3.Qualification Guideline for Microsoft Office 365

7/25/2019 3.Qualification Guideline for Microsoft Office 365

http://slidepdf.com/reader/full/3qualification-guideline-for-microsoft-office-365 1/76

Qualification Guideline

Qualification Guideline for Microsoft Global FoundationServices and Windows Azure

October 2013



Qualification Guideline for Microsoft Global

Foundation and Windows Azure Services

© 2013 Montrium Inc. of 76

Document MTM-MST-GDE-01 Revision 02

Disclaimer:

Th is document is meant as a reference to Li fe Science companies in regards to the M icr osoft Windows Azure platf orm.

Montri um does not warrant that the use of the recommendations contained herein will resul t in a qualif ied system or that a

system vali dated on Azure in accordance with th is document wil l be acceptable to regulator y author iti es.

This document is provided “as- is.” Information and views expr essed in th is document, includi ng URL and other I nternet Web

site references, may change withou t noti ce.

Limitation of Liability:

In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be

liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages,

whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in

connection with the use of this information.







Authors

Michael Zwetkow VP Operations, Montrium Inc.

Stephanie Tanguay Quality Assurance Manager, Montrium Inc.

Paul Fenton CEO, Montrium Inc.

Gabrielle Soucy Sr. Business Analyst, Montrium Inc.







Foreword

Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key

concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts

represent a fairly radical departure from normal business. By enabling cloud technologies, which

provide an ease of use and ease of implementation, with compliance, which provides the ability to work

with information in a regulatory compliant fashion, the implementing party may find the best of both

worlds.

This set of guideline whitepapers show how Microsoft is committed to cloud and compliance, spanning

Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a

relatively unique combination of technologies and commitment to compliance.

At the end of the day these are qualification guidelines and do not represent any guarantees from

Microsoft that your processes can be validated in any of the environments discussed or against any ofthe regulations or standards discussed. Yet when paired with the documentation referred to herein

along with customer evidence, these guidelines offer customers a starting point for their own

“compliance in the cloud” efforts, a starting point that may be furthered by the expertise Montrium has

demonstrated in producing these guidelines.

Mohamed Ayad, Cloud Solution Specialist

Les Jordan, Chief Technology Strategist

Health & Life Sciences Industry Unit

Microsoft







Executive Summary

The purpose of this document is to assist Microsoft’s life science customers in establishing aqualification strategy for the Azure platform (Global Foundation Services (GFS) and Windows Azure

services). This guideline identifies the responsibilities shared by Microsoft and its customers for meeting

the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR

Part 11) and EudraLex Volume 4 - Annex 11 Computerised Systems (Annex 11).

The intended audience for this guideline is any regulated customer within the life sciences industry,

aiming to use the Azure platform to host GxP regulated computerized systems. It is assumed that these

regulated systems will support GxP activities and produce and/or manage electronic records.

Traditionally GxP computerized systems have been deployed on specific servers either directly or

through the use of virtual machines. This underlying hardware was usually qualified, managed and

specifically identified as being part of a specific instance of a GxP computerized system. With cloud

computing this paradigm changes slightly. The Azure platform is composed of many hardware and

software components which all fall under the same controls that have been identified in this guideline.

Each time a new server or virtual machine is commissioned within the Azure platform, it is done using

the same process and standards. When considering public cloud based systems, it is important to view

the whole public cloud as one system upon which we are able to install and run GxP computerized

systems. This guideline will help companies achieve this by providing references to the 21 CFR Part 11

controls that are present within the Azure platform and that should be identified in customer

qualification documentation.

Microsoft’s Azure platform services have undergone SSAE 16 (SOC 1 and SOC 2) audits and are certified

according to ISO/IEC 27001:2005 standards. Although these standards do not specifically focus on

regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11.

Montrium has therefore decided to leverage the reports produced by independent third party SSAE and

ISO auditors to identify the procedural and technical controls established at Microsoft that could be

used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit

reports were generated by qualified third party auditors and that all information contained within the

reviewed audit reports was objective and accurate at the time of the audits. It is expected that

customers will perform an independent analysis and verification of relevant regulatory requirements to

determine if the computerized system supporting GxP activities installed within the Azure platform is fit

for its intended purpose. The customer must also ensure that the GxP computerized system will be

sufficiently documented and validated to further demonstrate compliance.

GFS delivers the core infrastructure and foundation technologies for Microsoft's Online Services

environment. Windows Azure is a cloud services operating system that serves as the development,

service hosting and service management environment for the Azure platform. The Azure platform is

classified as a public, off-premise, third-party managed solution which encompasses both Infrastructure

as a Service (IaaS) and Platform as a Service (PaaS) cloud service models. From the perspective of a

regulated user (customer), the Azure platform is considered to be Category 1 – Infrastructure Software







as defined by GAMP5®. The Azure platform is considered to be an “open system” per 21 CFR Part 11,

therefore additional measures, such as encryption should be employed to further secure information

stored within or transiting from the system.

Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of

data stored on the Azure platform and correspond to the applicable regulatory requirements defined in

21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is

responsible for ensuring that the Azure platform meets the terms defined within the governing Service

Level Agreements (SLA). When new virtual machines (VM) are deployed within the Azure Platform, they

are created using the default configuration established by Microsoft. Microsoft is responsible for

ensuring the deployed VM’s are capable of meeting the specifications and the terms of the SLA(s).

In addition to ensuring that computerized systems have the relevant technical controls outlined in the

assessment contained within the guideline, the customer is also responsible for ensuring adequate

procedural controls governing the use of the GxP computerized system are in place. These procedural

controls should cover the technical aspects of system management, including but not limited to logical

security, user management, data backup and recovery and disaster recovery. There should also be

procedural controls relating to the operation of the GxP computerized system. The customer should

determine the GxP requirements that apply to the computerized system based on its intended use and

follow internal procedures governing qualification and/or validation processes to demonstrate that the

GxP requirements are met.

In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural

and technical controls that Microsoft has implemented could serve to demonstrate that the Azure

platform is being maintained in a state of control that is in accordance with the applicable regulatoryrequirements. Moreover, the customer may leverage the audited controls described in this document

and related audit reports as part of the risk analysis and qualification effort of their GxP computerized

system installed on the Azure platform.







Table of Contents

Authors .......................................................................................................................................................... 3

Foreword ....................................................................................................................................................... 4

Executive Summary ....................................................................................................................................... 5

Table of Contents .......................................................................................................................................... 7

1 Introduction .......................................................................................................................................... 8

1.1 Purpose ......................................................................................................................................... 8

1.2 Key Definitions .............................................................................................................................. 8

1.3 Audience and Scope ...................................................................................................................... 9

1.4 Methodology ................................................................................................................................. 9

1.5 Glossary ....................................................................................................................................... 11

2 System Overview................................................................................................................................. 14

2.1 Global Foundation Services......................................................................................................... 14

2.2 Windows Azure ........................................................................................................................... 14

2.3 System Classification ................................................................................................................... 14

2.4 Microsoft Audits and Certifications ............................................................................................ 17

2.5 Microsoft Controls ...................................................................................................................... 18

3 Qualification Approach ....................................................................................................................... 25

3.1 Qualification Activities and Responsibilities ............................................................................... 26

3.2 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment ..... 28

3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment ....................... 42

4 Conclusion ........................................................................................................................................... 72

5 References .......................................................................................................................................... 73

6 Appendices .......................................................................................................................................... 74Appendix A. Recommended Procedures / Policies ............................................................................. 74







1 Introduction

1.1

Purpose

The purpose of this document is to assist Microsoft’s life science customers in establishing a

qualification strategy for the Azure platform (Global Foundation Services (GFS) and Windows

Azure services). The guidance provided within this document is based on the assumption that

Microsoft’s customers will utilize these services to host GxP computerized systems.

This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the

regulations specified within Section 1.2. A summary is provided of the procedural and technical

controls which govern the Azure platform services and that can be leveraged by the regulated

user (customer) to demonstrate compliance with applicable regulatory requirements. Also

summarized within this guideline, are recommended activities and controls that should be

established by customers in order qualify and maintain control over the GxP computerizedsystems installed on the Azure platform.

The qualification approach outlined within this guideline is based on industry best practices with

an emphasis on the concepts presented and described within ISPE’s GAMP® series of Good

Practice Guides (Ref. [7]) and PIC/S PI 011-3 Good Practices for Computerised Systems in

Regulated ‘GxP’ Environments (Ref. [20]).

1.2

Key Definitions

1.2.1

GxP computerized system

A GxP computerized system is defined as a software application that will support activities and

records governed by regulations pertaining to GLP, GCP and GMP environments.

1.2.2

Customer

Within the context of this guideline, the customer is defined as any person or persons using a

GxP computerized system hosted on the Azure platform, who are responsible for the content of

the electronic records produced and/or managed within the GxP computerized system.

1.2.3

Customer Data on Storage

As per the Windows Azure Privacy Statement (Ref. [23]), “Customer Data is all the data,

including all text, sound, software or image files that you provide, or are provided on your

behalf, to us through your use of the Services.” For example, Customer Data on Storage includes

data that customers upload for storage or processing in the Azure platform services, and

applications that customer or customer’s end users upload for hosting in the Services. Customer

Data on Storage does not include configuration or technical settings and information. Microsoft

does not monitor or approve the applications that customers deploy to the Azure platform.

Microsoft does not claim ownership of the Data on Storage. Microsoft’s Windows Azure

Agreement states “Except for Software we license to you, as between the parties, you retain all

right, title and interest in and to Customer Data. We acquire no rights in Customer Data, other







than the right to host Customer Data on Microsoft systems, including the right to use and

reproduce Customer Data within Microsoft systems solely for such hosting purposes.” Data

security beyond the access controls mechanisms, including but not limited to fine-grain accesscontrols or encryption, is the responsibility of the customer.

1.3

Audience and Scope

The intended audience for this guideline is any regulated customer within the life sciences

industry, aiming to use the Azure platform services to host GxP regulated computerized systems.

It is assumed that these regulated systems will support GxP activities and produce and/or manage

electronic records. The specific GxP activities performed within the customer’s GxP computerized

systems are not addressed in this guidance document, as the customer is responsible for defining

the requirements and evaluating the risk associated with each GxP computerized system installed

within the Azure platform.

The regulations within the scope of this qualification guidance document are limited to the

following:

FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10

and Sec 11.30) (Ref. [5])1

EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [8])2

The Azure platform components which are within scope of this guideline are:

Cloud Services (comprised of stateless Web, Worker and VM roles)

Storage (includes Blobs, Queues, and Tables)

Networking (includes Traffic Manager, Windows Azure Connect) Virtual Network

Virtual Machines

This guideline also covers the underlying infrastructure components provided by the Global

Foundation Services group upon which the Azure platform is delivered to Microsoft customers.

1.4

Methodology

Microsoft’s Azure platform services have undergone SSAE 16 Service Organization Control (SOC)

audits and are also certified according to ISO/IEC 27001:2005 standards (see Section 2.4).

Montrium has leveraged the reports produced by independent third party auditors to identify

1 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not

provide electronic signature functionality as part of the above services.

