IT System and Data Security: New Developments in Cloud Computing, Virtualisation and GMP Compliance

Transcription

1 Includes a set of IT security documents for the day-to-day business IT System and Data Security: New Developments in Cloud Computing, Virtualisation and GMP Compliance September 2012, Barcelona, Spain GAMP is a trademark of ISPE - SPEAKERS: Regierungspräsidium Darmstadt, Germany Dr F. Hoffmann-La Roche Ltd, Switzerland F. Hoffmann-La Roche Ltd, Switzerland LEARNING OBJECTIVES: To be able to assess the influence of GMP requirements on IT and data security Practical implementation of technical and organisational measures for establishing GMP-compliant IT security Recognising and assessing the risks Building up a security architecture GMP-compliant implementation of these measures GMP-compliant handling of patches Properties of patches Patching strategies Necessary or GMP-critical? Security within new IT developments Cloud Computing Virtualisation Outsourcing services; insourcing risks? This education course is recognised for the ECA GMP Certification Programme Certified Computer Validation Manager. Please find details at

2 IT System and Data Security September 2012, Barcelona, Spain Objectives You get to know the current European and American (GMP) requirements on IT system and data security including the new GAMP 5 and Annex 11 approach You get to know the current threat scenarios and how to master them technically and organisationally You are presented with the possibilities of implementing technical aspects of system and data security, especially the handling of patches, in a GMP-compliant way New technologies like Cloud Computing and Virtualisation influences IT-Security; find out how you can handle these technologies in a GMP environment Background The pharmaceutical regulations require the manufacturer to give proof of his data and systems security. EU GMP Guide Annex 11 Computerised Systems 5.: Computerised systems exchanging data electronically with other systems should include appropriate built-in checks for the correct and secure entry and processing of data, in order to minimize the risks 7.1: Data should be secured by both physical and electronic means against damage. Stored data should be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the retention period 7.2: Regular back-ups of all relevant data should be done. Integrity and accuracy of back-up data and the ability to restore the data should be checked during validation and monitored periodically 12.1: Suitable methods of preventing unauthorised entry to the system may include the use of keys, pass cards, personal codes with passwords, biometrics, restricted access to computer equipment and data storage areas. GAMP 5 Appendix O 11 Security Management Measures should be implemented to ensure that GxP regulated computerized systems and data are adequately and securely protected against wilful or accidental loss, damage, or unauthorized change. Target Audience This Education Course is directed at employees from IT & IT Cloud Service Providers Quality Assurance Production / Engineering who have to deal with IT and Data security. Moderator Dr Programme Introduction: What the delegates expect? IT-Security Legal requirements and Regulations / GAMP 5 and security requirements Annex 11 requirements ISMS GAMP 5 security requirements Product Liability Law Processes and Organisation incl. Case Study Assessment of security vulnerabilities and resulting risks Assessment of patching / change risks Focused testing Template for documenting of IT security alerts Real-life examples Patch Management What is a patch? What are the risks of patching? Handling of patches State-of-the-art patch management Patch Management: Regulatory Point of View Security patches / maintenance patches Collection of patches Minimum test requirements IT Security Inspections: Technical Aspects Main focal points Which departments should be involved? IT Security inspections: Findings European Authorities FDA Technical Aspects of IT Security: Cloud Computing How to secure Cloud Services / Risks Private/Public Cloud Saas-PaaS-IaaS Questions to ask Cloud Providers Contracts with Cloud Computing Providers SLAs Key Performance Indicators Traps and Pitfalls GAMP is a trademark of ISPE -

