45 min Webinar, November 14th, 2014: The Cloud in Regulatory Affairs - Validation, Risk Management and Chances. Speakers: Rainer Schwarz (Cunesoft), Holger Spalt (ivigilance). 2014 Cunesoft GmbH

Agenda
PART I - Introductions
PART II - Cloud Computing Case Study: Risk Classification, Validation, Quality Checklist
PART III - Questions and Answers
Presenter for Part I: Rainer Schwarz, Cunesoft
Poll: Who of you is already using cloud-based solutions? (Private use / Business use) Confidential Information, Do not Distribute

Types of Cloud Offerings

You are probably joining this webinar because you have heard about the cloud benefits: economies of scale, increased operational effectiveness, reduced IT maintenance and hardware costs, immediate availability. But how can life sciences regulatory requirements be met in the cloud?
- Are all cloud environments the same?
- Do FDA validation requirements apply to the cloud?
- Can a cloud be maintained in a validated state?
- Can I apply a risk-based validation approach?
- What are the critical risks?
- Can data center certificates substitute for an onsite audit?
PART II - Cloud Computing Case Study: Risk Classification, Validation, Quality Checklist
Presenter for Part II: Holger Spalt, ivigilance

Outline of Part II: Cloud Terminology and Definitions; Risk Assessment and Validation Approach; Summary and Cloud Benefits

Cloud Terminology and Definitions
What is Cloud Computing (CC)? Hosted / managed IT services, Software as a Service. The definitions used here were developed by the US National Institute of Standards and Technology (NIST) and published as NIST SP 800-145, The NIST Definition of Cloud Computing. NIST defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." From this follow 5 essential characteristics that a service should fulfil to count as cloud computing.

The 5 essential characteristics of cloud computing (NIST)
1. On-demand self-service: A consumer can unilaterally provision computing capabilities, such as computing power or storage, as needed, automatically, without requiring human interaction with each service provider.
2. Broad network access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, PCs).
3. Resource pooling (resource sharing), which enables the pay-per-use pricing model: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources: storage, processing, and network bandwidth.
4. Rapid elasticity (scale up and down), which also drives the pricing model: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.
5. Measured service, the basis of the pricing model: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.

Cloud Computing vs. Hosting/ASP
Characteristic | Cloud Computing | Hosting or ASP
On-demand self-service | Yes (dynamic) | No
Broad network access | Yes | Yes
Resource pooling | Yes | No
Rapid elasticity | Yes (dynamic) | No (static)
Measured service | Yes | Yes
Cloud Categories (service models), stacked by how much of the system the cloud operator runs:
- IaaS (Infrastructure as a Service) = "iron": the provider supplies the hardware.
- PaaS (Platform as a Service) = build your own software on the provider's platform.
- SaaS (Software as a Service) = out-of-the-box software: the cloud operator also runs the application, user management and data backup.
Responsibility (= value) shifts from the pharmaceutical company to the cloud service provider as you move from an onsite software installation through IaaS and PaaS to SaaS; what the provider does not operate remains the responsibility of the pharmaceutical company.
Risk Assessment and Validation Approach

Risk Management using a Risk Management Framework (used for risk assessment, evaluation/selection of a provider, and validation). Level 1: control domains; Level 2: controls; Level 3: control details. A control is a quality criterion for an IT system.

Level 1: Control Domains (17), grouped into management, operational and technical classes (the domains and their descriptions below follow the NIST SP 800-53 control families / FIPS 200 security areas)
Class | Domain | Abbr.
Management | Risk Assessment | RA
Management | Planning | PL
Management | System and Services Acquisition | SA
Management | Certification, Accreditation, Security Assessments | CA
Operational | Personnel Security | PS
Operational | Physical and Environmental Protection | PE
Operational | Contingency Planning | CP
Operational | Configuration Management | CM
Operational | Maintenance | MA
Operational | System and Information Integrity | SI
Operational | Media Protection | MP
Operational | Incident Response | IR
Operational | Awareness and Training | AT
Technical | Identification and Authentication | IA
Technical | Access Control | AC
Technical | Audit and Accountability | AU
Technical | System and Communications Protection | SC
Level 1: Control Domain Details

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems), and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices, and authenticate (or verify) the identities of those users, processes, or devices as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
Levels 2 and 3: Controls => Questions => Answers. Example topic: Backup. Control domain: Contingency Planning; control: Backup. For each control the checklist records whether it is relevant for PaaS, IaaS and/or SaaS, because the service model decides who has to answer the question and supply the evidence.
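The three-level framework and the responsibility split from the "Cloud Categories" slides, turned into a small checklist engine. This is an added example, not the deck's own checklist or any Cunesoft/ivigilance tool: the layer-to-service-model mapping, the controls, the questions, the risk classes and the vendor answers are constructed for illustration. The point it adds to the slides is mechanical: once every control is tied to a layer of the stack, the service model alone determines whether the provider or the pharmaceutical company owes the evidence, and the open gaps can be ranked by risk class.

```python
"""Added example, not from the Cunesoft/ivigilance webinar: a checklist engine
for the three-level framework (Level 1 control domain, Level 2 control,
Level 3 control details asked as questions to the provider).

Each control is tied to one layer of the stack; the responsibility split of
the "Cloud Categories" slides then decides, per service model, whether the
provider or the pharmaceutical company has to supply the evidence. The layer
mapping, controls, questions and risk classes are constructed for illustration."""
from dataclasses import dataclass

SERVICE_MODELS = ("IaaS", "PaaS", "SaaS")

# Lowest service model at which the provider, not the customer, owns a layer
# (hypothetical reading of the responsibility slide: IaaS = hardware,
# PaaS adds the platform, SaaS adds application, user management, backup).
LAYER_OWNED_BY_PROVIDER_FROM = {
    "hardware": "IaaS",
    "platform": "PaaS",
    "application": "SaaS",
    "user_management": "SaaS",
    "data_backup": "SaaS",
}


def responsible_party(layer: str, service_model: str) -> str:
    """'provider' if the service model includes the layer, else 'customer'."""
    threshold = LAYER_OWNED_BY_PROVIDER_FROM[layer]
    if SERVICE_MODELS.index(service_model) >= SERVICE_MODELS.index(threshold):
        return "provider"
    return "customer"


@dataclass(frozen=True)
class Control:
    domain: str        # Level 1: domain abbreviation, e.g. "CP"
    name: str          # Level 2: the control
    layer: str         # layer of the stack the control protects
    questions: tuple   # Level 3: evidence to request
    risk: str          # risk class used to rank open gaps


CONTROLS = (
    Control("CP", "Backup", "data_backup",
            ("Backup frequency and retention documented?",
             "Restore tested and the test recorded?"), "high"),
    Control("AU", "Audit trail", "application",
            ("Every record change attributable to a unique user?",
             "Audit trail protected against modification?"), "high"),
    Control("IA", "User authentication", "user_management",
            ("Unique user IDs enforced?",), "high"),
    Control("CM", "Release management", "platform",
            ("Upgrades announced and their validation impact assessed?",), "medium"),
    Control("PE", "Physical access", "hardware",
            ("Data center access restricted and logged?",), "medium"),
)

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Gap:
    domain: str
    control: str
    question: str
    owner: str
    risk: str


def assess(service_model: str, evidence: dict) -> list:
    """Return open gaps for a service model, highest risk first.

    evidence maps a Level 3 question to True when the answer was backed by
    evidence (a document, a test record, an audit report); anything else
    counts as open. The owner says whom to chase for the missing evidence.
    """
    gaps = []
    for c in CONTROLS:
        owner = responsible_party(c.layer, service_model)
        for q in c.questions:
            if not evidence.get(q, False):
                gaps.append(Gap(c.domain, c.name, q, owner, c.risk))
    gaps.sort(key=lambda g: (RISK_ORDER[g.risk], g.domain))
    return gaps


def provider_gaps(service_model: str, evidence: dict) -> list:
    """Only the gaps the cloud provider has to close under this model."""
    return [g for g in assess(service_model, evidence) if g.owner == "provider"]


if __name__ == "__main__":
    # Constructed vendor answers: two questions answered with evidence.
    answers = {
        "Backup frequency and retention documented?": True,
        "Data center access restricted and logged?": True,
    }
    for model in SERVICE_MODELS:
        print(model, "open gaps:", len(assess(model, answers)),
              "of which provider-owned:", len(provider_gaps(model, answers)))
```

With the same five open questions, the IaaS run shows none of them as provider-owned while the SaaS run shows all of them as provider-owned: the questionnaire does not change between service models, only who has to answer it, which is the reason the "relevant for X as a Service" column sits beside every control.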
Summary and Cloud Benefits

Summary
Q: Can a cloud-based regulatory environment be validated (according to FDA standards)?
A: Yes.
Q: How?
A: By establishing appropriate quality criteria (controls) and assessing them, by yourself and/or together with the vendor.
Benefits of a cloud-based eCTD system
1. Commercial: on-demand subscription saves (IT) preparation; pay-per-use pricing model; no upfront investment (CAPEX free).
2. Time to use: available within a very short setup period; pre-configured according to best-practice guidelines; location independence (anywhere, anytime).
3. Performance and software management: automatic software updates; optimized performance (due to the platform); metered/monitored performance; constant backup; guaranteed uptime.
4. Collaboration: parallel working on a submission; add staff on demand; share submission output to a secure area; submit directly to the CESP gateway.

Costs: On-Premises vs. Cloud Computing
On-premises: software licenses about 30%, implementation about 70% (customization and implementation, hardware, IT personnel, maintenance, training). Ongoing costs: annual support and maintenance fee, training, configuration, applying fixes/patches/upgrades, downtime, performance tuning, upgrading dependent applications, ongoing burden on IT, maintaining and upgrading network/security/database.
Cloud computing: subscription fee about 70%, implementation about 30% (customization, implementation, training). Ongoing costs: subscription fee, training, configuration.
Backup Slides

Risks for a cloud-based eCTD system
1. Compliance
2. Data Security
3. Service Reliability
4. Software Management

Mitigation of Risks, 1. Compliance
Risk: without full control over the infrastructure, how can IQ, OQ and PQ validation be completed?
Cloud provider responsibilities:
1) Infrastructure provided with full IQ validation
2) OQ and PQ validation scripts and support provided
3) Support for data center audits
4) Functional compliance such as electronic signatures, lifecycle management and audit trail

Mitigation of Risks, 2. Data Security
Risk: limited transparency into and control over the security elements used by the cloud provider; risk of a data breach or theft.
Cloud provider responsibilities:
1) Secure connection to the cloud (VPN)
2) System access protection and user management
3) Separate, secure data storage including encryption
4) Data center location (EU data protection act)
5) Certifications: ISO 27001, PCI DSS
Note on 5): a certificate attests the provider's own audited scope, not the customer's validated use of the service. Check the certificate's scope and statement of applicability against the controls you require, and keep a right to audit; the certificate supports the assessment described in the summary above rather than replacing it.
Cloud provider technical architecture for data security (as shown on the slide): user -> SSL encryption and/or VPN -> firewall and application firewall -> application servers -> encrypted customer storage, with database and file storage kept separate per customer.

Mitigation of Risks, 3. Service Reliability
Risk: the cloud provider is subject to data center outages.
Cloud provider responsibilities:
1) Local data synchronization (e.g. the Dropbox concept)
2) Backup strategy (redundant data center)
3) Detailed service level agreement (SLA)
4) Service monitoring and reporting
5) Scalable server sizing and load balancing
6) Caching concepts for large data sets

Mitigation of Risks, 4. Software Management
Risk: without control over the software, the software update process is opaque and cannot be validated.
Cloud provider responsibilities:
1) Each customer/tenant has its own database
2) Upgrade concept without interrupting business
3) Quick fallback/switchback scenario
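The three software-management responsibilities above are easier to judge when you see what they buy. The following is an added example, not part of the webinar and not any provider's product code: it puts the "one database per tenant" design next to the shared-table design it replaces, and implements the snapshot-and-switchback step for a per-tenant upgrade using only the Python standard library (sqlite3 with in-memory databases). Tenant names, records and the migrations are constructed.

```python
"""Added example, not part of the webinar: the 'one database per tenant'
control next to the shared-table design it replaces, plus the
snapshot-and-switchback step for a per-tenant upgrade. Standard library only
(sqlite3, in-memory databases). Tenant names and records are constructed."""
import sqlite3


class SharedTableStore:
    """All tenants in one table, separated only by a tenant_id column.
    Every query must carry the WHERE tenant_id filter; one query that
    forgets it returns other customers' submissions."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE submissions (tenant_id TEXT, name TEXT)")

    def add(self, tenant, name):
        with self.db:
            self.db.execute("INSERT INTO submissions VALUES (?, ?)", (tenant, name))

    def list_filtered(self, tenant):
        rows = self.db.execute(
            "SELECT name FROM submissions WHERE tenant_id = ?", (tenant,))
        return [r[0] for r in rows]

    def list_unfiltered(self, tenant):
        # The defect this design invites: the filter is missing, tenant is ignored.
        rows = self.db.execute("SELECT name FROM submissions")
        return [r[0] for r in rows]


class PerTenantStore:
    """One database per tenant. Routing happens once, when the connection is
    chosen, so an application query has no path to another tenant's rows."""

    def __init__(self):
        self._dbs = {}

    def _db(self, tenant):
        if tenant not in self._dbs:
            db = sqlite3.connect(":memory:")
            db.execute("CREATE TABLE submissions (name TEXT)")
            self._dbs[tenant] = db
        return self._dbs[tenant]

    def add(self, tenant, name):
        with self._db(tenant) as db:
            db.execute("INSERT INTO submissions VALUES (?)", (name,))

    def list(self, tenant):
        return [r[0] for r in self._db(tenant).execute("SELECT name FROM submissions")]

    def columns(self, tenant):
        """Column names of the tenant's submissions table (schema check)."""
        return [r[1] for r in self._db(tenant).execute("PRAGMA table_info(submissions)")]

    def snapshot(self, tenant):
        """Copy one tenant's database; other tenants are not touched."""
        copy = sqlite3.connect(":memory:")
        self._db(tenant).backup(copy)
        return copy

    def upgrade(self, tenant, migration):
        """Apply a migration to one tenant only. On any error, switch back to
        the snapshot taken beforehand and report False."""
        before = self.snapshot(tenant)
        db = self._db(tenant)
        try:
            migration(db)
            db.commit()
            return True
        except sqlite3.Error:
            db.rollback()        # leave no open transaction on the target
            before.backup(db)    # switchback: restore the pre-upgrade copy
            return False


if __name__ == "__main__":
    store = PerTenantStore()
    store.add("acme", "sub-1")
    store.add("beta", "sub-2")

    def add_version_column(db):
        db.execute("ALTER TABLE submissions ADD COLUMN version INTEGER")

    print("beta upgraded:", store.upgrade("beta", add_version_column),
          "columns:", store.columns("beta"), "acme columns:", store.columns("acme"))
```

The shared-table store shows why a missing filter is a data-security risk and not merely a bug; the per-tenant store removes that class of query. The upgrade method is the "without interrupting business" point in miniature: one tenant is migrated and, if the migration fails after partially committing, that tenant alone is switched back to its snapshot while every other tenant keeps running on its own database.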
PART III - Questions and Answers. Rainer Schwarz (Cunesoft), Holger Spalt (ivigilance). 2014 Cunesoft GmbH