2 Although Eudralex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that

the same principals in the most part are applicable to GCP and GLP systems.







procedural and technical controls established at Microsoft which could be used to satisfy

regulatory requirements within US FDA 21 CFR Part 11 (Ref. [5]) and EudraLex Volume 4 - Annex

11 (Ref. [8]). These controls are described in detail in Section 2.5. Montrium based the analysis onthe ISO and SSAE 16 standards as they have similar objectives to 21 CFR Part 11 and EudraLex

Volume 4 - Annex 11 in relation to controls for computerized systems.

The qualification approach summarizes the activities and responsibilities shared between the

regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against

the relevant regulatory requirements. A detailed assessment (see Section 3.2 and 3.3) was

performed on each regulatory requirement to interpret how compliance could be achieved within

the context of a hosted GxP computerized system installed on the Azure platform. The

assessment described the responsibilities of the customer and Microsoft, as well as the activities,

documentation and controls (technical/procedural) that are required to meet the regulatory

requirement.

The contents of this document are based on these assumptions:

Audit reports listed in Section 2.4 were generated by qualified third party auditors.

All information contained within the reviewed audit reports was objective and accurate at

the time of the audits.

Customers will perform an independent analysis and verification of related regulatory

requirements to determine if the computerized system(s) supporting GxP activities installed

within the Azure platform is fit for its intended purpose.

The GxP computerized system will be sufficiently documented and validated by the

customer to demonstrate compliance with all applicable regulations.







1.5 Glossary

Term Definition AICPA American Institute of Certified Public Accountants

CFR Code of Federal Regulations

Closed System An environment in which system access is controlled by persons who are

responsible for the content of electronic records that are on the system.3

Cloud

Infrastructure as a

Service (IaaS).

The capability provided to the consumer is to provision processing, storage,

networks, and other fundamental computing resources where the consumer is

able to deploy and run arbitrary software, which can include operating systems

and applications. The consumer does not manage or control the underlying cloud

infrastructure but has control over operating systems, storage, deployed

applications, and possibly limited control of select networking components (e.g.,

host firewalls).4

Cloud Platform as

a Service (PaaS)

The capability provided to the consumer is to deploy onto the cloud infrastructure

consumer-created or acquired applications created using programming languages

and tools supported by the provider. The consumer does not manage or control

the underlying cloud infrastructure including network, servers, operating systems,

or storage, but has control over the deployed applications and possibly application

hosting environment configurations.4

Computerized

System

Includes hardware, software, peripheral devices, personnel, and documentation;

e.g., manuals and Standard Operating Procedures.5

Customer Windows Azure user using the platform for GxP regulated activities.

CV Curriculum Vitae

Electronic Record Any combination of text, graphics, data, audio, pictorial, or other information

representation in digital form that is created, modified, maintained, archived,

retrieved, or distributed by a computer system.3

FDA United States Food and Drug Administration

GAMP Good Automated Manufacturing Practice

GFS Global Foundation Services

GCP Good Clinical Practice

3 FDA 21 CFR Part 11 (Ref. [4]).

4 NIST Cloud Computing Standards Roadmap (Ref. [9])

5 FDA, Glossary of Computer Systems Software Development Terminology (8/95)







Term Definition

GLP Good Laboratory PracticeGMP Good Manufacturing Practice

GxP Compliance requirements for all good practice disciplines in the regulated

pharmaceutical sector supply chain from discovery to post marketing.6

IaaS Infrastructure as a Service

ICFR Internal Control over Financial Reporting

IEC International Electrotechnical Commission

ISO International Organization for Standardization

ISPE International Society of Pharmaceutical Engineers

IT Information Technology

NDA Non-Disclosure Agreement

NIST National Institute of Standards and Technology

Open System An environment in which system access is not controlled by persons who are

responsible for the content of electronic records that are on the system.3

O/S Operating System

PaaS Platform as a Service

PIC/S Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme

Procedure The term “procedure” within the context of this document refers to any approved

and effective controlled document governing specific processes (i.e. Policy, SOP,

Standard, Guide, Work Instruction).

SAS Statement on Auditing Standards

SDLC Software Development Lifecycle

SLA Service Level Agreement

SMAPI System Management Application Program Interface

SOC Service Organization Controls

6 PIC/S (Ref. [20])







Term Definition

SOP Standard Operating Procedure

SSAE Statement on Standards for Attestation Engagements

SSL Secure Sockets Layer

STB Microsoft Server and Tools Business

TSP Trust Services Principles

VM Virtual Machine

VPN Virtual Private Network







2 System Overview

2.1

Global Foundation Services

Global Foundation Services delivers the core infrastructure and foundation technologies for

Microsoft's Online Services environment. As described within the GFS SOC 2 report (Ref. [2]), the

GFS operational infrastructure services include the following:

Engineering and operations for core infrastructure (networking, directory services, access

services, data retention and backup, hardware and software procurement, physical and

environmental controls);

Deployment, hosting and data center services;

Service support, monitoring and escalation;

Information security management and compliance monitoring.

2.2 Windows Azure

Windows Azure is a cloud services operating system that serves as the development, service

hosting and service management environment for the Azure platform. Windows Azure provides

developers with on-demand compute and storage to host, scale, and manage web applications on

the Internet through Microsoft data centers.

The Windows Azure team is part of the Microsoft Server and Tools Business (STB) group, which

maintains the Azure platform. The Microsoft Global Foundation Services group administers the

physical infrastructure on which the Azure platform runs and data is stored. Customers provide

and manage the GxP computerized systems and data that are deployed on the Azure platform.

2.3

System Classification

2.3.1

Cloud Service Model

The Azure platform is classified as a public, off-premise, third-party managed solution which

encompasses both IaaS and PaaS cloud service models (see NIST definition in Section ). IaaS is

the foundation of all cloud services, with PaaS being built upon the IaaS layer. The IaaS service

model includes the infrastructure resources from the facilities to the hardware platforms and

virtual machines that reside in them. The PaaS service model adds an additional layer of

integration with application development frameworks, middleware capabilities and functions

such as database, messaging and queuing. The PaaS services allow developers to build and

deploy applications on the platform with programming languages and tools that are supportedby the resource stack.







The Figure 1 depicts which party (Microsoft or Customer) is responsible for managing the

various components of the platforms based on both cloud service models.

Figure 1 – Cloud Service Models (based on Ref. [22])

2.3.2

GAMP5® Category

From the perspective of a regulated user (customer), the Azure platform is considered to be

Category 1 – Infrastructure Software as defined in GAMP5® (Ref. [6]). Infrastructure Software

refers to components linked together within a unified environment allowing the installation and

management of applications and services. This category contains two types of software;

Established or commercially available layered software (e.g. operating systems, database

managers, programming languages, etc.) and Infrastructure software tools (e.g. network

monitoring software, batch job scheduling tools, security software, anti-virus and configuration

management tools).







Component GAMP5® Category

Global Foundation Services Category 1 – Infrastructure Software Tools

-

The installation/configuration of these should be verified,

with the environment falling under the control of the

company’s Change Control and/or Configuration

Management processes.

Windows Azure Category 1 – Commercially Available Layered Software

-

Typically no detailed functional testing will be performed

for components of this category, as the proper functioning

of the software will be inherently verified when theapplication(s) which are installed on it are tested.

-

This software needs to fall under the control of the

company’s internal processes for the management of

information technology systems.

2.3.3

FDA Classification

While Microsoft is not directly responsible for the electronic records contained within the Azure

platform, it is responsible for maintaining the Azure platform. In addition, Microsoft configures

the Azure platform infrastructure and establishes access control requirements for logical and

physical security. The Azure platform is therefore considered to be “open” (refer to definition in

Section ). The FDA requires open systems to meet additional requirements, such as encryption,

as defined in 21 CFR Part 11.30 (Ref. [5]). The customer should evaluate any GxP computerized

system deployed on the Azure platform should to determine whether it should be considered an

open or closed system per 21 CFR Part 11 and whether additional controls / procedures need to

be implemented as a result of the evaluation.







2.4 Microsoft Audits and Certifications

The following table lists the formal audit reports prepared by third parties which were reviewed

by Montrium in order to identify relevant controls which have a potential impact on compliance

with the 21 CFR Part 11 (Ref. [5]) and Annex 11 (Ref. [8]) regulations. Existing Microsoft customers

may request access to these reports subject to NDA terms and conditions, through their

respective Microsoft account representatives.

Audited Service Audit Type Date Reference No.

GFS & Windows Azure

SOC 1 Type II

May 03, 2012 Ref. [1]

GFS

SOC 2 Type II

April 18, 2012 Ref. [2]

Windows Azure

ISO/IEC 27001:2005

November 14, 2011 Ref. [3]

2.4.1

ISO/IEC 27001:2005 Certification

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,

monitoring, reviewing, maintaining and improving a documented Information Security

Management System within the context of the organization's overall business risks. It specifies

requirements for the implementation of security controls customized to the needs of individual

organizations or parts thereof.

Windows Azure core services (Compute, Storage, Virtual Network and Virtual Machines) are

ISO/IEC 27001:2005 certified.

Included in the above are Windows Azure service management features and the Windows AzureManagement Portal, as well as the information management systems used to monitor, operate,

and update these services.

ISO/IEC 27001:2005 certifications for Windows Azure and Global Foundation Services can be

found by clicking on the following links:

Azure ISO/IEC 27001:2005 certificate

GFS ISO/IEC 27001:2005 certificate

2.4.2

SOC Service Audit Reports

Service Organization Controls (SOC) reports are designed by the American Institute of Certified

Public Accountants (AICPA) to help service organizations that operate information systems andprovide information system services to other entities, build trust and confidence in their service

delivery processes and controls through a report by an independent Certified Public Accountant.

SOC 1 Service Auditor’s Reports are conducted in accordance with the professional standard

known as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are

geared towards reporting on controls at service organizations that are relevant to internal

control over financial reporting (ICFR), and replace the SAS 70 auditing standard.

http://www.bsigroup.com/en-GB/our-services/certification/certificate-and-client-directory/search-results/?searchkey=standard%3dISO/IEC+27001%26company%3dmicrosoft&page=1&licencenumber=IS%20577753


http://www.bsigroup.com/en-GB/our-services/certification/certificate-and-client-directory/search-results/?searchkey=standard%3dISO%252fIEC%2b27001%26company%3dmicrosoft&licencenumber=IS%20587621










The Azure platform has been audited by independent third party auditors to generate a SOC 1

Service Auditor’s Report which examined the following Windows Azure features:

Cloud Services (formerly Compute; comprised of stateless Web, Worker and VM roles)

Storage (includes Blobs, Queues, and Tables)

Networking (include Traffic Manager, Connect and Virtual Network)

SOC 2 Service Auditor’s Reports are also conducted in accordance with the professional

standard of SSAE 16. SOC2 reports are intended to meet the needs of a broad range of users

that need to understand internal control at a service organization as it relates to security,

availability, processing integrity, confidentiality and privacy and are intended for use by

stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service

organization that have a thorough understanding of the service organization and its internal

controls.The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles

(TSP) which are composed of the following five (5) sections:

The security of a service organization' system;

The availability of a service organization's system;

The processing integrity of a service organization's system;

The confidentiality of the information that the service organization's system processes

or maintains for user entities;

The privacy of personal information that the service organization collects, uses, retains,

discloses, and disposes of for user entities.