3 Contracts (with Cloud Computing Providers): Inspector s point of view Regulatory requirements EU GMP Chapter 7 Annex 11 Technical Aspects of IT Security: Virtualisation How to secure a virtual environment Technical Aspects of IT Security: Others Secure remote access Wireless Solution Security Consumer devices (Tablet PCs, Handhelds, Smartphones) Data Backup, Archiving and Business Continuity: Industry s point of view Data Backup The data backup strategy Data recovery process common pitfalls Long time data retention in the System Lifecycle Business continuity management Disaster recovery - experience Data Backup and Archiving: Inspector s point of view Annex 11 requirements Frequency of backups Storage of backups Archiving and migration How to ensure plant security Protection of MES Environments Shielding Stuxnet, Duqu and Co. Security Risk Management Case Study Tools and Experience Integration in the SDLC and implementation lifecycle IT Security Framework and Security Architectures Practical implementation on an Information security Management System (ISMS) IT and information security policies, directives, guidelines Security architecture IT Security KPIs Meaningful Security metrics / Key Performance Indicators (KPIs) for IT security Measuring success (and failure) Early warning signals Outsourcing Contracts QA involvement Pain points Experience from audits Outsourcing from the inspector s point of view Types of outsourcing Contracts Responsibility matrix Additional documentation: All participants will get IT security documents for their day-to-day business Information Security Policy Information Security Directive according ISO (ISO 17799) Password Policy List of Banned Software and Services Security Alerts (some practical examples) Evaluation of security gaps according CVSS Speakers, Regierungspräsidium Darmstadt, Germany He is Inspector for over 25 years and currently Head of the German Inspectors Working Group. He is also a member of GAMP D-A-CH steering committee and the German delegate of the PIC/S Expert Circle for computerised systems. Mr Menges has also contributed to Annex 11, PIC/S document PI 011 Recommendations on Computerised Systems and several GAMP GPGs. Dr F. Hoffmann-La Roche Ltd., Basel, Switzerland Dr Schumacher studied chemistry and pharmacy. At Asta Medica, he headed different positions in Research and QA. In 2001 he joined the Pharma Division of F. Hoffmann-La Roche, Basel, where he is now Head of the Quality Computer Systems Area in Global Technical Operations. He is a member of the ECA Advisory Board. F. Hoffmann-La Roche Ltd., Basel, Switzerland Since 1989, has been working as IT expert in the pharmaceutical industry. From 2000 to 2011, he was globally responsible for IT security in the Roche Pharmaceuticals Division. In his current role as Global Head of Integration Competency Center, he is responsible for system integration (EAI), interfaces and middleware in the Roche Diagnostics Division. Social Event On 18 September you are cordially invited to a social event. This is an excellent opportunity to share your experiences with colleagues from other companies in a relaxed atmosphere.

4 Easy Registration Reservation Form: P.O. Box Heidelberg, Germany Reservation Form: info@concept-heidelberg.de Date Internet: Reservation Form (Please complete in full) If the bill-to-address deviates from the specifications on the right, please fill out here: IT System and Data Security : New Developments in Cloud Computing, Virtualisation and GMP Compliance September 2012, Barcelona, Spain Computer Validation: Maintaining Control of Operation, September, 2012 Barcelona, Spain * Mr. * Ms. Title, first name, surname Company Department Important: Please indicate your company s VAT ID Number P.O. Number if applicable Street/P.O. Box P.O. Box Fax +49 (0) 62 21/ City Zip Code Country Phone/Fax (please fill in) D Heidelberg GERMANY fee will then be calculated according to the point of time at which we receive your message. In case you do not appear at the event without having informed us, you will have to pay the full registration fee, even if you have not made the payment yet. Only after we have received your payment, you are entitled to participate in the conference (receipt of payment will not be confirmed)! reserves the right to change the materials, instructors, or speakers without notice or to cancel an event. If the event must be cancelled, registrants will be notified as soon as possible and will receive a full refund of fees paid. will not be responsible for discount airfare penalties or other costs incurred due to a cancellation. Terms of payment: Payable without deductions within 10 days after receipt of invoice. Important: This is a binding registration and above fees are due in case of cancellation or non-appearance. If you cannot take part, you have to inform us in writing. The cancellation General terms and conditions If you cannot attend the conference you have two options: 1. We are happy to welcome a substitute colleague at any time. 2. If you have to cancel entirely we must charge the following processing fees: Cancellation until 2 weeks prior to the conference 10 %, until 1 weeks prior to the conference 50 % within 1 week prior to the conference 100 %. Tuesday, 18 September 2012, h h (Registration and coffee h h) Wednesday, 19 September 2012, h h Venue NH-Hotel Constanza C/ Deu i Mata Barcelona, Spain Phone Fax Fees ECA Members 1,490 per delegate plus VAT APIC Members 1,590 per delegate plus VAT (does not include ECA Membership) Non-ECA Members 1,690 per delegate plus VAT EU GMP Inspectorates 845 per delegate plus VAT The conference fee is payable in advance after receipt of invoice and includes conference documentation, dinner on the first day, lunch on both days and all refreshments. VAT is reclaimable. Save up to 390 and book Computer Validation: Maintaining Control of Operation on September simultaneously: ECA Members 2,790.- per delegate plus VAT APIC Members 2,890.- per delegate plus VAT Non-ECA Members 2,990.- per delegate plus VAT (does not include ECA Membership) EU GMP Inspectorates 1,495.- per delegate plus VAT Accommodation CONCEPT has reserved a limited number of rooms in the conference hotels. You will receive a room reservation form when you have registered for the course. Please use this form for your room reservation or be sure to mention ECA7307 to receive the specially negotiated rate (single room 143,- + 8% VAT per night, incl. breakfast) for the duration of your stay. Reservation should be made directly with the hotel not later than 21 August Early reservation is recommended. Registration Via the attached reservation form, by or by fax message. Or you register online at Conference Language The official conference language will be English. Organisation and Contact P.O. Box , Heidelberg, Germany Phone +49 (0) 62 21/ , Fax +49 (0) 62 21/ info@concept-heidelberg.de For questions regarding content: Dr Andreas Mangel (Operations Director) at +49-(0)62 21 / , or per at mangel@concept-heidelberg.de. For questions regarding reservation, hotel, organisation etc.: Ms Marion Grimm (Organisation Manager) at at +49-(0)62 21 / or per at grimm@concept-heidelberg.de. wa/vers1/

