What You Need To Know - cbinet.com · What You Need To Know 02 03 04 01 Above The Clouds...
Transcript of What You Need To Know - cbinet.com · What You Need To Know 02 03 04 01 Above The Clouds...
2
Today’s TopicsWhat You Need To Know
02
03
04
01Above The CloudsUnderstanding Cloud Infrastructure Qualification Principles
Regulatory Challenges & Considerations in the CloudWhat Do Regulators Want
How Do You Qualify The CloudFrequently Asked Questions About Cloud Validation
Best Practices For Successful ValidationPractical Tips and Techniques
Bonus MaterialCybersecurity AssessmentSample Cloud SOPs For Governance
8
Cloud Software Deployment
Think About The
Cloud Deployment
Models And How
They Impact
Validation
IaaS SaaS PaaS
9
Cloud
Packaged
Software
Storage
Servers
Networking
O/S
Middleware
Virtualization
Data
Applications
Runtime
Infrastructure(as a Service)
O/S
Middleware
Data
Applications
Runtime
Man
ag
ed
by v
en
do
r
Platform(as a Service)
Man
ag
ed
by v
en
do
r
Storage
Servers
Networking
O/S
Middleware
Virtualization
Applications
Runtime
Data
Software(as a Service)
Man
ag
ed
by v
en
do
r
12
Software Quality Assurance
Think About How
You Ensure
Software Quality
In The Cloud And
On-premise
18
Impact of Standards and Process Maturity
Think About The
Impact Of
Standards And
Validation
Process Maturity
Mobile Applications
Mobile applications are
today’s reality. How do we
address mobility with
respect to IV&V?
Software Quality
How does the cloud impact
software quality when it is
an ever-changing
environment
Cybersecurity
Business losses
from DDoS and other
threats can range from
$10,000
to $100,000 per hour
Data Breaches
The cloud environment
introduces more
vulnerabilities. IV&V should
address this reality.
Data Integrity
How do we protect data
integrity in the cloud
environment over time
Compliance
Regulators are focusing on
compliance issues that could
inadvertently impact
functionality that touches
patient safety/ product quality.
The old way of looking at validation does not work anymore. Progressive, forward-thinking organizations must couple the challenges of today’s reality with realistic solutions that ensure sustained compliance and governance.
Top of Mind Issues in Life SciencesIssues Keeping You Awake At Night
21
Risk Drivers in Life Sciences
Patient Safety & Product Quality
Data Integrity
Privacy and Data Protection
Compliance
Cybersecurity and Vulnerabilities
Shared/Pooled Resources 01
02 04
03 05Metered By Use
Scalable and Elastic
Broad Network Access
On-Demand Self-Service
24
REGULATORY CONSIDERATIONS IN THE CLOUD
01 02 03 04
VULNERABILITY DATA INTEGRITY SECURITY QUALITY
How vulnerable is your cloud
environment?
What is your strategy to
maintain data integrity
How do you keep sensitive
information secure?
How do you minimize risk to
patient safety & product
Quality?
What Keeps Regulators Up At Night?
25
New Proposed FDA Guidance Will Address The following Issues
• Data/Information Security
(VPN and Encryption)
• Service Provider (Need to
Understand Life Sciences)
• Data Migration (changing
providers)
• Data Privacy and Protection
• IV&V
• Operational Risks
• Security & Data Breaches
• Transparency
• System Change Control
• Mobility
• Shared Environments
• Risk Management
26
Principle 04Increase Cloud Supplier Due
Diligence.
Principle 04Increase Cloud Supplier Due
Diligence.
Principle 03Incorporate Cybersecurity Testing
and Qualification.
Principle 03Incorporate Cybersecurity Testing
and Qualification.
Principle 02Ensure Change Control To Maintain
Validated State.
Principle 02Ensure Change Control To Maintain
Validated State.
Principle 01Conduct a Risk Assessment.
Principle 01Conduct a Risk Assessment.
Good Independent Validation & Verification Principles
Use a Risk-Based Approach To Govern The Level of Validation
Due Diligence
Cyber Threats are a REALITY. This is somewhat of a
paradigm shift for IV&V
Regression Testing and Change Control Take on New Dimensions.
Responsibilities Change When Moving To The Cloud. Supplier Audit Is Very Important.
QUESTION 1CLOUD VS ON-PREMISE VALIDATION DELIVERABLES
WHAT ARE THE DIFFERENCES BETWEEN ON-PREMISE AND CLOUD INFRASTRUCTURE VALIDATION?