The GFS services group has also undergone a SOC 2 audit, to examine the suitability of the

design and operating effectiveness of controls to meet the criteria for the security principle set

forth in TSP section 100, Trust Services Principles and Criteria for Security, Availability,

Processing Integrity, Confidentiality, and Privacy (Ref. [12]).

2.5

Microsoft Controls

This section describes the audited controls implemented by Microsoft which serve to ensure

confidentiality, integrity and availability of data stored on the Azure platform. These controls are

also referenced within the compliance assessment sections (see Section 3.2 and 3.3), where they

respond to applicable regulatory requirements.

2.5.1

Security Policies and Procedures

Microsoft has implemented a Security Policy which applies to Microsoft Server Tools Business

properties, products, and services, including Windows Azure. The Security Organization control

objective within the SOC 1 audit reported that the information security policies are

implemented and communicated to the applicable employees.







The SOC 2 audit reported that the security policies are established, periodically reviewed and

approved by a designated individual or group.

2.5.2

Physical and Environmental Security

Microsoft has been audited to verify that proper physical security controls are established to

protect the physical assets forming the foundation of the Azure platform. The SOC 1 audit

reported that policies and procedures provide reasonable assurance that systems and data are

protected against unauthorized physical access and environmental threats.

The following activities/controls were audited in relation to physical security:

Data Center Services;

Physical Security (Access);

Access Controls (Technological/Biometric);

Data Center Security Personnel;

Security Surveillance;

Emergency Power, Facility and Environmental Protection.

The GFS SOC 2 audit reported that the GFS services group has implemented procedures to

restrict physical access to the infrastructure elements including, but not limited to:

Facilities;

Backup media;

Firewalls;

Routers;

Servers.

The ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking and

monitoring physical infrastructures and services, as well as a documented methodology for

determining the asset security level.

2.5.3

Logical Security

The SOC 1 audit reported that Microsoft has implemented several logical security controls to

provide reasonable assurance that logical access to the Windows Azure production

infrastructure and systems is restricted to authorized personnel.

The following activities/controls were audited in relation to logical security:

User Account Management;

Server / Device Remote Access.

The GFS SOC2 audit reported that the GFS services group has implemented procedures to

restrict logical access to the system including, but not limited to, the following measures:

a.

Logical access security measures to restrict access to information resources not deemed

to be public;







b.

Identification and authentication of users;

c.

Registration and authorization of new users;

d.

The process to make changes and updates to user profiles;e.

Distribution of output restricted to authorized users;

f.

Restriction of access to offline storage, backup data, systems and media;

g.

Restriction of access to system configurations, super-user functionality, master

passwords, power utilities and security devices (for example, firewalls).

The ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking and

monitoring logical assets, as well as determining the associated asset security level following a

documented methodology.

2.5.4

System Monitoring and Maintenance

The SOC 1 audit reported that proper controls are established to provide reasonable assurancethat the Azure platform is monitored for known security vulnerabilities and potential

unauthorized activity. An automated logging and alerting system is used for detecting

unauthorized activity and security events.

The following activities/controls were audited in relation to system monitoring and

maintenance:

Logging and Monitoring;

Patching.

The GFS SOC 2 audit reported that proper controls are established to monitor the GFS

infrastructure components and proper actions are taken to maintain compliance within itsdefined system security policies. Automated tools are used to monitor the security controls on a

regular basis. The GFS group monitors, logs, reports and takes appropriate action to resolve

events involving critical/suspicious activities.

The ISO/IEC 27001:2005 audit reported that procedural controls are in place for logging and

monitoring of individual components of Windows Azure, patch management, and related

change management. Procedural controls are in place for security incident management. These

controls define roles and responsibilities, resolution methodology, and communication

requirements based on criticality. Performance related to the resolution of security incidents is

tracked, monitored and reported.

2.5.5

Data Backup, Recovery and Retention

The SOC 1 audit reported that Microsoft has implemented processes which manage the backup

of critical Windows Azure components and data, including customer subscriptions, hosted

services, certificates and deployments.

The GFS SOC 2 audit reported that the GFS Data Protection Services group which manages the

secure backup system infrastructure provides secure backup retention and restoration of data in







the Microsoft Online Services environment. The audit also reported that the recovery and

backup process is tested on an annual basis

The ISO/IEC 27001:2005 audit reported that backup of key platform components are performed

on a regular basis and stored in fault tolerant (isolated) facilities. The report also verified that

controls are in place to test backup and recovery and ensure backup related incidents are

documented following procedural documents. A retention period is defined.

Data retention policies and procedures are defined and maintained in accordance to regulatory,

statutory, contractual or business requirements. The Windows Azure backup and redundancy

program undergoes an annual review and validation. Windows Azure backs up infrastructure

data regularly and validates restoration of data periodically for disaster recovery purposes (Ref.

[14]).

2.5.6

Confidentiality

The SOC 1 audit reported that Microsoft provides reasonable assurance that customer secrets

(such as storage account keys) are protected while in transit and at rest within the Azure

platform using cryptographic controls. The audit also verified that customer secrets are

managed in accordance with customer agreements.

The GFS SOC 2 audit reported that encryption or other equivalent security techniques are used

to protect user authentication information and the corresponding session transmitted over the

internet or other public networks.

The ISO/IEC 27001:2005 audit reported that procedures and mechanisms are established for

effective key management to support encryption of data in storage and in transmission for thekey components of the Windows Azure service.

2.5.7

Software Development / Change Management

The SOC 1 audit reported that a formal SDLC process exists, which governs the development of

new features or major changes to the Azure platform. The SOC 1 audit also reported that the

changes performed to the Azure platform are documented, authorized and tested. The Azure

services group uses four physically and logically isolated environments for software

development, integration testing, pre-production and production.

The GFS SOC 2 audit of the GFS services verified adequate IT change management controls are

established surrounding the following topics:

Service Infrastructure and Support Systems Change Management;

Secure Configuration – Imaging;

Network Change Management;

Network Patch Management.







The ISO/IEC 27001:2005 audit reported that a procedural document covering change

management is in place, in which the methodology for change and release management is

defined.

2.5.8

Incident Management

The SOC 1 audit reported that adequate procedures are established governing how incidents

within the production environment are documented and resolved in a timely manner. The

procedures are part of an incident management framework that includes defined process roles,

responsibilities, and communications for managing the detection, escalation and response to

incidents.

The GFS SOC 2 audit reported that procedures exist to identify, report, and act upon system

security breaches and other incidents. The Security Incident Management team ensures the

Security Response procedures are tested annually.

The ISO/IEC 27001:2005 audit reported that procedural controls are in place for security

incident management and define roles and responsibility, resolution methodology, and

communication requirements based on criticality. Performance related to security incidents is

tracked, monitored and reported. Backup and recovery related incidents are managed following

procedural documents.

2.5.9

Service Level Agreements

Microsoft provides Service Level Agreements (SLA) related Azure platform services, which may

be downloaded from the Windows Azure website. The following table is an excerpt the SLA for

Cloud Services, Virtual Machines (VM) and Virtual Network:

Cloud Services, Virtual Machines and Virtual Network SLA

For Cloud Services, we guarantee that when you deploy two or more role instances in

different fault and upgrade domains, your Internet facing roles will have external

connectivity at least 99.95% of the time.

For all Internet facing Virtual Machines that have two or more instances deployed in the

same Availability Set, we guarantee you will have external connectivity at least 99.95% of

the time.

For Virtual Network, we guarantee a 99.9% Virtual Network Gateway availability.

2.5.10

Risk Assessment

The SOC 1 audit reported that Microsoft is accountable for the management of short and long

term corporate risks. Risk management for information security is incorporated into Microsoft’s

Information Security Program (ISP), which consists of policies and processes that provide a

http://www.windowsazure.com/en-us/support/legal/sla/










framework to assess risks to the Azure environment, develop mitigation strategies and

implement security controls.

The ISO/IEC 27001:2005 audit reported that Microsoft effectively follows a risk based

methodology for the management of the Azure platform. Impacts of the risks to assets are

qualitatively assessed based on vulnerability, likelihood, current and planned controls.

Recommended controls are applied based on risk classification and mitigation plans are

established to reduce the risk level to an acceptable limit. Management reviews and approves

residual risks.

2.5.11

Documentation / Asset Management

The procedure governing software development was audited against a control objective which

stipulates that the development of new features or major changes must be documented. In

addition, Microsoft has confirmed to Montrium that a Document and Records Managementprocedure governing protection and retention of documentation is in force. Microsoft has also

indicated to Montrium that the baseline configuration of Windows Azure components is

documented, managed, maintained and controlled for access via access control mechanisms.

Additionally, this configuration is performed according to the Asset management guidelines.

The ISO/IEC 27001:2005 audit reported that an Asset Management procedure is in place, which

provides guidelines for ensuring assets are properly managed. Microsoft defines an asset as

something that supports the delivery of the Windows Azure Service including, source code,

design documents, contracts and agreements, system documentation, standard operating

procedures, business continuity plans, configuration files, etc.

2.5.12

Training Management

The SOC 1 audit reported that employee, contractor and third party’s roles and responsibilities

with regards to information security are defined in a related policy and that training and

awareness is provided on an ongoing basis. The definitions of roles and responsibilities for the

different functions with regards to information security have been established and are

documented. Information security training is provided through different channels on a periodic

basis. Training material was found to cover security policy requirements and training records

were maintained and up-to-date.

The GFS SOC 2 audit reported security policies concerning information security and business

conduct were implemented. Training is mandatory for all employees on these policies.Procedures and standards cover policy training and training requirements. Training is

documented and compliance with training requirements is monitored.

The ISO/IEC 27001:2005 audit reported that training pertaining to security, compliance, and

Microsoft Security Development Lifecycle was mandatory. This audit reported evidence of the

involvement and commitment of management towards achieving full compliance with this

requirement.







2.5.13

Disaster Recovery

The GFS SOC 2 audit reported processes for backing up critical components and data and

credentials are defined and tested on an annual basis. Backup frequency and retention period is

based on the type of data. Data centers used for backup are in a different geographical location

than the primary data center.

The ISO/IEC 27001:2005 audit reported that business continuity management and planning are

controlled in related procedural documents. Periodic mock failure and recovery exercises are

conducted, as reported in both the SOC 1 and ISO/IEC 27001:2005 audits. The audit also

reported that security controls are in place and recovery and backup related incidents are

documented following procedural documents.

2.5.14

Vendor Management

The ISO/IEC 27001:2005 audit provides evidence that Microsoft operates in a way that supports

adequate vendor management. Statement of Work, Service Level Agreement, regular Key

Performance Indicators reporting, Non-Disclosure Agreement, and Privacy and Data center

security controls were found to be in place and effective in an applicable instance of a vendor.







3 Qualification Approach

Qualification is defined as “a process of demonstrating the ability of an entity to fulfill specified

requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components

such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms

regardless of whether they are specific or of a generic nature.”7

Validation consists of demonstrating, with objective evidence, that a system meets the requirements of

the users and their processes. As such, validation is performed by the regulated users (customer) of the

GxP computerized systems that reside on the Azure platform, whereas the platform must be qualified in

order to maintain a documented account of the specification and adequacy of the infrastructure.