5 Computer Validation: Maintaining Control of Operation Keep your regulated systems in compliance throughout their operational life! September 2012, Barcelona, Spain SPEAKERS: Frank Behnisch CSL Behring GmbH, Germany Dr David Selby Selby Hope International, UK Dr Robert Stephenson Rob Stephenson Consultancy, UK HIGHLIGHTS: The New EU GMP Guide Annex 11 The GAMP 5 Risk-Based Approach to Operation of GxP Computerized Systems Handover and Establishing Support Services Keeping the System Running Smoothly CAPA Record and Document Management Periodic Review Change Control and Configuration Management System/Data Migration / Back-up / Restore Archiving and Retrieval Decommissioning / Retirement / Disposal Learning by doing: up to 9 Workshops This education course is recognised for the ECA GMP Certification Programme Certified Computer Validation Manager. Please find details at

6 Computer Validation: Maintaining Control of Operation September 2012, Barcelona, Spain Learning Goals Four good reasons why you should attend: Delegates will gain understanding of the controls needed to maintain validated systems in compliance throughout their operational lifecycle. Taking a risk-based approach, you will learn how these controls can be scaled across a wide range of computerised systems, allowing you to focus your resources on the most critical systems and the most critical parts of systems You will learn the importance of role clarity and making best use of Subject Matter Experts and the Quality Unit. In workshops, you will get the chance to put the theory into practice and discuss suitable solution strategies with your colleagues Background The greatest part of the system life cycle is represented by daily operation. It is now a clear regulatory requirement that GxP computerised systems must be kept in compliance throughout their operational lifetime. Audit experience shows that companies struggle with this task. Once the implementation project is complete and the computerised system is handed over for use how can the validated state be maintained? What exactly is required and how can these requirements be successfully established and maintained? The course reflects the requirements of the new EU Annex 11 and the approaches contained in the ISPE/GAMP Good Practice Guide A Risk-Based Approach to Operation of GxP Computerized Systems A Companion Volume to GAMP 5. Experts from the GAMP Committee will give you the answers to these questions and give you the opportunity to deepen your understanding by participating in a set of training workshops based on practical real-life examples. Target Group This Education Course is directed at anyone who has to deal with the validation and operation of computerised systems and the maintenance of the validated state. Typically delegates come from: Manufacturing and Production Quality Control /Quality Assurance /IT Compliance Engineering /Automation/IT Software Suppliers and IT Service Providers Programme Introduction Understanding Delegate Experience and Background Workshop 1: What Delegates want to know? Capturing delegates expectations Sharing and reducing to key points in groups Sharing with all delegates and tutors Working in groups delegates derive their requirements from the training event and share them with tutors. Overview of the Operation Phase Regulatory Context and links with Annex 11 Business process approach, Operational Activities and Information Flows Roles and Responsibilities, the RACI Model Periodic Assessment, checks and triggers Scalability and Risk Management Other Support Processes This section introduces the key principles and concepts which can be applied to all operational activities How well do you maintain the Validated State? Delegates score themselves Results consolidated and fed back Allows delegates to compare their maintenance against best practice and other practitioners Open session in which delegates discuss how well they maintain the validated state of their systems against current best practices. Handover and Establishing Support Services Why does Handover go wrong? Roles and Responsibilities Handover Planning Handover Review and Reporting Putting Support Services in Place Effective transition from the Project Phase to the Operation Phase is crucial in order to ensure that the validated status of the system is maintained. This session discusses the handover process, potential causes of failure and how they can be successfully addressed. Workshop 2: Establishing Responsibilities What tasks are required? What roles are involved? What are their responsibilities? GAMP and RACI roles are applied to one of the Operational Support Processes GAMP is a trademark of ISPE -

