and retention of documentation, in conjunction with its
Asset Management procedure.
Microsoft meets these requirements through the following controls:
Software Development / Change Management (see Section 2.5.7)
Documentation / Asset Management (see Section 2.5.11)
Sec. 11.30 Controls for Open Systems
11.30 Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and as appropriate, the confidentiality of electronic records from the point of their creation to the point of their receipt. Such procedures and controls shall include those identified in 11.10, as appropriate and additional measures such as document encryption and use of appropriate digital signature standards to ensure, as necessary under the circumstances, record authenticity, integrity, and confidentiality.
Customer – Regulated User
The customer is responsible for ensuring that appropriate controls are implemented to ensure record
authenticity, integrity, and confidentiality. These controls include those identified in Section 3.1.2.
As the GxP computerized system is hosted and the Internet is used to transmit and/or view electronic
records within the O365 platform, in addition to controls for the proper authentication of users (as with a
closed system), there should also be encryption controls (e.g. TLS/SSL or a VPN) established to ensure that
records that transit public networks (such as the Internet) cannot be intercepted or read by
unauthorized individuals. Customers are also responsible for determining and implementing encryption
and information rights management requirements for data stored within the GxP computerized system(s).
Description of activities, documentation and controls:
Applications configured within the O365 platform must be assessed for this requirement;
Customer may implement encryption of customer data within the customer’s application;
Ensure that encryption and access controls are established to ensure that the integrity of data is maintained;
System Monitoring – to ensure consistent availability and performance of GxP computerized system.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring controls are established to ensure the authenticity, integrity and confidentiality of data within the O365 platform and during transit. Microsoft provides customers the option of encrypting data transmitted to and from Microsoft data centers over public networks.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Confidentiality (see Section 2.5.6)
3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
The following table outlines the assessment that was performed on each regulatory requirement of
EudraLex Volume 4 Annex 11 which were identified as in scope in Section 1.2 of this document. The
primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
We further identify which controls fall within the responsibility of Microsoft versus the controls that are
considered the responsibility of the customer when using the O365 platform for regulated GxP
computerized systems.
PRINCIPLE
This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A computerised system is a set of software and hardware components which together fulfill certain functionalities. The application should be validated; IT infrastructure should be qualified. Where a computerised system replaces a manual operation, there should be no resultant decrease in product quality, process control or quality assurance. There should be no increase in the overall risk of the process.
Customer – Regulated User
The customer must interpret this regulation as applying to all GxP computerized systems supporting GxP related activities that will be configured on the O365 platform. The customer is responsible for validating the GxP computerized systems configured to run within the O365 platform.
Microsoft – Cloud service provider
Microsoft’s responsibility towards their customers is to ensure that the components supporting the O365 platform have been developed, verified and deployed in a controlled fashion and managed according to approved procedures.
GENERAL
1 - Risk Management
Risk management should be applied throughout the lifecycle of the computerised system taking into
account patient safety, data integrity and product quality. As part of a risk management system,
decisions on the extent of validation and data integrity controls should be based on a justified and
documented risk assessment of the computerised system.
Customer – Regulated User
The customer is responsible for ensuring that risk management is part of the process of assessing,
selecting or developing and implementing GxP computerized systems within the O365 platform.
Description of activities, documentation and controls:
Ensure risk management policies are effective and implemented and/or risk management is integrated into the relevant procedures used for the development, deployment and management of GxP computerized systems;
Integrate risk management into your software development lifecycle procedure.
Use a risk based approach when performing and documenting the qualification/validation activities surrounding the deployment of the GxP computerized systems configured on the O365 platform.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that risk management has been applied in the development,
maintenance and monitoring of its O365 platform.
Microsoft meets this requirement through the following controls:
Software Development / Change Management (see Section 2.5.7)
Risk Assessment (see Section 2.5.10)
2 - Personnel
There should be close cooperation between all relevant personnel such as Process Owner, System Owner,
Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and
defined responsibilities to carry out their assigned duties.
Customer – Regulated User
The customer is responsible for ensuring that controls are established to govern the training and the
activities assigned to their personnel. They should also document the method used to confirm or verify an
individual’s qualifications and experience against formal job descriptions to ensure they are qualified to
perform assigned tasks.
The customer is also responsible for ensuring that an individual has a valid user account in order to access
the O365 platform and any relevant GxP computerized system. Within both the O365 platform and the GxP
computerized system, user permissions must be managed by the customer's assigned System
Administrator to specify which areas of the system are accessible to each authorized user.
Description of activities, documentation and controls:
Ensure that appropriate training policies are established and that training and personnel qualifications are documented (i.e. training records, CV);
Ensure that personnel are aware of their roles and responsibilities through approved and signed documentation such as Job Descriptions;
User Account Management procedures should be established to govern the assessment, enabling and disabling of IT system user accounts;
Different levels of system access should be formally defined for each GxP application configured within O365 and users should be assigned to the different levels through the User Account Management procedure.
Microsoft – Cloud service provider
Microsoft is responsible for maintaining the O365 platform infrastructure and services which store
customer electronic records, and therefore must ensure appropriate training policies are established and
that training and personnel qualifications are documented (i.e. training records, CV).
Microsoft is responsible for ensuring adequate controls are established to ensure access to the O365
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
Training Management (see Section 2.5.12)
3 - Suppliers
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure,
integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related
service or for data processing, formal agreements must exist between the manufacturer and any third
parties, and these agreements should include clear statements of the responsibilities of the third party.
IT-departments should be considered analogous.
Customer – Regulated User
The customer is responsible for assessing third party suppliers that have an impact on relevant GxP
computerized systems. They are responsible for ensuring that controls addressing the identification,
assessment, selection and management of third party suppliers are established.
Description of activities, documentation and controls:
Ensure that a vendor selection process has been defined and is covered within an effective procedure;
Ensure that when needed appropriate contracts are established (i.e. NDA, SLAs);
Ensure that contracts establish clear statements of responsibility;
Ensure that vendor selection evidence and documentation is maintained following governing Record Retention policies.
Microsoft – Cloud service provider
Microsoft would be considered a third party service provider to the client within the context of this
requirement and formal agreements will be in place between the customer and Microsoft which include a
service level agreement which clearly defines responsibility of each party. In addition, Microsoft is
responsible for ensuring that they appropriately document and control the services provided by third party
suppliers within the context of their O365 platform offering.
Microsoft meets these requirements through the following controls:
Documentation / Asset Management (see Section 2.5.11)
Vendor Management (see Section 2.5.14)
3.2 The competence and reliability of a supplier are key factors when selecting a product or service
provider. The need for an audit should be based on a risk assessment.
Customer – Regulated User
The customer is responsible for assessing third party suppliers that have an impact on relevant GxP
computerized systems. The level of impact that a supplier may have on a GxP computerized systems
should be part of the supplier assessment process. This should be taken into account in order to determine
the need for a formal audit of the supplier.
Description of activities, documentation and controls:
Establish a vendor selection procedure and an external audit procedure to define when a vendor audit is required;
Ensure that risk assessment is part of the vendor selection process.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that they appropriately document and control the selection of third
party suppliers of components/services which form part of the O365 platform offering used by customers
to deploy GxP computerized systems.
Microsoft meets these requirements through the following controls:
Documentation / Asset Management (see Section 2.5.11)
Vendor Management (see Section 2.5.14)
3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated
users to check that user requirements are fulfilled.
Customer – Regulated User
The customer is responsible for implementing controls ensuring the review of documentation related to
commercial off-the-shelf applications supporting GxP activities, to verify that the system meets user
requirements.
Description of activities, documentation and controls:
Establish procedures for selecting and deploying off-the-shelf software solutions and services which include the verification of supplied documentation to ensure the solutions or services meet user requirements.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft directly, as Microsoft is not a regulated user of
third party commercial off-the-shelf products.
As Microsoft is the provider of commercial off-the-shelf products to regulated users, Microsoft is required to
provide customers with sufficient documentation to allow the customer to meet this requirement.
3.4 Quality system and audit information relating to suppliers or developers of software and
implemented systems should be made available to inspectors on request.
Customer – Regulated User
The customer is responsible for implementing appropriate controls which ensure that quality system and
audit information relating to suppliers is available to inspectors.
Description of activities, documentation and controls:
Ensure that quality system and vendor selection evidence and documentation is maintained following governing record management policies.
Microsoft – Cloud service provider
As Microsoft is a third party vendor of cloud services to its customers, it is not required to meet
this requirement.
4 - Validation
4.1 The validation documentation and reports should cover the relevant steps of the life cycle.
Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and
records based on their risk assessment.
Customer – Regulated User
The customer is responsible for ensuring that GxP computerized systems are defined, developed, verified,
configured, and validated according to approved and effective software development lifecycle procedures.
Description of activities, documentation and controls:
Establish formal risk based software development lifecycle and computer systems validation procedures;
Ensure GxP computerized systems configured on the O365 platform that manage electronic records are validated to confirm they are fit for their intended purpose based on a formal risk assessment;
Document the qualification/validation activities surrounding the deployment of the GxP computerized systems configured on the O365 platform per the formal procedures.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of the GxP computerized systems configured within the O365 platform, as this is the responsibility of the customer. Microsoft is responsible for ensuring that the components used within the O365 platform have been defined, developed, verified, deployed, and validated according to approved and effective software development lifecycle procedures.
Microsoft meets these requirements through the following control:
Software Development / Change Management (see Section 2.5.7)
4.2 Validation documentation should include change control records (if applicable) and reports on any
deviations observed during the validation process.
Customer – Regulated User
The customer is responsible for ensuring that controls are established to govern the management of issues
encountered within the validation process, along with the administration of changes to GxP computerized
systems and corresponding documentation.
The customer’s validation process should also describe methods used to track and manage deviations and
issues encountered within the validation process. Additional details regarding the qualification / validation
activities are provided in Section 3.1.2.
Description of activities, documentation and controls:
Ensure computer system validation and change control procedures are established, including specific security controls;
Ensure that documentation management controls are established to manage documents produced within the validation and change management processes;
Documents within the scope of this requirement include validation, change control and deviation documents.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that controls are established to manage the deployment and
verification of customer instances of O365.
Microsoft is also responsible for the implementation of upgrades or patches to the O365 platform. Any
changes to hardware or software components supporting the O365 platform should be documented and
tested prior to being placed into production.
Microsoft meets these requirements through the following control:
Software Development / Change Management (see Section 2.5.7)
4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be
available.
For critical systems an up to date system description detailing the physical and logical arrangements,
data flows and interfaces with other systems or processes, any hardware and software pre-requisites,
and security measures should be available.
Customer – Regulated User
The customer is responsible for ensuring that controls are established to determine the need and content
of system documentation required to manage applicable GxP computerized systems.
Description of activities, documentation and controls:
Produce system description document for all GxP computerized systems, including O365 and relevant systems, which describes hardware requirements, software requirements, system components, data flow and system interfaces;
Reference the O365 platform that will be used to deploy the GxP computerized system in the system description document.
Microsoft – Cloud service provider
As customers may implement critical GxP computerized systems within the O365 platform, Microsoft is
responsible for ensuring the management of assets within the GFS environment supporting the O365
platform.
Microsoft meets this requirement through the following control:
Documentation / Asset Management (see Section 2.5.11)
4 - Validation
4.4 User Requirements Specifications should describe the required functions of the computerised
system and be based on documented risk assessment and GMP impact. User requirements should be
traceable throughout the life-cycle.
Customer – Regulated User
The customer is responsible for ensuring that controls are in place which define the method for gathering
and documenting the needs of their users. The approach must include the assessment and mitigation of
risk and regulatory impact. The customer’s documented User Requirements must be traced throughout
the GxP computerized system’s lifecycle.
Description of activities, documentation and controls:
Establish procedures for the development and management of user requirements;
Establish traceability mechanisms for user requirements.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized
systems.
4 - Validation
4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed
in accordance with an appropriate quality management system. The supplier should be assessed
appropriately.
Customer – Regulated User
The customer is responsible for ensuring that controls addressing the management of third party suppliers
are established. The customer must also ensure that regulated systems have been developed according to
or meet the requirements of an approved SDLC process.
Description of activities, documentation and controls:
Ensure that a vendor selection process has been defined and is covered within an effective procedure;
Ensure that, when needed, appropriate contracts are established (e.g. NDA, SLAs);
Ensure that vendor selection evidence and documentation is maintained following the governing Record Retention policies;
Ensure that the vendor's quality system has the appropriate controls in place to govern the SDLC process;
Ensure that system development activities are performed as defined within the governing SDLC or computer system validation procedure.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized
systems.
As Microsoft is the provider of commercial off-the-shelf products to regulated users, they are required to
provide these customers with sufficient documentation to allow the customer to meet this requirement.
4 - Validation
4.6 For the validation of bespoke or customised computerised systems there should be a process
established that ensures the formal assessment and reporting of quality and performance measures for
all the life-cycle stages of the system.
Customer – Regulated User
The customer is responsible for establishing controls that will ensure the continuous assessment and
measurement of quality and performance throughout the GxP computerized system’s lifecycle.
Description of activities, documentation and controls:
Ensure computer system validation and change control policies are established.
Microsoft – Cloud service provider
As customers may implement GxP computerized systems within the O365 platform, Microsoft is
responsible for establishing appropriate controls to ensure the monitoring and change management of
assets supporting the O365 platform.
Microsoft meets these requirements through the following controls:
System Monitoring and Maintenance (see Section 2.5.4)
Software Development / Change management (see Section 2.5.7)
4 - Validation
4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly,
system (process) parameter limits, data limits and error handling should be considered. Automated
testing tools and test environments should have documented assessments for their adequacy.
Customer – Regulated User
The customer is responsible for establishing appropriate controls to govern the testing of their GxP
computerized systems and for ensuring that relevant tests are performed and adequately documented.
Description of activities, documentation and controls:
Ensure adequate computer system validation and change control policies are established;
Ensure that all testing activities are properly documented.
Microsoft – Cloud service provider
As customers may implement GxP computerized systems within the O365 platform, Microsoft is
responsible for establishing appropriate controls to ensure the controlled and verified deployment of the
underlying infrastructure that supports the O365 platform.
Microsoft meets these requirements through the following controls:
System Monitoring and Maintenance (see Section 2.5.4)
Software Development / Change Management (see Section 2.5.7)
4 - Validation
4.8 If data are transferred to another data format or system, validation should include checks that
data are not altered in value and/or meaning during this migration process.
Customer – Regulated User
The customer is responsible for establishing appropriate controls to ensure that the process of data
migration is tested and documented accordingly when migrating data to/from GxP computerized systems
configured on the O365 platform.
Description of activities, documentation and controls:
Establish change management procedures which govern data migration;
Establish data migration plans which include controls for the verification that data has not been altered in value and/or meaning following migration.
Microsoft – Cloud service provider
Microsoft is not responsible for the migration of data between GxP computerized systems configured on
the O365 platform.
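The verification step that clause 4.8 asks for (data not altered in value and/or meaning) is easiest to reason about with a concrete check. The following is an added example, not code from the Montrium guideline or from Microsoft: it compares a source record set with its migrated copy field by field after reducing each field to a canonical form, so that a harmless change of representation (a trailing zero dropped, a date written in another declared format) passes while a change of value (rounding, a lost record, an extra record) is reported. The record schema, the accepted date formats and the sample records are constructed for illustration; a real migration plan would declare them.

```python
"""Data migration integrity check (clause 4.8 style).

Added example, not code from the Montrium guideline or from Microsoft.
Schema, date formats and sample records are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime
from decimal import Decimal, InvalidOperation

KEY_FIELD = "record_id"

# Constructed schema: field name -> semantic type.  Typing the fields lets the
# check tell a representation change (99.50 -> 99.5, 2013-06-04 -> 04/06/2013)
# apart from a real change in value or meaning.
SCHEMA = {"record_id": "text", "sample_date": "date",
          "potency": "decimal", "status": "text"}

# Formats the migration plan declares for the two sides.  Never guess these:
# a dd/mm vs mm/dd mix-up is exactly the "meaning" change the check must catch.
DATE_FORMATS = ("%Y-%m-%d", "%d/%m/%Y")


def canonical_value(field, value):
    """Reduce one field to a canonical form so equal meanings compare equal."""
    kind = SCHEMA.get(field, "text")
    if value is None:
        return None
    if kind == "date":
        for fmt in DATE_FORMATS:
            try:
                return datetime.strptime(str(value), fmt).date().isoformat()
            except ValueError:
                continue
        return "UNPARSEABLE:" + str(value)   # surfaces as a difference
    if kind == "decimal":
        try:
            return format(Decimal(str(value)).normalize(), "f")
        except InvalidOperation:
            return "INVALID:" + str(value)
    return str(value).strip()


def canonicalize(record):
    return {f: canonical_value(f, v) for f, v in record.items()}


def record_fingerprint(record):
    """SHA-256 over the canonical record; keep these in the migration report
    as evidence of exactly what was compared."""
    body = json.dumps(canonicalize(record), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def verify_migration(source, target):
    """Compare a source record set with its migrated copy; return a report."""
    src = {r[KEY_FIELD]: r for r in source}
    tgt = {r[KEY_FIELD]: r for r in target}
    missing = sorted(set(src) - set(tgt))        # lost during migration
    unexpected = sorted(set(tgt) - set(src))     # appeared during migration
    altered = {}
    for rid in sorted(set(src) & set(tgt)):
        if record_fingerprint(src[rid]) == record_fingerprint(tgt[rid]):
            continue
        a, b = canonicalize(src[rid]), canonicalize(tgt[rid])
        altered[rid] = {f: (a.get(f), b.get(f))
                        for f in sorted(set(a) | set(b)) if a.get(f) != b.get(f)}
    return {
        "source_count": len(src),
        "target_count": len(tgt),
        "missing": missing,
        "unexpected": unexpected,
        "altered": altered,
        "passed": not (missing or unexpected or altered),
    }


# Constructed sample data: R1 changes representation only, R2 loses precision,
# R3 is dropped by the migration and R4 appears from nowhere.
SAMPLE_SOURCE = [
    {"record_id": "R1", "sample_date": "2013-06-04", "potency": "99.50", "status": "Approved "},
    {"record_id": "R2", "sample_date": "2013-06-05", "potency": "10.125", "status": "Approved"},
    {"record_id": "R3", "sample_date": "2013-06-06", "potency": "98.00", "status": "Rejected"},
]
SAMPLE_TARGET = [
    {"record_id": "R1", "sample_date": "04/06/2013", "potency": "99.5", "status": "Approved"},
    {"record_id": "R2", "sample_date": "05/06/2013", "potency": "10.13", "status": "Approved"},
    {"record_id": "R4", "sample_date": "07/06/2013", "potency": "97.10", "status": "Approved"},
]

if __name__ == "__main__":
    print(json.dumps(verify_migration(SAMPLE_SOURCE, SAMPLE_TARGET), indent=2))
```

Record counts alone would have passed this sample (three records in, three out); the per-record fingerprint is what turns the clause into evidence a validation report can cite.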
OPERATIONAL PHASE
5 - Data
Computerised systems exchanging data electronically with other systems should include appropriate
built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.
Customer – Regulated User
The customer is responsible for establishing the controls required to ensure the authenticity, integrity and
confidentiality of data related to GxP computerized systems configured within the O365 platform. In
addition to controls for the proper authentication of users (as with a closed system), there should also be
encryption controls (e.g. SSL or VPN) established to ensure that records that transit across public networks
(such as the Internet) cannot be intercepted or interpreted by unauthorized individuals. These controls
should include related topics as identified in Section 3.1.2.
Description of activities, documentation and controls:
Applications configured within the O365 platform must be assessed against this requirement;
Ensure that encryption and access controls are established to ensure that the integrity of data is maintained within the GxP computerized system and when data is transiting from the O365 platform across the internet.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems configured on the
O365 platform are protected. Microsoft provides customers the option of encrypting data transmitted to
and from Microsoft data centers over public networks.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Confidentiality (see Section 2.5.6)
6 - Accuracy Checks
For critical data entered manually, there should be an additional check on the accuracy of the data. This
check may be done by a second operator or by validated electronic means. The criticality and the
potential consequences of erroneous or incorrectly entered data to a system should be covered by risk
management.
Customer – Regulated User
The customer is responsible for implementing controls to ensure that data entered into GxP computerized
systems are accurate. Verification controls should be implemented to determine the risk and impact that
inaccurate or mistakenly entered data would have on the GxP computerized system.
Description of activities, documentation and controls:
Ensure GxP computerized systems have controls for detecting inaccurate or erroneous data.
Microsoft – Cloud service provider
This requirement is the customer’s responsibility as Microsoft is not providing GxP computerized systems
used for data entry.
7 - Data Storage
7.1 Data should be secured by both physical and electronic means against damage. Stored data should
be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the
retention period.
Customer – Regulated User
The customer is responsible for ensuring that adequate authority checks are implemented where necessary,
through the application of security policies and the centralized management of user permissions within the
GxP computerized system. The customer is also responsible for ensuring that appropriate controls are
established to protect data and records pertaining to GxP activities performed within GxP computerized
systems configured on the O365 platform, and to ensure accurate data is readily available throughout its
retention period.
Description of activities, documentation and controls:
The verification that only authorized users are able to access, read and alter records contained within the GxP computerized system should be performed as part of the validation effort;
Procedure(s) are established governing the following topics:
o Logical security - describes the security controls which are required in order to prevent unauthorized access to the application;
o User Account Management - describes the process for requesting new user accounts and how to provide end users with relevant permissions;
o Data backup and recovery - describes the process for the backup and recovery of data housed within the O365 platform;
o Records retention and archiving - describes how records will be protected and archived throughout their lifecycle;
Ensure that mechanisms for Disaster Recovery and Business Continuity are established and tested, should any issue arise with the Azure VMs;
Data repatriation plans are established and tested in the case of contract termination.
Microsoft – Cloud service provider
Microsoft manages the security component which authenticates users of the O365 platform, and is therefore
responsible for ensuring that proper controls are established to securely manage the user access control
system, along with the physical elements housing customer records.
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
Service Level Agreements (see Section 2.5.9)
7 - Data Storage
7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and
the ability to restore the data should be checked during validation and monitored periodically.
Customer – Regulated User
The customer is responsible for defining the backup scheme for data housed within GxP computerized
systems which are configured on the O365 platform and ensuring that the implemented backup
mechanism functions appropriately and consistently.
Description of activities, documentation and controls:
Ensure that controls and procedures are established to oversee the backup and recovery of data. These controls should be tested periodically to ensure that they are still functional;
Ensure data repatriation plans are established and tested in the case of contract termination.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that appropriate controls are in place to manage the backup systems
and provide assurance to customers that their defined backup schemes are implemented and function
correctly and will provide the expected level of retention. Controls to govern the maintenance and
verification of the backup system should be implemented.
Microsoft meets these requirements through the following controls:
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
8 - Printouts
8.1 It should be possible to obtain clear printed copies of electronically stored data.
Customer – Regulated User
The customer is responsible for ensuring that GxP computerized systems configured on the O365 platform
are capable of generating accurate and complete copies of records.
Description of activities, documentation and controls:
Procedure(s) are established governing the protection of records to ensure accurate and complete copies are readily available;
Verify accurate and complete copies of electronic records can be retrieved and printed from the system during validation;
Verify data transfer from applications which store electronic records in GxP computerized systems configured on the O365 platform does not impact data integrity.
Microsoft – Cloud service provider
Microsoft is not responsible for ensuring it is possible to print copies of customer data stored within the
GxP computerized systems configured on the O365 platform. However, Microsoft is responsible for
implementing adequate controls to secure the O365 platform and provide appropriate system monitoring.
By securing and monitoring the O365 platform, these controls help to satisfy the above regulatory
requirement, such that the GxP computerized systems are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
8 - Printouts
8.2 For records supporting batch release it should be possible to generate printouts indicating if any of
the data has been changed since the original entry.
Customer – Regulated User
The customer should ensure that GxP computerized systems configured on the O365 platform have been
assessed and are capable of fulfilling this requirement. This requirement is typically met through the
generation of audit trails for batch records and ensuring that the batch records with audit trail can be
printed.
Microsoft – Cloud service provider
Microsoft is not responsible for customer data stored within the GxP computerized systems configured on
the O365 platform. However, Microsoft is responsible for implementing adequate controls to secure the
O365 platform and provide appropriate system monitoring. By securing and monitoring the O365
platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized
systems are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
9 - Audit Trails
Consideration should be given, based on a risk assessment, to building into the system the creation of a
record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or
deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and
convertible to a generally intelligible form and regularly reviewed.
Customer – Regulated User
The O365 environment provides a standard audit trail feature. This feature must be turned on and
configured as part of the installation process for GxP computerized system configured on the O365
platform (see Section 2.2 for more information).
Description of activities, documentation and controls:
Verify that audit trails are being properly generated for electronic records within O365 based on this requirement;
Verify that audit trail entries can be retrieved and that audit trail entries remain linked to their respective records throughout their retention period;
Verify that the audit trail can be retrieved as a human readable record;
Ensure Procedure(s) are established governing the following activities:
o Record retention and archiving - should define how audit trails will be protected throughout their corresponding records' lifetime;
o Logical security – to ensure adequate protection and integrity of audit trails as electronic records in their own right;
o System Administration procedures for the GxP computerized systems configured on the O365 platform to ensure the proper management of audit trails.
Microsoft – Cloud service provider
Customers are responsible for ensuring that the audit trail functionality provided in the O365 platform is
properly configured. Microsoft is responsible for implementing adequate controls to secure the O365
platform and provide appropriate system monitoring. By securing and monitoring the O365 platform,
these controls help to satisfy the above regulatory requirement, such that the GxP computerized systems
are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
10 - Change and Configuration Management
Any changes to a computerised system including system configurations should only be made in a
controlled manner in accordance with a defined procedure.
Customer – Regulated User
The customer is responsible for establishing controls to govern the change and configuration management
processes related to GxP computerized systems configured on the O365 platform.
Description of activities, documentation and controls:
Ensure that appropriate System Change Control, Configuration Management, Application Quality and Security procedures along with documentation management controls are established.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that controls are in place to govern the management of the
underlying O365 system components used for GxP computerized systems configured on the O365
platform.
Microsoft meets these requirements through the following controls:
Software Development / Change Management (see Section 2.5.7)
11 - Periodic evaluation
Computerised systems should be periodically evaluated to confirm that they remain in a valid state and
are compliant with GMP. Such evaluations should include, where appropriate, the current range of
functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security
and validation status reports.
Customer – Regulated User
The customer is responsible for ensuring that controls are established to govern the maintenance of the
GxP computerized systems’ validated state throughout its lifecycle. These controls should include related
topics as identified in Section 3.1.2.
Description of activities, documentation and controls:
Ensure computer system validation and change control policies are established for GxP computerized systems configured on the O365 platform;
Ensure that systems maintenance procedures are in place to manage GxP computerized systems configured on the O365 platform;
Ensure that deviation and incident management procedures are in place to manage deviations, incidents and problems that arise with GxP computerized systems configured on the O365 platform.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of systems to verify compliance with GxP regulations. However,
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems configured on the
O365 platform are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
12 - Security
12.1 Physical and/or logical controls should be established to restrict access to computerised system to
authorised persons. Suitable methods of preventing unauthorised entry to the system may include the
use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer
equipment and data storage areas.
Customer – Regulated User
The customer is responsible for ensuring that an individual has a valid user account in order to access the
O365 platform and GxP computerized system. Within the O365 platform and GxP computerized system,
user permissions must be managed by the System Administrator to specify which areas of the system are
accessible to each user.
Description of activities, documentation and controls:
Ensure proper procedures are established to govern logical and physical security. The procedure should clearly describe how access to the system is managed, as well as how user system access is documented;
A procedure describing the process for requesting new user accounts and how to provide the correct permissions should be developed;
The verification that only authorized users are able to access and alter records contained within the system should be performed as part of the validation effort;
Appropriate System Administration practices are followed for applications configured on the O365 platform;
Ensure that encryption and access controls are established to ensure that the integrity of data is maintained.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
infrastructure components is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
12 - Security
12.2 The extent of security controls depends on the criticality of the computerised system.
Customer – Regulated User
The customer is responsible for establishing controls to ensure that appropriate security controls are
implemented. The level and complexity of security controls should be based on the GxP impact of the GxP
computerized system.
Description of activities, documentation and controls:
Ensure proper procedures are established to govern logical and physical security;
Ensure risk management policies are established
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems configured on the
O365 platform are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
Risk Assessment (see Section 2.5.10)
12 - Security
12.3 Creation, change, and cancellation of access authorisations should be recorded.
Customer – Regulated User
The customer is responsible for ensuring that the management of user accounts is controlled and
documented. It should be noted that user accounts should not be deleted but deactivated, allowing
traceability within electronic records to be maintained. This control of access also applies to physical
components related to the GxP computerized systems (e.g. computer rooms, office space, server rooms)
which must equally be controlled and documented.
Description of activities, documentation and controls:
Ensure proper procedures are established to govern logical and physical security. The procedure should clearly describe how access to GxP computerized systems is managed;
Establish a user access control list to record all granting of, changes to or cancellation of user access to GxP computerized systems;
Ensure appropriate System Administration practices are followed for GxP computerized systems configured on the O365 platform.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of systems to verify compliance with GxP regulations. However,
Microsoft is responsible for implementing adequate controls to secure the O365 platform and provide
appropriate system monitoring. By securing and monitoring the O365 platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems configured on the
O365 platform are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
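Clause 12.3 asks for two things that are easy to get wrong in practice: a record of every grant, change and cancellation of access (who authorised it, when), and accounts that are deactivated rather than deleted so the identity behind existing electronic records stays resolvable. The following is an added example, not code from the Montrium guideline or from Microsoft, of a user access control list that enforces both. User ids, roles, the authorising administrator and the timestamps are constructed.

```python
"""User access control list (clause 12.3 style).

Added example, not code from the Montrium guideline or from Microsoft.
User ids, roles and timestamps are constructed for illustration.
"""
from datetime import datetime, timezone


class AccessControlList:
    def __init__(self):
        self.accounts = {}  # user_id -> {"active": bool, "roles": set}
        self.events = []    # append-only history of authorisation events

    def _record(self, event, user_id, authorised_by, detail, when):
        self.events.append({
            "timestamp": when.isoformat(timespec="seconds"),
            "event": event,
            "user": user_id,
            "authorised_by": authorised_by,
            "detail": detail,
        })

    def _account(self, user_id):
        if user_id not in self.accounts:
            raise KeyError(f"unknown user {user_id}")
        return self.accounts[user_id]

    def create(self, user_id, authorised_by, when):
        # A user id is never reused: a second "jdoe" would make old records
        # ambiguous, which is the traceability the clause protects.
        if user_id in self.accounts:
            raise ValueError(f"{user_id} already exists; ids are never reused")
        self.accounts[user_id] = {"active": True, "roles": set()}
        self._record("create", user_id, authorised_by, None, when)

    def grant(self, user_id, role, authorised_by, when):
        acct = self._account(user_id)
        if not acct["active"]:
            raise PermissionError(f"{user_id} is deactivated; reactivate explicitly first")
        acct["roles"].add(role)
        self._record("grant", user_id, authorised_by, role, when)

    def revoke(self, user_id, role, authorised_by, when):
        self._account(user_id)["roles"].discard(role)
        self._record("revoke", user_id, authorised_by, role, when)

    def deactivate(self, user_id, authorised_by, reason, when):
        # Deactivate, never delete: the account row and its history stay,
        # so audit trail entries citing this user id remain resolvable.
        self._account(user_id)["active"] = False
        self._record("deactivate", user_id, authorised_by, reason, when)

    def delete(self, user_id):
        raise NotImplementedError("accounts are deactivated, never deleted")

    def is_permitted(self, user_id, role):
        acct = self.accounts.get(user_id)
        return bool(acct and acct["active"] and role in acct["roles"])

    def history(self, user_id):
        return [e for e in self.events if e["user"] == user_id]


def build_sample_acl():
    """Constructed sample: one active reviewer, one leaver who is deactivated."""
    t0 = datetime(2013, 6, 4, 9, 0, tzinfo=timezone.utc)
    acl = AccessControlList()
    acl.create("jdoe", "sysadmin1", t0)
    acl.grant("jdoe", "QA Reviewer", "sysadmin1", t0)
    acl.create("rroe", "sysadmin1", t0)
    acl.grant("rroe", "QA Reviewer", "sysadmin1", t0)
    acl.grant("rroe", "System Administrator", "sysadmin1", t0)
    acl.revoke("rroe", "System Administrator", "sysadmin1", t0)
    acl.deactivate("rroe", "sysadmin1", "Left the company", t0)
    return acl


if __name__ == "__main__":
    for event in build_sample_acl().events:
        print(event)
```

The event list is the "user access control list" the clause refers to; the account table is only the current state derived from it, which is why the code never edits an event once written.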
12 - Security
12.4 Management systems for data and for documents should be designed to record the identity of
operators entering, changing, confirming or deleting data including date and time.
Customer – Regulated User
The GxP computerized systems configured on the O365 platform should capture the identity of users
creating or performing actions on data. The information captured should include the following:
Date and time when electronic records are created, initiated, changed, confirmed, and deleted;
The identity of the user who performed the action.
Description of activities, documentation and controls:
Procedure(s) are established governing the following activities:
o The defined Computer System Validation process should ensure that this functionality is present and works correctly in the GxP computerized system.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized systems for the collection and management of regulated electronic records.
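Clause 9 (system-generated audit trail with a documented reason for changes and deletions, convertible to an intelligible form) and clause 12.4 (identity, date and time of the operator for every entry, change, confirmation or deletion) describe the same artefact. The following is an added example that serves both, not code from the Montrium guideline or from Microsoft (the O365 audit feature the text refers to is configured by the customer, not written by them): an append-only trail in which every entry carries the operator and timestamp, change and delete refuse to proceed without a reason, entries stay linked to their record and to each other through a hash chain that a periodic review can re-verify, and the trail renders as plain text. Record ids, user ids and timestamps are constructed.

```python
"""System-generated audit trail (clauses 9 and 12.4 style).

Added example, not code from the Montrium guideline or from Microsoft.
Record ids, user ids and timestamps are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

REASON_REQUIRED = {"change", "delete"}   # clause 9: reason must be documented
GENESIS = "0" * 64                        # prev_hash of the first entry


class AuditTrail:
    def __init__(self):
        self.entries = []  # append-only; entries are never edited or removed

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, record_id, action, user, reason=None, old=None, new=None, when=None):
        """Append one entry: who (user) did what (action) to which record, when."""
        if action in REASON_REQUIRED and not reason:
            raise ValueError(f"{action} of {record_id} requires a documented reason")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(timespec="seconds"),
            "record_id": record_id,
            "action": action,
            "user": user,
            "reason": reason,
            "old": old,
            "new": new,
            # Chain link: ties this entry to the one before it, so a removed
            # or rewritten entry is detectable on review.
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; return 0 if intact, otherwise the seq of the
        first entry whose content or linkage no longer matches."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return e["seq"]
            prev = e["hash"]
        return 0

    def history(self, record_id):
        """All entries linked to one record, in the order they were made."""
        return [e for e in self.entries if e["record_id"] == record_id]

    def human_readable(self, record_id=None):
        """Render the trail (or one record's history) in an intelligible form."""
        lines = []
        for e in self.history(record_id) if record_id else self.entries:
            line = f'{e["timestamp"]} {e["user"]:<8} {e["action"].upper():<8} {e["record_id"]}'
            if e["old"] is not None or e["new"] is not None:
                line += f': {e["old"]!r} -> {e["new"]!r}'
            if e["reason"]:
                line += f' (reason: {e["reason"]})'
            lines.append(line)
        return "\n".join(lines)


def build_sample_trail():
    """Constructed sample: a batch record is created, corrected and confirmed."""
    t = datetime(2013, 6, 4, 9, 30, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("BR-0042", "create", "jdoe", new="Draft", when=t)
    trail.record("BR-0042", "change", "jdoe", reason="Transcription error",
                 old="Draft", new="In Review", when=t)
    trail.record("BR-0042", "confirm", "asmith", when=t)
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(trail.human_readable("BR-0042"))
    print("chain intact" if trail.verify() == 0 else "chain broken")
```

Running `verify()` as part of the periodic audit trail review gives the "regularly reviewed" step of clause 9 a concrete pass/fail outcome rather than a visual scan.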
13 - Incident Management
All incidents, not only system failures and data errors, should be reported and assessed. The root cause
of a critical incident should be identified and should form the basis of corrective and preventive actions.
Customer – Regulated User
The customer is responsible for ensuring that appropriate tools or controls are established to govern the
documentation, assessment and tracking of reported issues related to GxP computerized systems. These
controls should include related topics as identified in Section 3.1.2.
Description of activities, documentation and controls:
Ensure that procedural controls such as incident management and CAPA are implemented to manage all incidents related to GxP computerized systems.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that appropriate tools or controls are established to govern the documentation, assessment and tracking of reported issues related to the O365 platform on which GxP computerized systems are configured.
Microsoft meets these requirements through the following controls:
Incident Management (see Section 2.5.8)
Service Level Agreements (see Section 2.5.9)
14 - Electronic Signature
Electronic records may be signed electronically. Electronic signatures are expected to:
a. have the same impact as hand-written signatures within the boundaries of the company,
b. be permanently linked to their respective record,
c. include the time and date that they were applied.
Customer – Regulated User
The customer is responsible for ensuring through verification that GxP computerized systems configured
within the O365 platform applying electronic signatures meet this requirement.
Description of activities, documentation and controls:
Ensure that the use and meaning of Electronic Signatures are defined within a procedural control;
Ensure procedure controls are established to govern the assignment of Electronic Signatures.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft as this functionality is not provided as a part of the O365 platform.
15 - Batch release
When a computerised system is used for recording certification and batch release, the system should
allow only Qualified Persons to certify the release of the batches and it should clearly identify and record
the person releasing or certifying the batches. This should be performed using an electronic signature.
Customer – Regulated User
The customer is responsible for ensuring that GxP computerized systems to be implemented within the
O365 platform have been assessed against this requirement.
Description of activities, documentation and controls:
The defined Computer System Validation process should ensure that this requirement is assessed and appropriate supporting documentation must be produced;
Ensure that controls have been defined and implemented to govern the use of electronic signatures.
Microsoft – Cloud service provider
This requirement does not apply to Microsoft. Microsoft does not have direct control over GxP activities, as these would be implemented within GxP computerized systems that are configured and managed by the customer on the O365 platform.
Microsoft does not provide electronic signature functionality as part of the O365 platform.
16 - Business Continuity
For the availability of computerised systems supporting critical processes, provisions should be made to
ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or
alternative system). The time required to bring the alternative arrangements into use should be based
on risk and appropriate for a particular system and the business process it supports. These arrangements
should be adequately documented and tested.
Customer – Regulated User
The customer is responsible for ensuring that mechanisms for Disaster Recovery and Business Continuity
are established and tested, should any issue arise with either the GxP computerized system or with the
O365 platform.
Description of activities, documentation and controls:
Establish a comprehensive disaster recovery and business continuity plan and test it regularly. This plan should include provisions in the case that the O365 platform becomes unavailable. The plan should also integrate risk and impact assessment mechanisms;
Ensure that backup infrastructure and policies are established and have been tested for GxP computerized systems configured on the O365 platform;
Ensure the data repatriation plans are established and tested.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to ensure the O365 platform remains
available in the event of disaster. Backup and retention policies/procedures are defined and maintained in
accordance with regulatory, statutory, contractual or business requirements. These controls help to satisfy
the above regulatory requirement, such that Microsoft backs up O365 infrastructure data regularly and
validates restoration of data periodically for disaster recovery purposes.
Microsoft meets these requirements through the following controls:
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
Service Level Agreements (see Section 2.5.9)
Disaster Recovery (see Section 2.5.13)
17 - Archiving
Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant
changes are to be made to the system (e.g. computer equipment or programs), then the ability to
retrieve the data should be ensured and tested.
Customer – Regulated User
The customer is responsible for establishing controls to implement appropriate archiving mechanisms.
Archived data should be regularly verified to ensure its accessibility, readability and integrity.
Description of activities, documentation and controls:
Ensure that appropriate security controls are established;
Ensure that backup infrastructure and policies are established and have been tested for GxP computerized systems configured on the O365 platform;
Ensure that record retention policies have been defined;
Ensure that mechanisms for Disaster Recovery and Business Continuity are established and tested, should any issue arise with the O365 platform;
Ensure that data repatriation plans are established and tested;
Ensure that audit trails have been properly defined and verified.
Microsoft – Cloud service provider
Microsoft is not responsible for archiving data contained within the GxP computerized systems hosted on
the O365 platform. However, Microsoft is responsible for implementing adequate controls to secure the
O365 platform and provide appropriate system monitoring. By protecting and monitoring the O365
platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized
systems are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
Service Level Agreements (see Section 2.5.9)
4 Conclusion
In summary, when considering the use of a public, off-premise, third-party-managed cloud service to
host GxP computerized systems, it is important to assess the adequacy of the cloud service provider’s
controls that ensure the confidentiality, integrity and availability of customer data. Defining the roles and
responsibilities shared between the regulated user and the cloud service provider is essential.
As outlined within this guidance document, Microsoft has implemented procedural and technical
controls that are relevant to the regulatory requirements stipulated within US FDA 21 CFR Part 11 and
EudraLex Volume 4 Annex 11. These controls have been independently audited and could serve to
demonstrate that the O365 platform is maintained in a state of control that is in accordance with the
applicable regulatory requirements. The assessment has shown that the audited controls are similar to
those required to satisfy the applicable regulatory requirements; therefore, the customer may leverage
these audits as part of the risk analysis and qualification effort for their GxP computerized system
configured on the O365 platform.
Of equal importance are the activities and controls which must be implemented by the customer to
ensure that GxP computerized systems are maintained in a secured and qualified state. A summary of
these activities was provided in Section 3.1.2. The customer should identify the specific activities within
a qualification plan for each GxP computerized system configured on the O365 platform. In order to
qualify the system and maintain it in a qualified state, Montrium recommends implementing
procedures/policies which cover the topics as outlined in Appendix A.
6 Appendices
Appendix A. Recommended Procedures / Policies
Appendix A - Recommended Procedures / Policies
The following topics should be covered within the customer’s internal procedures or policies to manage
the qualified state of the GxP system.
Procedure / Policy Topic: Purpose

Computer Systems Validation: Define the management of computer system validation, describing the activities, deliverables and individuals required to achieve and maintain computer systems in a validated state and in compliance with applicable GxP regulations.

Physical Security: Describe the company’s application of security measures to facilities (buildings, server rooms, laboratory and other controlled physical environments), in order to protect data and users.

Logical Security: Describe the company’s application of security measures to all information technology systems in order to protect data and users.

System Monitoring: Describe the tools used to monitor the systems to ensure consistent availability and performance.

Records Retention and Archiving: Ensure that all the company’s records are managed in conformance with applicable regulations and requirements. This should include the identification, classification and retrieval, storage and protection, receipt and transmission, retention, and disposal or archival preservation of records.

System Administration and Maintenance: Provide the company’s personnel with direction on the technical management and engineering practices to be used in the planning, acquisition, operation, maintenance, and termination of information technology systems.

User Access Management: Describe the management of computing accounts that facilitate access or changes to the company’s data. An account, at a minimum, consists of a username and password; supplying account information will usually grant access to the company’s resources. User access management also establishes clear standards for issuing accounts, creating password values, and managing accounts.

Backup and Restoration: Provide for the continuity, restoration and recovery of critical documents, all electronic records and systems in the event of an equipment failure, intentional destruction of data or disaster.

Training Management: Define an internal training program and ensure that personnel have the competencies required to access and work within the applications contained within the controlled cloud platform. Additional training needs may need to be defined for each controlled application within the cloud platform.

Documentation Management: Establish the framework under which official records and documents are created and managed. The intent is to ensure that the company’s business areas have the appropriate governance, supporting structure and resources established to enable them to manage their records and documents in a manner that is planned, controlled, monitored, recorded and audited, using authorized systems.

Incident and Problem Management (Helpdesk): Define a formal Helpdesk process to ensure that issues are raised, recorded and resolved in a formal and controlled manner.

Change / Configuration Management: Define a formal process for change management that will ensure that system changes are implemented in a controlled fashion. This procedure must also establish the framework for proposing, reviewing, and approving changes to a system. The purpose of addressing Configuration Management is to ensure that all updates to baseline items are controlled and traceable.

Vendor Management: Define a formal process to ensure that vendors are identified, assessed, selected and managed in a formal and controlled manner.

Disaster Recovery and Business Continuity: Assist in the recovery of the company’s information technology infrastructure and ensure the continued operation of identified business-critical systems in the event of a serious disruption.