Additional information for GxP computerized system validation can be found within the following

guidance documents:

PIC / S - Good Practices for Computerised Systems in Regulated “GxP” Environments (Ref. [20]); GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems (Ref. [6]).

In the context of a public IaaS and PaaS cloud service model, the customer does not typically have

control over the underlying infrastructure hardware and software components. The cloud service

provider is responsible for managing and maintaining these components and ensuring that they meet

the terms defined within the governing Service Level Agreement(s).

Figure 2 – Qualification of Infrastructure vs. Validation of Applications

7 ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])

Applications

InfrastructureSoftware & Tools

Network Components

Infrastructure Hardware

Data Center Facilities

Validation

Qualification







According to industry best practices as proposed within the GAMP Good Practice Guide: IT

Infrastructure Control and Compliance7, in order for an IT infrastructure platform to be considered

qualified and compliant, the following critical aspects need to be considered:

Installation and operational qualification of infrastructure components;

Configuration management and change control of infrastructure components;

Management of risks to IT Infrastructure;

Involvement of service providers in critical infrastructure processes;

Security management in relation to access controls, availability of services and data integrity;

Data Backup, Restore, Disaster Recovery, Archiving.

Microsoft has implemented controls (see Section 2.5) which encompass these critical aspects of

compliance.

3.1

Qualification Activities and ResponsibilitiesBy utilizing the Azure platform, the customer is effectively outsourcing the management and

operations of their IT infrastructure to Microsoft. However, it is important to note that, “the

regulated company remains responsible for the regulatory compliance of their IT operations

regardless of whether they choose to outsource/offshore some or all of their IT Infrastructure

processes to external service provider(s). Compliance oversight and approvals cannot be

delegated to the outsource partner.”8

A summary of the Customer’s and Microsoft’s responsibilities, as they relate to the qualification

and validation activities is provided below. A detailed description of each party’s responsibilities,

as they relate to the applicable regulatory requirements, is provided in Section 3.2 (21 CFR Part

11) and Section 3.3 (Annex 11).

3.1.1

Summary of Microsoft Responsibilities

Microsoft is responsible for ensuring that Windows Azure meets the terms defined within the

governing Service Level Agreements (see Section 2.5.9). When new virtual machines are

deployed within the Azure Platform, they are created using the default configuration established

by Microsoft. Microsoft is responsible for ensuring the deployed VM’s are capable of meeting

the specifications and the terms of the SLA(s).

8 ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])







The Azure platform must be managed in a controlled and secured manner, so as to provide the

following key elements:

Confidentiality - ensuring that information is accessible only to those authorized to have

access;

Integrity - safeguarding the accuracy and completeness of information and processing

methods;

Availability - ensuring that authorized users have access to information and associated

assets when required.

The controls identified in Section 2.5 are implemented, managed and maintained by Microsoft

to ensure that the above key requirements can be met.

3.1.2

Summary of Customer Responsibilities

The customer is responsible for performing the following activities for each GxP computerized

system requiring qualification and validation within the Azure platform:

1)

Develop or identify procedural controls governing the use of the GxP computerized

system. These procedural controls should cover the topics as described in Appendix A,

as well as any other controlled processes which are impacted by the GxP computerized

system including the following:

a.

Procedural controls for use of Microsoft IDs and passwords;

b.

Procedural controls for account access to Virtual Machines applications;

c.

Procedural controls for compliance management with applicable laws and

regulations;d.

Planning and implementation of customer data encryption requirements ;

e.

Securing Windows Azure SMAPI access certificates;

f.

Data access method (public or signed access) for data contained with the Azure

Platform;

g.

Procedural controls to determine the configuration of Virtual Machines

deployed within Windows Azure;

h.

Procedural controls for data backup upon Windows Azure subscription

termination;

i.

Procedural controls for protection of secrets associated with accounts;

j.

Procedural controls for application software development using a SecurityDevelopment Lifecycle on Windows Azure;

k.

Procedural controls for quality assurance of applications before moving to

Windows Azure;

l.

Procedural controls for security monitoring for applications developed on

Windows Azure;







m.

Procedural controls for assessing public Windows Azure security and patch

updates;

n.

Procedural controls for patch application when not subscribed to auto-upgrade;

o.

Procedural controls for incident and alert reporting to Microsoft when those are

specific to customer systems and Windows Azure;

p.

Support Windows Azure team when responding to incidents by providing

appropriate and timely information;

2)

Determine the GxP requirements that apply to the VM based on its intended use;

3)

Follow internal procedures governing Qualification and/or Validation processes,

expected deliverables would include but are not limited to:

a.

Qualification / Validation plan describing the activities, responsibilities and

deliverables to be produced for each GxP computerized system installed withinthe Azure platform;

b.

Specification documentation describing the GxP computerized system’s

requirements, functionality and intended use;

c.

Risk Assessments covering both the decision to install the GxP computerized

system within the Azure platform, and a functional risk assessment of the GxP

computerized system. The assessments should include mitigation actions

required to address identified risks;

d.

Adaptation and verification of VM configuration to meet the specific resource

requirements of the GxP computerized system which will be installed on theVM;

e.

Verification documentation providing evidence that the GxP computerized

system meets its intended use as defined within relevant specification

documents;

4)

Maintain and operate the GxP computerized system in a secure and controlled manner

according to internally developed procedures as defined in point 1) above.

3.2

US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment

The following table outlines the assessment that was performed on each regulatory requirement

of US FDA 21 CFR Part 11 which were identified as in scope in Section 1.2 of this document. Theprimary objective of the assessment is to identify the procedural and technical controls that are

required to satisfy the different regulatory requirements.

In conjunction with the responsibilities identified in Section 3.1, we further identify which controls

fall within the responsibility of Microsoft versus the controls that are considered the responsibility

of the customer when using the Azure platform for regulated GxP computerized systems.







11.10(b)

11.10 (b)

The ability to generate accurate and complete copies of records in both human readable and electronic

form suitable for inspection, review, and copying by the agency. Persons should contact the agency if

there are any questions regarding the ability of the agency to perform such review and copying of the

electronic records.

Customer – Regulated User

The customer is responsible for implementing adequate controls to secure the GxP computerized systems

which contain electronic records and provide appropriate system monitoring. These controls should

ensure that the electronic records which are stored within the GxP computerized systems on the Azure

platform are protected to prevent corruption or loss of information. The customer is also responsible for

ensuring that GxP computerized systems installed on the Azure platform are capable of generating

accurate and complete copies of records in both human readable and electronic form suitable for

inspection, review, and copying by the agency.

Description of activities, documentation and controls:

Establish Procedure(s) to govern the protection of records to ensure accurate and complete copies

are readily available including:

o

Documentation Management – to define who is responsible for managing documentation

within the organization;

o

Records Retention and Archiving – to ensure adequate record retention policies and

archive management processes are in place;

o

Backup and Restoration – to ensure proper protection of records through backup

mechanisms with regular restoration tests;

o

Disaster recovery – to ensure that electronic records can be retrieved properly in the

event of a disaster and that this retrieval is tested periodically;

o

System Monitoring – to ensure consistent availability and performance of GxP

computerized system;

Verify accurate and complete copies of electronic records can be retrieved from the GxP

computerized systems;

Verify that data transfer from GxP computerized systems which store electronic records on the

Azure Platform does not impact data integrity;

Ensure that record retention procedures establish long term archiving controls so that electronic

records can be retrieved throughout the required retention period from the Azure platform (or

until they are moved to another long term archiving environment outside of the Azure platform).







11.10 (b)

The ability to generate accurate and complete copies of records in both human readable and electronic

form suitable for inspection, review, and copying by the agency. Persons should contact the agency ifthere are any questions regarding the ability of the agency to perform such review and copying of the

electronic records.

Microsoft – Cloud service provider

Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide

appropriate system monitoring. By protecting and monitoring the Azure platform, these controls help to

satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are

continually available.

Microsoft meets these requirements through the following controls:

Security Policies and Procedures (see Section 2.5.1)

Physical Security (see Section 2.5.2)

Logical Security (see Section 2.5.3)

System Monitoring and Maintenance (see Section 2.5.4)







11.10(c)

11.10 (c)

Protection of records to enable their accurate and ready retrieval throughout the records retention

period.


The customer is responsible for ensuring that appropriate controls are established to protect records

pertaining to GxP activities performed within GxP computerized systems which are deployed on the Azure

platform and to ensure the records are readily available throughout their retention period.


Establish procedure(s) that govern the following topics:

o

Logical security - describing the security controls which are required in order to prevent

unauthorized access to the application;

o

Records Retention and Archiving – to ensure adequate record retention policies and

archive management processes are in place;

o

Backup and Restoration – to ensure proper protection of records through backup

mechanisms with regular restoration tests;

o


computerized system;

Data repatriation plans are established and tested in the case of contract termination with

Microsoft for Azure services.


Microsoft is responsible for implementing adequate controls to secure the Azure platform, provideappropriate system backup and data retention policies. Data backup and retention policies/procedures are

defined and maintained in accordance to regulatory, statutory, contractual or business requirements.

These controls help to satisfy the above regulatory requirement, such that Microsoft backs up Windows

Azure infrastructure data regularly and validates restoration of data periodically for disaster recovery

purposes.






Data Backup, Recovery and Retention (see Section 2.5.5)







11.10(d)

11.10 (d)

Limiting system access to authorized individuals.


The customer is responsible for ensuring that an individual must have a valid user account in order to

access both the Azure platform and any relevant GxP computerized system. Within the Azure platform and

GxP computerized system, user permissions must be managed by the System Administrator to specify

what areas of the computerized system are accessible to authorized users.


Windows Azure customers register for the service by creating a subscription through the Windows

Azure Portal web site. Customers manage applications and storage through their subscription

using the Windows Azure management portal;

Ensure proper procedures are established to govern logical and physical security over the terminaldevices (e.g. workstations, laptops, etc.) used to access the Azure platform. The procedure should

clearly describe how access to the system is managed, as well as how user system access is

documented;

Appropriate System Administration practices are followed for GxP computerized systems installed

on the Azure platform based on predefined system administration procedures.


Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure

platform is restricted to authorized individuals.

Microsoft meets these requirements through the following controls: Security Policies and Procedures (see Section 2.5.1)









11.10(e)

11.10 (e)

Use of secure, computer-generated time-stamped audit trails to independently record the date and time

of operator entries and actions that create, modify, or delete electronic records. Record changes shall

not obscure previously recorded information. Such audit trail documentation shall be retained for a

period at least as long as that required for the subject electronic records and shall be available for

agency review and copying.


The GxP computerized system installed on the Azure platform should have an auditing feature which

captures an audit trail of actions performed on electronic records.


The audit trail feature of the GxP Computerized System deployed on the Azure platform should:

o

Record the information required for audit trails as defined in 21 CFR Part 11.10(e);o

Store read-only audit trail entries in a secure database and ensure the audit trail remains

linked to its respective record throughout its retention period;

o

Ensure that Audit trail information can be accessed and exported from the GxP

Computerized System as human readable records;

Procedure(s) are established governing the following activities:

o

Record retention and archiving - should define how audit trails will be protected

throughout their corresponding records lifetime;

o

Logical security – to ensure adequate protection and integrity of audit trails as electronic

records in their own right;

o

System Administration procedures for the GxP computerized systems deployed on theAzure platform to ensure the proper management of audit trails;

o


computerized system.