What’s Old Is New AgainIntended Use, Intended Use, Intended Use
Still Need To Perform Validation Due Diligence
Supplier Audit Is Mandatory
Backup And Recovery
IQ/OQ/PQ
Availability
Training
SLAs
Certifications
Audits
An activity of confirmation by
examination and provision of
objective evidence that software
specifications conform to user needs
and intended uses, and that the
particular requirements implemented
through software can be consistently
fulfilled.U.S. FDA
VMP Project PlanRisk
Assessment
Configuration
Specification
Security Plan21 CFR Pt 11
Assessment
Supplier Audit
(COTS)URS/FRS/DRS
Validation Test
Plan
IQ/OQ/PQ/
UATTrace Matrix
Validation
Summary
Report
01 02 03 04
08 07 06 05
09 10 11 12
Processes Required For Infrastructure QualificationThe Cloud Provider Should Have These Processes In Place
Disaster Recovery
Backup, Restore and Archiving
Server Management
Security Management
Help Desk (Service Desk ITIL)
Problem Management
Configuration Management
Change Management
Supplier Management
Performance Monitoring
Network Management
Client Management
32
Your Cloud Validation PackageThe Basic Principles of Validation Endure
VMPPROJECT
PLAN
RISK
ASSESS’MT
CONFIG
SPEC.
SECURITY
PLAN
SOC 1 & 2
REPORTS
CLOUD
CONTROLS
MATRIX
URS/FRS/
DRS
VALIDATION
TEST PLAN
IQ/OQ/PQ/
UAT
TRACE
MATRIX
VALIDATION
SUMMARY
REPORT
01 02 03 04
08 07 06 05
09 10 11 12
Test, Test, Test
Anything That Is Not Tested Will Not Work (For Long)
Automated System TestsVerify You Can Continue To Deploy Servers Consistently
Positive And Negative Security Tests
On-going Vulnerability Scans
Simulated FailuresUntested Failovers And Redundancies Will NOT Work!
Backup Verification
Test The Processes Too!
Installation
Qualification
Operational
Qualification
Performance
Qualification
Is The Cloud Environment Built
Properly in a Repeatable Manner
Does The Cloud Application Operate
According To Its Intended Use
Does The Cloud Environment Meet
Predefined Service/Performance
Criteria?
• The Application Should Be Validated; IT Infrastructure Should Be Qualified.” (EU GMP Annex 11, 2011)
• GAMP®
(Good Automated Manufacturing Practice) Provides Guidance On Infrastructure Qualification As Well As Validation Of Applications
• Typical Qualification Documents Include Specifications, IQ Documentation Scripts, Plans And Reports, Agreements With Service Providers, Operational Procedures… Etc.
• Infrastructure Qualification Documents Are Still Needed When A Regulated / Validated Application Is Hosted In A Cloud Environment
• The Need For Validation Does Not Change Based On The Cloud
“Qualifying” A Cloud-based Environment Versus “Validating” An Application In A Regulatory Framework
38
TWO KEY PRINCIPLES FOR VALIDATION TESTING
VALIDATION CHANGE CONTROL REGRESSION TESTING
INFRASTRUCTURE QUALIFICATION
QUESTION 3MAINTAINING THE VALIDATED STATE IN THE CLOUD
By nature, the cloud is always changing. This affects the validated state of the system.
How do you deal with change control in the cloud?
Performance management across the application lifecycleContinuous Testing
3 Keys to better
performance:
• Test early
• Test often
• Leverage data from
monitoring as
baseline for test
QUESTION 4REGULATORY EXPECTATIONS FOR CLOUD INFRASTRUCTURE VALIDATION
WHAT ARE REGULATORY EXPECTATIONS FOR INFRASTRUCTURE, APPLICATIONS, AND DATA IN THE CLOUD?
FDA Working Group On Cloud Computing• Global Regulators Are Interested In The Growing Utilization
Of Cloud Environments
• Regulators Are Not Averse To Cloud Computing, Like All New “Hot Topics” They Need To Understand The Risks And Required Controls
• FDA New Working Group On Cloud Computing. FDA Wants To Better Understand:
• What Systems Are Currently Outsourced?
• What Issues Or Concerns Have Come Up?
• What Resolutions/Mitigations Were Employed?
• Common Terminology And Definitions For Outsourcing It Systems
• What Type Of Systems Will Be Outsourced In The Future?