7 Keeping the System Running Smoothly 1 Service Management and Performance Monitoring What Support services are required? How will Service Delivery be controlled? Defining Quality Requirements Performance Monitoring Periodic Review considerations Taking a risk-based approach A closer look at how internal and external support services are defined, agreed and managed. Keeping the System Running Smoothly 2 Incident Management, CAPA and System Administration Dealing with unexpected events Capturing and Tracking Preventative Actions and Corrective Actions Preventing Failures and Driving Continuous Improvement Taking a risk-based approach A detailed look at two critical processes that will assist in keeping the system running smoothly. The role of the System Administrator in supporting these processes is discussed. Workshop 3: Record and Document Management - Audit of System Documentation What procedures would you expect to see to confirm a system is under control? Which procedures must QA sign? What records would you expect to see to confirm a system is under control? What standards would you reference to support your arguments? Delegates prepare to audit systems documentation, making an aide memoire of documentation to check. Workshop 4: Establishing a simple Service Level Agreement What are the customer requirements? What is the supplier specification? How is performance to be measured? Delegates are given the opportunity to develop a simple Service Level Agreement for a specific Operational Control task Security and Training The role of the System Administrator Security Training for everyone! Training records A review of the importance of security and training when creating, managing and maintaining GxP records and a discussion of good-practice controls. Workshop 5: Security Hierarchy What is a security hierarchy? What security controls are available? What are the risks? How should they be applied? The participants will choose a list of appropriate controls for different types of e-records and justify their selection Periodic Review and Assessment What is a periodic review? Which systems are most important? How do I decide? How do you perform a periodic review? Annex 11 states that Computerised systems should be periodically evaluated to confirm that they remain in a valid State. This presentation discusses in detail what this periodic evaluation includes and how it may be carried out. Workshop 6: Planning a Periodic Review Organise the team Communicate the requirements/scope Define the process What is the difference between a periodic review and a surveillance audit? Delegates will work on two different scenarios to work out the differences between an internal periodic review and the surveillance audit of a supplier. Operational Change Control and Configuration Management Roles and Responsibilities Sources of changes Types of changes Scaling Change and Configuration Management based on Risk A topic which is critical to maintaining control; this session will provide practical guidance on the set-up of a risk-based operational change and configuration management process for computerised systems Workshop 7: Change Management for IT Infrastructure Create a process flow diagram for change management How can this be modified for simple infrastructure changes? What is the involvement of QA in each of these processes? Delegates will create process flow diagrams for efficient change management and specifically consider how it may be modified for application to the IT infrastructure.

8 System/Data Migration, Back-up and Restore Regulatory expectations for record retention What are the considerations for migration? It will not be perfect process! Which techniques are most appropriate? The importance of back-up and its management The difficulties encountered These are key areas of regulatory interest. The issues surrounding data or system migration will be discussed. Then the process of back-up and restore will be reviewed. Workshop 8: Data Migration What are the issues with data mapping? What is the sequence of a migration? Must all the data be migrated? Impact of data migration on interfaces Record Archiving and Retrieval When is archiving necessary? It will not be a perfect process! How should it be indexed? What are the security issues? Periodic electronic regeneration Archiving is appropriate once data volumes are high or the records need to be consulted infrequently. The process needs to be controlled so that the records can still be located and still need to be accessible - sometimes at quite short notice in case of emergency. Workshop 9: Business Continuity Planning In a pharmaceutical manufacturing company what systems typically need 24/7 up-time Which of these systems has a regulatory requirement for 24/7 up-time? What are the key elements of a business continuity plan for IT? Whose responsibility is it to product the plan? How would you test it? Decommissioning, Retirement and Disposal Withdrawal from active service Shutting down the system and transfer of data Disposal of the system At the end of the operational life, the system must be withdrawn from service and the records managed. This session will look at the phases of retirement, decommissioning and disposal.