Microsoft does not provide GxP computerized systems as the part Azure platform and therefore do not

need to implement audit trails. Microsoft is however responsible for implementing adequate controls to

secure the Azure platform and provide appropriate system monitoring. By securing and monitoring the

Azure platform, these controls help to satisfy the above regulatory requirement, such that the GxP

computerized systems are protected and are continually available.













11.10(f)

11.10 (f)

Use of operational system checks to enforce permitted sequencing of steps and events as appropriate.Customer – Regulated User

Operational checks are typically present in the process control mechanisms of GxP computerized systems

to ensure that operations are not executed outside of the predefined order established by the operating

group.

The customer should ensure that GxP computerized system installed on the Azure platform have been

assessed and are capable of fulfilling this requirement.


Within the context of the Azure platform, Microsoft does not have control over operational checks, as

these would be implemented within the GxP computerized system installed and managed by thecustomer.







11.10(g)

11.10 (g)

Use of authority checks to ensure that only authorized individuals can use the system, electronically sign

a record, access the operation or computer system input or output device, alter a record, or perform the

operation at hand


The customer is responsible for ensuring that adequate authority checks are implemented where

necessary through the application of security policies and the centralized management of user permissions

within the GxP computerized system. The customer is responsible for managing the access mechanism to

the GxP computerized system on the Azure platform (see Section 3.1.2).


Establish a procedure describing the process for managing user accounts and user permissions for

the GxP Computerized System; The verification that only authorized users are able to access and alter records contained within

the GxP computerized system and Azure platform should be performed as part of the validation

effort.


The customer is primarily responsible for implementing and verifying the proper application of authority

checks in order to fulfill this regulatory requirement. Microsoft may maintain the system which

authenticates users of the GxP computerized system, and must also manage authentication and security

for the Azure platform. Microsoft is therefore responsible for ensuring proper controls are established to

securely manage the user access control system.











11.10(h)

11.10 (h)

Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data inputor operational instruction.


The customer must determine whether the implementation of device checks is required based on the

intended use of the GxP computerized system and the associated risks. Device checks are warranted in an

environment where only certain devices have been selected as legitimate sources of data input or

commands. In such cases, the device checks would be used to determine if the data or command source

was authorized. If required, the customer is responsible for defining which devices are authorized to

provide data or operational instructions and implement the necessary controls within the GxP

computerized system installed on the Azure platform.


Within the context of the Azure cloud services, Microsoft does not have control over device checks, as

these would be implemented within the GxP computerized system installed and managed by the

customer.

11.10(i)

11.10 (i)

Determination that persons who develop, maintain, or use electronic record/electronic signature

systems have the education, training, and experience to perform their assigned tasks.


The customer is responsible for establishing procedural controls that which define the employee training

process and requirements which ensuring that adequate training is provided to an end user prior to using

the GxP computerized system. The customer is also responsible for ensuring that the adequate education

and experience requirement is met for persons who develop, maintain or use the GxP computerized

system(s).


Ensure that appropriate training policies are established and that training and personnel

qualification are documented (i.e. training records, CV).


Microsoft is responsible for maintaining the Windows Azure infrastructure and services that which store

electronic records, therefore must ensure appropriate training policies are established and that training

and personnel qualification are documented (i.e. training records, CV) for personnel managing and

monitoring the Azure services.


Training Management (see Section 2.5.12)







10.10(j)

11.10 (j)

The establishment of, and adherence to, written policies that hold individuals accountable andresponsible for actions initiated under their electronic signatures, in order to deter record and signature

falsification.


This requirement would be applicable if the customer has implemented a GxP computerized system which

provides users with the ability to apply electronic signatures to sign electronic records (see definition in

Section ). The customer would in this case be responsible for implementing controls governing the use of

electronic signatures ensuring that individuals are aware that they are accountable and responsible for

actions initiated under their electronic signatures.


A written policy should be established that holds individuals accountable and responsible for

actions initiated under or authorized by their electronic signatures;

Ensure that appropriate Training policies are established and that training and personnel

qualification are documented (i.e. training records, CV).


Microsoft does not participate in the generation of electronic records or application of electronic

signatures, therefore does not have any responsibilities with regards to this regulatory requirement.







11.10(k)(1)

11.10 (k) Use of appropriate controls over systems documentation including :

11.10 (k)(1) Adequate controls over the distribution of, access to, and use of documentation for system operation

and maintenance.


This regulation applies to system documentation which describes how a system operates and is

maintained, including standard operating procedures. Some highly sensitive documentation, such as

instructions on how to modify system security features, should not be widely distributed. Hence, the

customer is responsible for controlling the distribution of, access to, and use of such documentation which

is typically managed via the Document Management and Training Management processes.


Procedures governing controlled documentation management should be established in order to

ensure that employees have access to the correct and updated versions of standard operating and

maintenance procedures for the GxP Computerized System installed on the Azure platform;

Ensure that procedural controls are established to appropriately manage the distribution, access

and use of system documentation for GxP computerized systems installed on the Azure platform.


Microsoft is responsible for ensuring access to system operation and maintenance documentation related

to the Azure platform is properly controlled and that adequate controls are established to control the

distribution and use of these documents. Employee training is performed in order to ensure proper use of

the system documentation.Microsoft meets these requirements through the following controls:

Documentation / Asset Management (see Section 2.5.11)








11.10(k)(2)

11.10 (k) Use of appropriate controls over systems documentation including :

11.10 (k)(2)Revision and change control procedures to maintain an audit trail that documents time-sequenced

development and modification of systems documentation.


The customer is responsible for establishing controls which govern changes to system and corresponding

documentation. Documents within the scope of this requirement include GxP Computerized system

specification, design, installation and validation documents and all other system operating procedures and

manuals.


Establish procedures for proper documentation management including document change control;

Ensure proper versioning and audit trail controls on GxP computerized systems documentation;

Establish system change control procedures which trigger appropriate documentation revisions for

GxP computerized systems.


This regulation stipulates that any change to Microsoft system’s hardware or software components should

be documented. The Microsoft change control procedure governs the process of applying changes to the

system and associated documentation. Microsoft has implemented Document and Records Management

procedure governing protection and retention of documentation in conjunction with its Asset

Management procedure.


Software Development / Change Management (see Section 2.5.7)








Sec.11.30Controlsfor OpenSystem

SEC. 11.30 CONTROLS FOR OPEN SYSTEMS

11.30

Persons who use open systems to create, modify, maintain, or transmit electronic records shall employ

procedures and controls designed to ensure the authenticity, integrity, and as appropriate, the

confidentiality of electronic records from the point of their creation to the point of their receipt. Such

procedures and controls shall include those identified in 11.10, as appropriate and additional measures

such as document encryption and use of appropriate digital signature standards to ensure, as necessary

under the circumstances, record authenticity, integrity, and confidentiality.


The customer is responsible for ensuring that appropriate controls are implemented to ensure record

authenticity, integrity, and confidentiality. These controls include those identified in Section 3.1.2.

As the GxP computerized system is hosted and the internet is used to transmit and/or view electronic

records within the Azure platform, in addition to controls for the proper authentication of users (as with a

closed system), there should also be encryption controls (i.e. SSL or VPN) established to ensure that

records that transit across public networks (such as the Internet) cannot be intercepted or interpreted by

unauthorized individuals. Customers are also responsible for determining and implementing encryption

requirements for data stored within the GxP computerized system(s).


Applications installed within the Azure platform must be assessed for this requirement;

Customer may implement encryption of customer data within the customer’s application;

Ensure that encryption and access controls are established to ensure that the integrity of data ismaintained.


Microsoft is responsible for ensuring controls are established to ensure the availability, integrity and

confidentiality of data within the Azure platform and during transit. Microsoft provides customers the

option of encrypting data transmitted to and from Microsoft data centers over public networks.




Logical Security (see Section 2.5.3) System Monitoring and Maintenance (see Section 2.5.4)

Confidentiality (see Section 2.5.6)







3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment

The following table outlines the assessment that was performed on each regulatory requirement of

EudraLex Volume 4 Annex 11 which were identified as in scope in Section 1.2 of this document. The

primary objective of the assessment is to identify the procedural and technical controls that are

required to satisfy the different regulatory requirements.

We further identify which controls fall within the responsibility of Microsoft versus the controls that are

considered the responsibility of the customer when using the Azure platform for regulated GxP

computerized systems.

PRINCIPLE

This annex applies to all forms of computerised systems used as part of a GMP regulated activities. A

computerised system is a set of software and hardware components which together fulfill certain functionalities.

The application should be validated; IT infrastructure should be qualified.

Where a computerised system replaces a manual operation, there should be no resultant decrease in

product quality, process control or quality assurance. There should be no increase in the overall risk of

the process.


The customer must interpret this regulation as applying to all GxP Computerized Systems supporting GxP

related activities that will be installed on the Azure platform (IaaS & PaaS).

The customer is responsible for validating the GxP computerized systems installed within the Azureplatform along with ensuring that the Microsoft Azure VM that has been deployed for their use has been

appropriately qualified.


Microsoft’s responsibility towards their customers is to ensure that the components supporting the Azure

platform have been developed, verified and deployed in a controlled fashion and managed according to

approved procedures.







1 – Risk Management

GENERAL

1 - Risk Management

Risk management should be applied throughout the lifecycle of the computerised system taking into

account patient safety, data integrity and product quality. As part of a risk management system,

decisions on the extent of validation and data integrity controls should be based on a justified and

documented risk assessment of the computerised system.


The customer is responsible for ensuring that risk management is part of the process of assessing,

selecting or developing and implementing GxP computerized systems within the Azure platform.


Ensure risk management policies are effective and implemented and/or risk management is

integrated into the relevant procedures used for the development, deployment and management

of GxP Computerized Systems;

Integrate risk management into your software development lifecycle procedure;

Use a risk based approach when performing and documenting the qualification/validation

activities surrounding the deployment of the GxP Computerized Systems on the Azure platform.


Microsoft is responsible for ensuring that risk management has been applied in the selection and

implementation of the components of its Azure platform.

Microsoft meets this requirement through the following control:

Risk Assessment (see Section 2.5.10)







2- Personnel

2 - Personnel

There should be close cooperation between all relevant personnel such as Process Owner, System Owner,

Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and

defined responsibilities to carry out their assigned duties.


The customer is responsible for ensuring that controls are established to govern the training and the

activities assigned to their personnel. They should also document the method used to confirm or verify an

individual’s qualifications and experience against formal job descriptions to ensure they are qualified to

perform assigned tasks.

The customer is also responsible for ensuring that an individual has a valid user account in order access the

Azure platform and any relevant GxP computerized system. Within both the Azure platform and the GxPcomputerized system, user permissions must be managed by the customer’s assigned System

Administrator to specify what areas of the system are accessible to authorized users.