Global Regulatory Expectations
• Global Regulators Expect:
• Applications Should Be Validated
• IT Infrastructure Should Be Qualified
• Data Integrity And Security Must Be Maintained
• Accountability For Compliance Remains With The Regulated Company
• Compliance Controls May Be Delegated With Appropriate Management Control
• GAMP® And Cross Industry Guides Such As ITIL, ISO 27001, IEEE, ASTM, TickIT, CMMi Provide Guidance On Application And Infrastructure Development,
• Basic Validation Principles Do Not Change - What Changes Is The Chain Of Command And Trust
44
Three Service Models
SOFTWARE AS A SERVICE (SaaS)
Vendor-provided software (e.g., SFDC, Cliqbook, United Way)
running in a cloud infrastructure via a thin client interface
INFRASTRUCTURE AS A SERVICE (IaaS)
Vendor-provided infrastructure services (e.g., Google Apps,
Microsoft Azure) ) to create and deploy applications
PLATFORM AS A SERVICE (PaaS)
Vendor-provided infrastructure services (e.g., operating systems, storage, network infrastructure)
Amazon’s EC2
Infrastructure
Platform
Software
Vendor Provided
Customer Provided
Vendor Provided
Customer Provided
Vendor Provided
Software
Platform
Infrastructure
Software
Platform
Infrastructure
Sources: Burton, NIST, GAO Report, dated May 2010
QUESTION 5UNDERSTANDING THE CLOUD SECURITY ALLIANCE (CSA) TOOLS
HOW CAN THE CLOUD SECURITY ALLIANCE (CSA) HELP WITH INFRASTRUCTURE QUALIFICATION EFFORTS?
CLOUD SECURITY ALLIANCE RELEASES NEW CLOUD CONTROLS MATRIX
HOT OFF THE PRESS!
Provides Fundamental Security Principles To Guide Cloud Vendors
Assist Cloud Customers In Assessing The Overall Security Risk Of A Cloud Provider
Strengthens Security Control By Delineating Control Guidance By Service Provider, Consumer, Cloud Model Type, And Environment
Provides A Controls Framework In 16 Domains That Are Cross-Referenced To Other Industry-accepted Security Standards
Seeks To Normalize Security Expectations, Cloud Taxonomy, Terminology, and Security Measures
January 21, 2016
QUESTION 6THE QUESTION OF ACCOUNTABILITY
WILL THE FDA AND OTHER REGULATORS STILL HOLD MY FIRM ACCOUNTABLE IF I DEPLOY MY APPLICATIONS IN A CLOUD ENVIRONMENT?
Implications of Enterprise Applications In The Cloud
• Compliance Oversight And Approvals Cannot Be Delegated To The Cloud Provider.
QUESTION 7GETTING STARTED WITH INFRASTRUCTURE AND CLOUD VALIDATION
“I am thinking of deploying enterprise applications in the cloud…”
WHAT SHOULD I DO TO GET STARTED TO VALIDATE THE INFRASTRUCTURE AND APPLICATIONS?
Considerations For Cloud Validation
•Determine appropriate server specification and architecture taking into consideration scalability and performance needs (i.e. Availability Sets & Affinity Groups) System Architecture
•Use of automated scripts to deploy VMs within The CloudVM Deployment
•User Account and Password Management
•Procedural controls for use of Microsoft IDs and passwordsUser Access Management
•Configuration and change management of virtual machines deployed within The CloudConfiguration and Change
Management
•Implementation of technical controls to manage server and application level data backupData Backup and Restoration
•Implementation of technical controls to protect applications and data from external threatsSecurity Monitoring
•Planning and implementation of data encryption requirements Data Encryption
•Procedural controls for assessing Cloud security and OS patch updatesOS Patch and Upgrade
•Procedural controls for incident and alert reporting to vendors when those are specific to customer systems and The CloudIncident Management
Key Items To Be Verified In IQVirtual Machines Are Deployed And Configured According The Specifications
Network Topology And Server Landscape Diagrams Are Accurate
Client Access Verification (Local or Terminal Server)
Minimum Software / Hardware (Virtual) Requirements For The GxP Application Are Met. These Typically Included:
• Amount Of Memory And Disk Space• Number Of CPUs • Operating System (Service Packs, Hot Fixes, And Security
Patches)• Other Software Dependencies Or Service Programs
IT Infrastructure Qualification Phases
Planning
Specification and Design
Risk Assessment and Qualification Test Planning
Procurement, Installation and IQ
OQ and Acceptance
Reporting and HandoverReference: ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance
EmbeddedValidation & quality processes
are embedded into each
implementation
Common UseOnce the transition is complete,
cloud computing will be the
norm
TransitionIt is wise to transition to the
cloud in stages learning as
you go along
Building The FoundationTo get it right, companies
need good pilot projects to
get the foundation right
EducationLife Sciences companies must
be educated about the risks &
benefits of cloud computing
Cloud Computing Maturity Model
IT INFRASTRUCTURE
Business Applications & Processes Infrastructure Applications & Processes
• ERP
• LIMS
• Training Tracker
• Sales Forecast
• Finance
• …etc.