9 Easy Registration Reservation Form: P.O. Box Heidelberg Germany Reservation Form: info@concept-heidelberg.de Internet: Date Social Event Thursday, 20 September 2012, h h (Registration and coffee h h) Friday, 21 September 2012, h h Venue nh-hotel Constanza C/Deu i Mata, Barcelona, Spain Phone Fax Fees ECA Members 1,490.- per delegate plus VAT APIC members 1,590,- per delegate plus VAT (does not include ECA membership) Non-ECA Members 1,690.- per delegate plus VAT EU GMP Inspectorates per delegate plus VAT The conference fee is payable in advance after receipt of invoice and includes conference documentation, dinner on the first day, lunch on both days and all refreshments. VAT is reclaimable. Save up to 390 and book IT System and Data Security on September simultaneously: ECA Members 2,790.- per delegate plus VAT APIC Members 2,890.- per delegate plus VAT Non-ECA Members 2,990.- per delegate plus VAT (does not include ECA Membership) EU GMP Inspectorates 1,495.- per delegate plus VAT The fee is payable in advance after receipt of invoice and includes conference documentation, social event and dinner, lunch on all days and all refreshments. VAT is reclaimable. Registration Via the attached reservation form, by or by fax message. Or you register online at Accommodation CONCEPT has reserved a limited number of rooms in the conference hotel. You will receive a room reservation form when you have registered for the course. Please use this form for your room reservation or be sure to mention ECA7245 to receive the specially negotiated rate (single room 143,- per night, incl. breakfast + 8% VAT) for the duration of your stay. Reservation should be made directly with the hotel not later than 22 August Early reservation is recommended. Conference language The official conference language will be English. Organisation and Contact P.O. Box D Heidelberg, Germany Phone +49 (0) 62 21/ , Fax +49 (0) 62 21/ info@concept-heidelberg.de, For questions regarding content: Dr Andreas Mangel (Operations Director) at / , or per at mangel@concept-heidelberg.de. For questions regarding reservation, hotel, organisation etc.: Ms Marion Grimm (Organisation Manager) at / , or per at grimm@concept-heidelberg.de. On 20 September you are cordially invited to a social event. This is an excellent opportunity to share your experiences with colleagues from other companies in a relaxed atmosphere. Speakers Frank Behnisch CSL Behring GmbH, Germany Frank is Senior Manager Project Engineering at CSL Behring GmbH in Marburg, Germany. He is member of the GAMP D-A-CH steering committee and chairman of a GAMP Special Interest Group (SIP) for Small Systems Dr David Selby Selby Hope International, UK David Selby, BSc., PhD., was with Glaxo for many years in different positions. He occupied the role of Site Quality Assurance Manager there and latterly, he was the Site Manager. He is a founder member and Chairman of the GAMP Forum and 2004 Chairman on the International Board of ISPE. He has established his own consultancy, Selby Hope International, specialising in the compliance of computerised systems and automated equipment used in pharmaceutical manufacturing. Dr Robert Stephenson Rob Stephenson Consultancy, UK Rob has had extensive experience with the implementation and operational control of a wide range of applications within the Pharmaceutical and Personal Products sector. He joined Pfizer Sandwich UK in 2000 as member of their Quality Unit operating within the IT group where his responsibilities included coordinating the manufacturing site s initiative to achieve 21 CFR Part 11 compliance and authoring their IT Quality Management System. As a long-standing member of the GAMP Europe Steering Committee Rob has contributed material to GAMP 5 and the ISPE GAMP Good Practice Guide on A Risk-Based Approach to Operation of GxP Computerized Systems for which he was co-leader. Rob now works as an independent IT Systems Validation Consultant. wa/vers1/

10 If the bill-to-address deviates from the specifications on the right, please fill out here: Reservation Form (Please complete in full) Computer Validation: Maintaining Control of Operation, September, 2012 Barcelona, Spain IT System and Data Security: New Developments in Cloud Computing, Virtualisation and GMP Compliance September 2012, Barcelona, Spain Mr Ms Title, first name, surname Company Department Important: Please indicate your company s VAT ID Number P.O. Number (if applicable) P.O. Box Fax +49 (0) 62 21/ D Heidelberg GERMANY Street/P.O. Box City Zip Code Country Phone/Fax (please fill in) General terms and conditions If you cannot attend the conference you have two options: 1. We are happy to welcome a substitute colleague at any time. 2. If you have to cancel entirely we must charge the following processing fees: Cancellation until 2 weeks prior to the conference 10 %, until 1 weeks prior to the conference 50 % within 1 week prior to the conference 100 %. reserves the right to change the materials, instructors, or speakers without notice or to cancel an event. If the event must be cancelled, registrants will be notified as soon as possible and will receive a full refund of fees paid. will not be responsible for discount airfare penalties or other costs incurred due to a cancellation. Terms of payment: Payable without deductions within 10 days after receipt of invoice. Important: This is a binding registration and above fees are due in case of cancellation or non-appearance. If you cannot take part, you have to inform us in writing. The cancellation fee will then be calculated according to the point of time at which we receive your message. In case you do not appear at the event without having informed us, you will have to pay the full registration fee, even if you have not made the payment yet. Only after we have received your payment, you are entitled to participate in the conference (receipt of payment will not be confirmed)! #