Ensure that appropriate training policies are established and that training and personnel

qualifications are documented (i.e. training records, CV);

Ensure that personnel are aware of their roles and responsibilities through approved and signed

documentation such as Job Descriptions;

User Account Management procedures should be established to govern the assessment, enabling

and disabling of IT system user accounts;

Different levels of system access should be formally defined for each GxP Computerized System

deployed on Azure and users should be assigned to the different levels through the User Account

Management procedure.


Microsoft is responsible for maintaining the Azure platform infrastructure and services which store

customer electronic records, and therefore must ensure appropriate training policies are established and

that training and personnel qualifications are documented (i.e. training records, CV).


platform is restricted to authorized individuals.












3- Suppliers

3.1

3 - Suppliers

3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure,

integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related

service or for data processing, formal agreements must exist between the manufacturer and any third

parties, and these agreements should include clear statements of the responsibilities of the third party.

IT-departments should be considered analogous.


The customer is responsible for assessing third party suppliers that have an impact on relevant GxP

computerized systems. They are responsible for ensuring that controls addressing the identification,

assessment, selection and management of third party suppliers are established.


Ensure that a vendor selection process has been defined and is covered within an effective

procedure;

Ensure that when needed appropriate contracts are established (i.e. NDA, SLAs);

Ensure that contracts establish clear statements of responsibility;

Ensure that vendor selection evidence and documentation is maintained following governing

Record Retention policies.


Microsoft would be considered a third party service provider to the client within the context of thisrequirement and formal agreements will be in place between the customer and Microsoft which include a

service level agreement which clearly defines responsibility of each party. In addition, Microsoft is

responsible for ensuring that they appropriately document and control the services provided by third party

suppliers within the context of their Azure platform offering.



Vendor Management (see Section 2.5.14)







3.2

3 - Suppliers

3.2 The competence and reliability of a supplier are key factors when selecting a product or service

provider. The need for an audit should be based on a risk assessment.


The customer is responsible for assessing third party suppliers that have an impact on relevant GxP

computerized systems. The level of impact that a supplier may have on a GxP computerized systems

should be part of the supplier assessment process. This should be taken into account in order to determine

the need for a formal audit of the supplier.


Establish a vendor selection procedure and an external audit procedure to define when a vendor

audit is required;

Ensure that risk assessment is part of the vendor selection process.


Microsoft is responsible for ensuring that they appropriately document and control the selection of third

party suppliers of components/services which form part of the Azure platform offering used by customers

to deploy GxP computerized systems.



Vendor Management (see Section 2.5.14)







3.3

3 - Suppliers

3.3 Documentation supplied with commercial off-the-shelf products should be reviewed by regulated

users to check that user requirements are fulfilled.


The customer is responsible for implementing controls ensuring the review of documentation related to

commercial off-the-self applications supporting GxP activities to verify that the system meets user

requirements.


Establish procedures for selecting and deploying off the shelf software solutions and services

which includes the verification of supplied documentation to ensure the solutions or services meet

user requirements.


This regulatory requirement does not apply to Microsoft as they are not regulated users of third party

commercial off-the-shelf products.

As Microsoft is the provider of commercial off-the-self products to regulated users, they are required to

provide these customer’s with sufficient documentation to allow the customer to meet this requirement.3.4

3 - Suppliers

3.4 Quality system and audit information relating to suppliers or developers of software and

implemented systems should be made available to inspectors on request.


The customer is responsible for implementing appropriate controls which ensure that quality system and

audit information relating to suppliers is available to inspectors.


Ensure that quality system and vendor selection evidence and documentation is maintained

following governing record management policies.


As Microsoft is a third party vendor of cloud services to their customer’s, they are not required to meetthis requirement.







4 – Validation

4.1

4 - Validation

4.1 The validation documentation and reports should cover the relevant steps of the life cycle.

Manufacturers should be able to justify their standards, protocols, acceptance criteria, procedures and

records based on their risk assessment.


The customer is responsible for ensuring that GxP computerized systems are defined, developed, verified,

deployed, and validated according to approved and effective software development lifecycle procedures.


Establish formal risk based software development lifecycle and computer systems validation

procedures; Ensure GxP computerized systems installed on the Azure platform that manage electronic records

are validated to confirm they are fit for their intended purpose based on a formal risk assessment;

Document the qualification/validation activities surrounding the deployment of the GxP

computerized systems on the Azure platform per the formal procedures.


Microsoft is not responsible for validation of the GxP computerized systems installed within the Azure

platform, as this is the responsibility of the customer. Microsoft is responsible for ensuring that the

components used within the Azure platform have been defined, developed, verified, deployed, and

validated according to approved and effective software development lifecycle procedures.

Microsoft meets these requirements through the following control:








4.2

4 - Validation

4.2 Validation documentation should include change control records (if applicable) and reports on any

deviations observed during the validation process.


The customer is responsible for ensuring that controls are established to govern the management of issues

encountered within the validation process, along with the administration of changes to GxP computerized

systems and corresponding documentation.

The customer’s validation process should also describe methods used to track and manage deviations

issues encountered within the validation process. Additional details regarding the qualification / validation

activities are provided in Section 3.1.2.


Ensure computer system validation and change control procedures are established, including

specific security controls;

Ensure that documentation management controls are established to manage documents produced

within the validation and change management processes;

Documents within the scope of this requirement include validation, change control and deviation

documents.


Microsoft is responsible for ensuring that controls are established to manage the deployment and

verification of customer Azure VMs, documentation generated as evidence of this effort must beefficiently controlled.

Microsoft is also responsible for the implementation of upgrades or patches to the Azure platform. Any

changes to hardware or software components supporting the Azure platform should be documented and

tested prior to being placed into production.









4.3

4 - Validation

4.3 An up to date listing of all relevant systems and their GMP functionality (inventory) should be

available.

For critical systems an up to date system description detailing the physical and logical arrangements,

data flows and interfaces with other systems or processes, any hardware and software pre-requisites,

and security measures should be available.


The customer is responsible for ensuring that controls are established to determine the need and content

of system documentation required to manage applicable GxP computerized systems.


Produce system description document for all GxP computerized systems, including Azure and

relevant systems which describes the GxP computerized systems and components installed within

the Azure platform;

Reference the Azure virtual machines or services that will be used to deploy the GxP computerized

system in the system description document.


As customers may implement critical GxP computerized systems within the Azure platform, Microsoft is

responsible for ensuring the management of assets within the GFS environment supporting the Azure

platform.

Microsoft meets this requirement through the following control:








4.4

4 - Validation

4.4 User Requirements Specifications should describe the required functions of the computerised

system and be based on documented risk assessment and GMP impact. User requirements should be

traceable throughout the life-cycle


The customer is responsible for ensuring that controls are in place which define the method for gathering

and documenting the needs of their users. The approach must include the assessment and mitigation of

risk and regulatory impact. The customer’s documented User Requirements must be traced throughout

the GxP computerized system’s lifecycle.


Establish procedures for the development and management of user requirements;

Establish traceability mechanisms for user requirements.


This regulatory requirement does not apply to Microsoft as they are not users of regulated computerized

systems.







4.5

4 - Validation

4.5 The regulated user should take all reasonable steps, to ensure that the system has been developed

in accordance with an appropriate quality management system. The supplier should be assessed

appropriately


The customer is responsible for ensuring that controls addressing the management of third party suppliers

are established. The customer must also ensure that regulated systems have been developed according to

or meet the requirements of an approved SDLC process.


Ensure that a vendor selection process has been defined and is covered within an effective

procedure;

Ensure that when needed appropriate contracts are established (i.e. NDA, SLAs);

Ensure that vendor selection evidence and documentation is maintained following governing

Record Retention policies;

Ensure that the vendors quality system has the appropriate controls in place to govern the SDLC

process;

Ensure that system development activities are performed as defined within the governing the

SDLC or computer system validation procedure.



systems.

As Microsoft is the provider of commercial off-the-self products to regulated users, they are required to

provide these customer’s with sufficient documentation to allow the customer to meet this requirement.







4.6

4 - Validation

4.6 For the validation of bespoke or customised computerised systems there should be a process

established that ensures the formal assessment and reporting of quality and performance measures for

all the life-cycle stages of the system.


The customer is responsible for establishing controls that will ensure the continuous assessment and

measurement of quality and performance throughout the GxP computerized system’s lifecycle.


Ensure computer system validation and change control policies are established.


As customers may implement GxP computerized systems within the Azure platform, Microsoft is

responsible for establishing appropriate controls to ensure the monitoring and change management of

assets supporting the Azure platform.



Software Development / Change management (see Section 2.5.7)







4.7

4 - Validation

4.7 Evidence of appropriate test methods and test scenarios should be demonstrated. Particularly,

system (process) parameter limits, data limits and error handling should be considered. Automated

testing tools and test environments should have documented assessments for their adequacy.


The customer is responsible for establishing appropriate controls to govern the testing of their GxP

computerized systems and that relevant tests are performed and adequately documented.


Ensure adequate computer system validation and change control policies are established;

Ensure that all testing activities are properly documented.


As customers may implement GxP computerized systems within the Azure platform, Microsoft is

responsible for establishing appropriate controls to ensure the controlled and verified deployment of

customer VMs within the Azure platform.




4.8

4 - Validation

4.8 If data are transferred to another data format or system, validation should include checks that

data are not altered in value and/or meaning during this migration process.


The customer is responsible for establishing appropriate controls to ensure that the process of data

migration is tested and documented accordingly when migrating data to/from GxP computerized systems

deployed on the Azure platform.


Establish change management procedures which govern data migration;

Establish data migration plans which include controls for the verification that data has not altered

in value and/or meaning following migration.


Microsoft is not responsible for the migration of data between GxP computerized systems hosted on the

Azure platform.







5 – Data

OPERATIONAL PHASE

5 - Data

Computerised systems exchanging data electronically with other systems should include appropriate

built-in checks for the correct and secure entry and processing of data, in order to minimize the risks.


The customer is responsible for establishing the controls required to ensure the authenticity, integrity and

confidentiality of data related to GxP computerized systems hosted within the Azure platform. In addition

to controls for the proper authentication of users (as with a closed system), there should also be

encryption controls (i.e. SSL or VPN) established to ensure that records that transit across public networks

(such as the Internet) cannot be intercepted or interpreted by unauthorized individuals. These controls

should include related topics as identified in Section 3.1.2.


Applications installed within the Azure platform must be assessed to this requirement;

Ensure that encryption and access controls are established to ensure that the integrity of data is

maintained within the GxP computerized system and when data is transiting from the Azure

platform across the internet.



appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to

satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform

are protected. Microsoft provides customers the option of encrypting data transmitted to and from

Microsoft data centers over public networks.






Confidentiality (see Section 2.5.6)







6 – Accuracy Checks

6 - Accuracy Checks

For critical data entered manually, there should be an additional check on the accuracy of the data. This

check may be done by a second operator or by validated electronic means. The criticality and the

potential consequences of erroneous or incorrectly entered data to a system should be covered by risk

management.


The customer is responsible for implementing controls to ensure that data entered into GxP computerized

systems are accurate. Verification controls should be implemented to determine the risk and impact that

inaccurate or mistakenly entered data would have on the GxP computerized system.


Ensure GxP computerized have controls for detecting inaccurate or erroneous data.