• Change Management
• Configuration Management
• Security Management
• Server Management
• Problem/Help Desk Support
• …etc.
Network Environment ● Operating System ● RDBMS ● Server Hardware ● Clients
Bu
sin
ess
Syst
ems
(GxP
an
d N
on
-GxP
)
Infr
astr
uct
ure
Sys
tem
s (G
xP a
nd
No
n-G
xP)
What Is IT Infrastructure?IT Infrastructure applications may share platforms with business applications. Qualification of the shared platform permits and efficient, cost-effective option.
SHARED PLATFORMS
Qualification Guideline Objectives
Identify Host Provider’s Procedural And Technical Controls
Which Can Be Leveraged By ECI To Demonstrate Compliance.
Identify Activities And Controls That Should Be Established
ECI To Qualify And Maintain Control Over BatchMaster SAP
BusinessOne®.
Identify Key Deliverables Which Should Be Produced As Part
Of The Qualification Effort.
Identify The Responsibilities Shared By Cloud Provider & ECI
To Meet Regulatory Requirements
Summary of Host Provider Responsibilities
• Ensure Host Provider Is Managed In A Controlled And Secured Manner To Provide The Following Key Services:
• Confidentiality
• Integrity
• Availability
• Ensure The Virtual Machines Deployed Within The Host Provider Fabric Meet The Specifications.
• Ensure The Host Provider Service Meets The Terms Defined Within The Governing Service Level Agreements (SLA).
Qualification Approach
• ISPE’s GAMP® Series of Good Practice Guides:
• ISPE, GAMP 5®
- A Risk-Based Approach to Compliant GxP computerized systems, 2008
• ISPE, GAMP Good Practice Guide: Testing of GxP Systems
• ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance, 2005
• PIC/S PI 011-3 Good Practices for Computerized Systems in Regulated ‘GxP’ Environments, 2007
Elements Verified During IT Infrastructure Qualification
Facility
Network
Servers
• Environmental controls
• Power redundancy
• Physical security
• Cabling, connectors, routers,
switches, etc.
• Network inventory
• Topology
• Key configuration settings
• Server specifications
• Server inventory
• Key configuration settings
CLOUD
(Physical)
Customer
(Virtual)
Considerations When Deploying Using Host Provider
•Determine appropriate server specification and architecture taking into consideration scalability and performance needs (i.e. Availability Sets & Affinity Groups) System Architecture
•Use of automated scripts to deploy VMs within Host ProviderVM Deployment
•User Account and Password Management
•Procedural controls for use of Microsoft IDs and passwordsUser Access Management
•Configuration and change management of virtual machines deployed within Host Provider
Configuration and Change Management
•Implementation of technical controls to manage server and application level data backupData Backup and Restoration
•Implementation of technical controls to protect applications and data from external threatsSecurity Monitoring
•Planning and implementation of data encryption requirements Data Encryption
•Procedural controls for assessing Host Provider security and OS patch updatesOS Patch and Upgrade
•Procedural controls for incident and alert reporting to Microsoft when those are specific to customer systems and Host ProviderIncident Management
Summary of Recommended Approach
Identify Which Regulations Apply Based On The Intended Use And The Controls Needed To Achieve Compliance
Review Independent Audits To Determine Acceptability Of Host Provider Controls
Map Individual Controls To Regulatory Requirements To Demonstrate Compliance And Identify Responsibilities Shared Between Host Provider And ECI Internal System Owners (IT)
Develop Installation Qualification Plan And Perform Verification Activities
72
ESTABLISH GOOD GOVERNANCE
AUDIT CLOUD SUPPLIERS CAREFULLY
CONTINUOUS MONITORING & TESTING IN THE CLOUD
DEVELOP A SECURITY PLAN
CONDUCT CYBERSECURITY & PERFORMANCE TESTING
01
02
03
05Cloud Validation Best Practicesis to replace the Lorem Ipsum text with whatever text you prefer. Lorem ipsum is placeholder text. In fact, I think it means “holder of place text” in latin. Well, maybe not exactly…
04
73
SUPPLIER AUDITS ARE CRITICAL
AUTOMATED REGRESSION TESTING
CYBERSECURITY THREATS
LEVERAGE EXISITING TOOLS FOR SUCCESS
SECURITY IS PARAMOUNT
FINAL THOUGHTS
Thank You!Mastering Regulatory Compliance, Governance and Risk
Valarie King-Bailey, M.B.A.
505 N. Lake Shore Drive, Suite 220
Chicago, Illinois 60611 +1 312.321.1450
+1 312.321.6400 [email protected]
www.onshoretech.com