This requirement is the customer’s responsibility as Microsoft is not providing GxP computerized systems

used for data entry.







7- Data Storage

7.1

7 - Data Storage

7.1 Data should be secured by both physical and electronic means against damage. Stored data should

be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the

retention period.


The customer is responsible ensure adequate authority checks are implemented where necessary through

the application of security policies and the centralized management of user permissions with the GxP

computerized system. The customer is also responsible for ensuring that appropriate controls are

established to protect data and records pertaining to GxP activities performed within GxP computerized

systems deployed on the Azure platform, and to ensure accurate data is readily available throughout its

retention period.


The verification that only authorized users are able to access, read and alter records contained

within the GxP computerized system should be performed as part of the validation effort;

Procedure(s) are established governing the following topics:

o

Logical security - describes the security controls which are required in order to prevent

unauthorized access to the application;

o

User Account Management - describes the process for requesting new user accounts and

how to provide end users with relevant permissions;

o

Data backup and recovery - describes the process for the backup and recovery of data

housed within the Azure platform;

o

Records retention and archiving - describes how records will be protected and archived

throughout their lifecycle;

Ensure that mechanism for Disaster Recovery and Business Continuity are established and tested,

should any issue arise with the Azure VMs;

Data repatriation plan are established and tested in the case of contract termination.







7 - Data Storage

7.1 Data should be secured by both physical and electronic means against damage. Stored data shouldbe checked for accessibility, readability and accuracy. Access to data should be ensured throughout the

retention period.


Microsoft manages the security component which authenticates users of the Azure platform, therefore is

responsible for ensuring proper controls are established to securely manage the user access control

system.



satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are

continually available.







Service Level Agreements (see Section 2.5.9)







7.2

7 - Data Storage

7.2 Regular back-ups of all relevant data should be done. Integrity and accuracy of backup data and

the ability to restore the data should be checked during validation and monitored periodically.


The customer is responsible for defining the backup scheme for data housed within GxP computerized

systems which are deployed on the Azure platform and ensuring that the implemented backup mechanism

functions appropriately and consistently.


Ensure that controls and procedures are established to oversee the backup and recovery of data.

These controls should be tested periodically to ensure that they are still functional;

Ensure data repatriation plans are established and tested in the case of contract termination.


Microsoft is responsible for ensuring that appropriate controls are in place to manage the backup systems

and provide assurance to customers that their defined backup schemes are implemented and function

correctly and will provide the expected level of retention. Controls to govern the maintenance and

verification of the backup system should be implemented.










8 – Printouts

8.1

8 - Printouts

8.1 It should be possible to obtain clear printed copies of electronically stored data.


The customer is responsible for ensuring that GxP computerized systems installed on the Azure platform

are capable of generating accurate and complete copies of records.


Procedure(s) are established governing the protection of records to ensure accurate and complete

copies are readily available;

Verify accurate and complete copies of electronic records can be retrieved and printed from the

system during validation; Verify data transfer from applications which store electronic records in GxP computerized systems

deployed on the Azure platform does not impact data integrity.


Microsoft is not responsible for ensuring it is possible to print copies of customer data stored within the

GxP computerized systems hosted on the Azure platform. However, Microsoft is responsible for

implementing adequate controls to secure the Azure platform and provide appropriate system monitoring.

By securing and monitoring the Azure platform, these controls help to satisfy the above regulatory

requirement, such that the GxP computerized systems are protected and are continually available.













8.2

8 - Printouts

8.2 For records supporting batch release it should be possible to generate printouts indicating if any of

the data has been changed since the original entry.


The customer should ensure that GxP computerized systems installed on the Azure platform have been

assessed and are capable of fulfilling this requirement. This requirement is typically met through the

generation of audit trails for batch records and ensuring that the batch records with audit trail can be

printed.


Microsoft is not responsible for customer data stored within the GxP computerized systems hosted on the

Azure platform. However, Microsoft is responsible for implementing adequate controls to secure the

Azure platform and provide appropriate system monitoring. By securing and monitoring the Azure

platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized

systems are protected and are continually available. .













9 – Audit Trails

9 - Audit Trails

Consideration should be given, based on a risk assessment, to building into the system the creation of a

record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or

deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and

convertible to a generally intelligible form and regularly reviewed.


The customer is responsible for ensuring that GxP computerized systems installed on the Azure platform

have an auditing feature which captures an audit trail of actions performed on electronic records. The

need for maintaining an audit trail should be determined by assessing the risk related to the data managed

within the GxP computerized system. The audit trail feature of the GxP Computerized System deployed on

the Azure platform should:

Record the reference to the record being changed or deleted, the identity of the individual or

system making the change or deletion, the date and time of the change or deletion, the old and

new value for the record being changed and the reason for change or deletion;

Store read-only audit trail entries in a secure database and ensure the audit trail remains linked to

its respective record throughout its retention period;

Ensure that Audit trail information can be accessed and exported from the GxP Computerized

System as human readable records.


Establish Procedure(s) governing the following activities:

o

Record retention and archiving - should define how audit trails will be protectedthroughout their corresponding records lifetime;

o

Logical security – to ensure adequate protection and integrity of audit trails as electronic

records in their own right;

o

System Administration procedures for the GxP computerized systems deployed on the

Azure platform to ensure the proper management of audit trails;

Verify that audit trail entries are being generated correctly and are adequately protected during

validation.







9 - Audit Trails

Consideration should be given, based on a risk assessment, to building into the system the creation of arecord of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or

deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and

convertible to a generally intelligible form and regularly reviewed.


Microsoft does not provide GxP computerized systems as the part Azure platform and therefore do not

need to implement audit trails. However, Microsoft is responsible for implementing adequate controls to

secure the Azure platform and provide appropriate system monitoring. By securing and monitoring the

Azure platform, these controls help to satisfy the above regulatory requirement, such that the GxP

computerized systems on the Azure platform are protected and are continually available.







10 – Change andConfigurationManagement

10 - Change and Configuration Management

Any changes to a computerised system including system configurations should only be made in a

controlled manner in accordance with a defined procedure.


The customer is responsible for establishing controls to govern the change and configuration management

processes related to GxP computerized systems deployed on the Azure platform.


Ensure that appropriate System Change Control, Configuration Management, Application Quality

and Security procedures along with documentation management controls are established.


Microsoft is responsible for ensuring that controls are in place to govern the management of GFS and

Azure components used for GxP computerized systems deployed on the Azure platform.









11 – Periodicevaluation

11 - Periodic evaluation

Computerised systems should be periodically evaluated to confirm that they remain in a valid state and

are compliant with GMP. Such evaluations should include, where appropriate, the current range of

functionality, deviation records, incidents, problems, upgrade history, performance, reliability, security

and validation status reports.


The customer is responsible for ensuring that controls are established to govern the maintenance of the

GxP computerized systems’ validated state throughout its lifecycle. These controls should include related

topics as identified in Section 3.1.2.


Ensure computer system validation and change control policies are established for GxP

computerized systems deployed on the azure platform;

Ensure that systems maintenance procedures are in place to manage GxP computerized systems

deployed on the azure platform;

Ensure that deviation and incident management procedures are in place to manage deviations,

incidents and problems that arise with GxP computerized systems deployed on the azure platform.


Microsoft is not responsible for validation of systems to verify compliance with GMP regulations. However,


appropriate system monitoring. By securing and monitoring the Azure platform, these controls help tosatisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform

are protected and are continually available.













12 – Security

12.1

12 - Security

12.1 Physical and/or logical controls should be established to restrict access to computerised system to

authorised persons. Suitable methods of preventing unauthorised entry to the system may include the

use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer

equipment and data storage areas.


The customer is responsible for ensuring that an individual has a valid user account in order to access the

Azure platform and GxP computerized system. Within the Azure platform and GxP computerized system,

user permissions must be managed by the System Administrator to specify which areas of the system are

accessible to each user.


Ensure proper procedures are established to govern logical and physical security. The procedure

should clearly describe how access to the system is managed, as well as how user system access is

documented;

A procedure describing the process for requesting new user accounts and how to provide the

correct permissions should be developed;

The verification that only authorized users are able to access and alter records contained within

the system should be performed as part of the validation effort;

Appropriate System Administration practices are followed for applications installed on the Azure

platform;

Ensure that encryption and access controls are established to ensure that the integrity of data is

maintained.



infrastructure components is restricted to authorized individuals.











12.2

12 - Security

12.2 The extent of security controls depends on the criticality of the computerised system.


The customer is responsible for establishing controls to ensure that appropriate security controls are

implemented. The level and complexity of security controls should be based on the GxP impact of the GxP

computerized system.


Ensure proper procedures are established to govern logical and physical security;

Ensure risk management policies are established.





are protected and are continually available.





Risk Assessment (see Section 2.5.10)







12.3

12 - Security

12.3 Creation, change, and cancellation of access authorisations should be recorded.


The customer is responsible for ensuring that the management of user accounts is controlled and

documented. It should be noted that user accounts should not be deleted but deactivated, allowing

traceability within electronic records to be maintained. This control of access also applies to physical

components related to the GxP computerized systems (i.e. computer rooms, office space, server rooms)

which must equally be controlled and documented.


Ensure proper procedures are established to govern logical and physical security. The procedure

should clearly describe how access to GxP computerized systems is managed;

Establish a user access control list to record all granting of, changes to or cancellation of user

access to GxP computerized systems;

Ensure appropriate System Administration practices are followed for GxP computerized systems

installed on the Azure platform.





are protected.Microsoft meets these requirements through the following controls:










12.4

12 - Security

12.4 Management systems for data and for documents should be designed to record the identity of

operators entering, changing, confirming or deleting data including date and time.


The GxP computerized systems installed on the Azure platform should capture the identity of users

creating or performing actions on data. The information captured should include the following:

Date and time when electronic records are created, initiated, changed, confirmed, and deleted;

The identity of the user who performed the action.


Procedure(s) are established governing the following activities:

o

The defined Computer System Validation process should ensure that this requirement is

present and functions in the GxP computerized system.



systems for the collection and management of regulated electronic records.13 – Incident Management

13 - Incident Management

All incidents, not only system failures and data errors, should be reported and assessed. The root cause

of a critical incident should be identified and should form the basis of corrective and preventive actions.


The customer is responsible for ensuring that appropriate tools or controls are established to govern the

documentation, assessment and tracking of reported issues related to GxP computerized systems. These

controls should include related topics as identified in Section 3.1.2.


Ensure that procedural controls such as incident management and CAPA are implemented to

manage all incidents related to GxP computerized systems.


Microsoft is responsible for ensuring that appropriate tools or controls are established to govern the

documentation, assessment and tracking of reported issues related to the Azure platform on which GxP

computerized systems are deployed.


Incident Management (see Section 2.5.8)








14- ElectronicSignature

14 - Electronic Signature

Electronic records may be signed electronically. Electronic signatures are expected to:

a. have the same impact as hand-written signatures within the boundaries of the company,

b. be permanently linked to their respective record,

c. include the time and date that they were applied.


The customer is responsible for ensuring through verification that GxP computerized systems installed

within the Azure VMs applying electronic signatures meet this requirement.


Ensure that the use and elucidation of Electronic Signatures are defined within a proceduralcontrol;

Ensure procedure controls are established to govern the assignment of Electronic Signatures.


This regulatory requirement does not apply to Microsoft as this functionality is not provided as a part of

the Azure platform.

15- Batchrelease

15 - Batch release

When a computerised system is used for recording certification and batch release, the system shouldallow only Qualified Persons to certify the release of the batches and it should clearly identify and record

the person releasing or certifying the batches. This should be performed using an electronic signature.


The customer is responsible for ensuring that GxP computerized systems to be implemented within the

Azure platform have been assessed to this requirement.


The defined Computer System Validation process should ensure that this requirement is assessed

and appropriate supporting documentation must be produced;

Ensure that controls have been defined and implemented to govern the use of electronicsignatures.


This requirement does not apply to Microsoft. Microsoft does not have direct control over GxP activities,

as these would be implemented within GxP computerized systems that are installed and managed by the

customer on the Azure platform.

Microsoft does not provide electronic signature functionality as part of the Azure platform.







16- BusinessContinuity

16 - Business Continuity

For the availability of computerised systems supporting critical processes, provisions should be made to

ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or

alternative system). The time required to bring the alternative arrangements into use should be based

on risk and appropriate for a particular system and the business process it supports. These arrangements

should be adequately documented and tested.


The customer is responsible for ensuring that mechanisms for Disaster Recovery and Business Continuity

are established and tested, should any issue arise with either the GxP computerized system or with the

Azure platform.


Establish a comprehensive disaster recovery and business continuity plan and test it regularly. This

plan should include provisions in the case that the Azure platform becomes unavailable. The plan

should also integrate risk and impact assessment mechanisms;

Ensure that backup infrastructure and policies are established and have been tested for GxP

computerized systems installed on the Azure platform;

Ensure the data repatriation plans are established and tested.


Microsoft is responsible for implementing adequate controls to ensure the Azure platform remains

available in the event of disaster. Backup and retention policies/procedures are defined and maintained inaccordance to regulatory, statutory, contractual or business requirements. These controls help to satisfy

the above regulatory requirement, such that Microsoft backs up Windows Azure infrastructure data

regularly and validates restoration of data periodically for disaster recovery purposes.





Disaster Recovery (see Section 2.5.13)







17- Archiving

17 - Archiving

Data may be archived. This data should be checked for accessibility, readability and integrity. If relevant

changes are to be made to the system (e.g. computer equipment or programs), then the ability to

retrieve the data should be ensured and tested.


The customer is responsible for establishing controls to implement appropriate archiving mechanisms.

Archived data should be regularly verified to ensure its accessibility, readability and integrity.


Ensure that appropriate security controls are established;

Ensure that backup infrastructure and policies are established and have been tested for GxP

computerized systems installed on the Azure platform;

Ensure that record retention policies have been defined;

Ensure that mechanism for Disaster Recovery and Business Continuity are established and tested,

should any issue arise with the Azure platform;

Data repatriation plan are established and tested;

Ensure that audit trails have been properly defined and verified.


Microsoft is not responsible for archiving data contained within the GxP computerized systems hosted on

the Azure platform. However, Microsoft is responsible for implementing adequate controls to secure the

Azure platform and provide appropriate system monitoring. By protecting and monitoring the Azure

platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized

systems are protected and are continually available.














4 Conclusion

In summary, when considering the use of a public, off-premise, third party managed cloud service to

host GxP computerized systems it is important to assess the adequacy of the cloud service provider’s

controls which ensure confidentiality, integrity and availability of data stored on the hosted platform.

Defining roles and responsibilities shared between the regulated user and the cloud service provider is

essential.

As outlined within this guidance document, Microsoft has implemented procedural and technical

controls which are relevant to regulatory requirements stipulated within US FDA 21 CFR Part 11 and

EudraLex Volume 4 Annex 11. These controls have been independently audited and could serve to

demonstrate that the Azure platform is maintained in a state of control that is in accordance with the

applicable regulatory requirements. The assessment has shown that the audited controls are similar to

those required to satisfy the applicable regulatory requirements, therefore the customer may leveragethese audits as part of the risk analysis and qualification effort of their GxP computerized system

installed on the Azure platform.

Of equal importance are the activities and controls which must be implemented by the customer to

ensure that GxP computerized systems are maintained in a secured and qualified state. A summary of

these activities was provided in Section 3.1.2. The customer should identify the specific activities within

a qualification plan for each GxP computerized system installed on the Azure platform. In order to

qualify the system and maintain it in a qualified state, Montrium recommends implementing

procedures/policies which cover the topics as outlined in Appendix A.







5 References

Ref ID ReferenceRef. [1]

Report on a Description of Microsoft's Windows Azure Service and the Suitability of the Design

and Operating Effectiveness of Controls (SOC 1)

Ref. [2]

Report on Controls at a Service Organization Relevant to Security (SOC 2)

Ref. [3] Assessment Report Microsoft Corporation Windows Azure, ISO/IEC 27001:2005, IS 577753

Ref. [4]

U.S. Food and Drug Administration, Code of Federal Regulations, Title 21 Part 11, Electronic

Records; Electronic Signatures.

Ref. [5]

U.S. Food and Drug Administration, Guidance for Industry - Part 11, Electronic Records;

Electronic Signatures - Scope and Application.

Ref. [6]

ISPE, GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems, 2008.

Ref. [7]

ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance

Ref. [8]

EudraLex The Rules Governing Medicinal Products in the European Union - Volume 4 - Good

Manufacturing Practice - Medicinal Products for Human and Veterinary Use- Annex 11:

Computerised Systems

Ref. [9] NIST Cloud Computing Standards Roadmap

Ref. [10] Introducing Geo-replication for Windows Azure Storage

Ref. [11]

Windows Azure™ Security Overview

Ref. [12] Appendix B: Trust Services Principles and Criteria for Security, Availability,

Processing Integrity, Confidentiality, and Privacy

Ref. [13]

Validation Guidance for FDA Regulated Companies

Ref. [14]

Standard Response to Request for Information – Security and Privacy

Ref. [15]

Microsoft Server Tools Business Information Security Policy

Ref. [16]

Summary Scope of Attestation SAS No. 70 Type II

Ref. [17]

Windows Azure ISO 27001 Controls

Ref. [18]

Cloud Security Alliance, Security Guidance for Critical Areas of Focus on Cloud Computing, V3.0

Ref. [19]

Cloud Security Alliance “Cloud Controls Matrix (CCM)”

Ref. [20]

PIC / S PI 011-3 - Good Practices for Computerised Systems in Regulated “GxP” Environments

Ref. [21]

Introducing Windows Azure

http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfcfr/CFRSearch.cfm?CFRPart=11&showFR=1




http://www.fda.gov/RegulatoryInformation/Guidances/ucm125067.htm




http://ec.europa.eu/health/files/eudralex/vol-4/annex11_01-2011_en.pdf




http://www.nist.gov/itl/cloud/upload/NIST_SP-500-291_Jul5A.pdf


http://blogs.msdn.com/b/windowsazurestorage/archive/2011/09/15/introducing-geo-replication-for-windows-azure-storage.aspx


http://go.microsoft.com/?linkid=9740388&clcid=0x409


http://www.aicpa.org/interestareas/informationtechnology/resources/trustservices/downloadabledocuments/final_trust_services_pc_only_0609.pdf



http://www.microsoft.com/downloads/details.aspx?familyid=3e275377-4776-4e1b-9f1b-2ac32e7ffdcf&displaylang=en&tm


http://www.microsoft.com/en-us/download/details.aspx?id=26647




https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf



http://www.picscheme.org/pdf/27_pi-011-3-recommendation-on-computerised-systems.pdf



http://www.windowsazure.com/en-us/develop/net/fundamentals/intro-to-windows-azure/

























Ref ID Reference

Ref. [22]

Windows Azure Introducing Virtual Machines (IaaS)

Ref. [23]

Windows Azure Privacy Statement

Ref. [24]

Windows Azure Agreement

6 Appendices

Appendix A.

Recommended Procedures / Policies

http://download.microsoft.com/download/4/F/0/4F04BDE4-64C1-40A3-9FE5-7C9E893ADAF8/02%20Windows%20Azure%20Virtual%20Machines.pptx


http://www.windowsazure.com/en-us/support/legal/privacy-statement/


http://www.windowsazure.com/en-us/support/legal/subscription-agreement/











Appendix A - Recommended Procedures / Policies

The following topics should be covered within the customer’s internal procedures or policies to managethe qualified state of the GxP system.

Procedure / Policy Topic Purpose

Computer Systems

Validation

Define the management of the validation of computer systems and so

must describe the activities, deliverables and individuals required to

achieve and maintain computer systems in a validated state and in

compliance with applicable GxP regulations.

Physical Security Describe the company’s application of security measures to facilities

(buildings, server rooms, laboratory and other controlled physical

environments), in order to protect data and users.

Logical Security Describe the company’s application of security measures to all

information technology systems in order to protect data and users.

System Monitoring Describe the tools used to monitor the systems to ensure consistent

availability and performance.

Records Retention and

Archiving

Ensure that all the company’s records are managed in conformance with

applicable regulations and requirements. This should include the

identification, classification and retrieval, storage and protection, receipt

and transmission, retention, and disposal or archival preservation of

records.

System Administration and

Maintenance

Provide the company’s personnel direction on the technical

management and engineering practices to be used in planning,

acquisition, operation, maintenance, and termination of information

technology systems.

User Access Management Describe the management of computing accounts that facilitate access

or changes to the company’s data. An account, at a minimum, consists of

a username and password; supplying account information will usually

grant access to the company’s resources. User access management also

establishes clear standards for issuing accounts, creating passwordvalues, and managing accounts.

Backup and Restoration Provide for the continuity, restoration and recovery of critical

documents, all electronic records and systems in the event of an

equipment failure, intentional destruction of data or disaster.





Procedure / Policy Topic Purpose

Training Management Define an internal training program and to ensure that personnel havethe competencies required to access and work within the application

contained within the controlled cloud platform. Additional training needs

may need to be defined for each controlled application within the cloud

platform.

Documentation

Management

Establish the framework under which official records and documents are

created and managed. The intent is to ensure that the company’s

business areas have the appropriate governance and supporting

structure and resources established to enable them to manage their

records and documents in a manner that is planned, controlled,

monitored, recorded and audited, using authorized systems.

Incident and Problem

Management (Helpdesk)

Define a formal Helpdesk Process to ensure that issues are raised,

recorded and resolved in a formal and controlled manner

Change / Configuration

Management

Define a formal process for change management that will ensure that

system changes are implemented in a controlled fashion. This procedure

must also establish the framework for proposing, reviewing, and

approving changes to a system.

The purpose for addressing Configuration Management is to ensure that

all updates to baseline items are controlled and traceable.

Vendor Management Define a formal process to ensure that vendor’s are identified, assessed,

selected and managed in a formal and controlled manner.

Disaster Recovery and

Business Continuity

Assist in the recovery of the company’s information technology

infrastructure and to ensure the continued operation of identified

business critical systems in the event of a serious disruption.

3.Qualification Guideline for Microsoft Office 365

Documents

Transcript of 3.Qualification Guideline for Microsoft Office 365