Pharma CloudAdoption. and Qualification Trends

Transcription

1 Pharma CloudAdoption and Qualification Trends

2 OurCloudExperience Numerous implementations of EDMS systems with external hosting for smaller life science clients Development of qualification strategy for tier-1 pharma company for potentially GxP critical solution based on Amazon (SaaS) Development of qualification strategy for tier-1 pharma company for MS Office 365 implementation (PaaS) Development of qualification strategy for tier-1 pharma company for MS Azure (IaaS)

3 Going Cloud A number of challenges need to be addressed by regulated life science companies Which Cloud model do I choose (IaaS, PaaS, SaaS)? How do I set forth a validation strategy? Can I rely on vendor processes and procedures? Has anyone else done it before? What do inspectors say? Where to get guidance on cloud validation? Data Security and Data Privacy

4 Responsibility The responsibility does not disappear when you outsource The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some or their entire IT Infrastructure processes to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner. GAMP Good Practice Guide: IT Infrastructure Control and Compliance. Appendix 8: Outsourcing

5 What is Cloud? NIST National Institute of Standards and Technology The NIST Definition of Cloud Computing

6 Regulatory Considerations Overall regulatory requirements, in reality, the same as for on-premise IT systems We are responsible for everything in the cloud including infrastructure We need to adopt the vendor s processes and procedures and we need to defend these during audits Overall Risk Assessments required Adoption of vendor documentation required Potential gaps need to be filled

7 QMS and Cloud How do we adjust the QMS to include Cloud and how do we overcome the challenge of inexperienced inspectors? Accept your regulatory responsibility for everything in the cloud and the infrastructure of the cloud Align QMS with approach for Cloud validation, so known approach for a normal validation is linked to approach for cloud The inspector will understand the approach better, since it is directly comparable to onpremise systems

8 Overall Process

9 Compliance Approach

10 Specifications Requirement Specification Gather requirements according to standard company process Technical Specification Describing technical interfaces to solution, technical requirements etc. Describing interfaces (e.g. Active Directory set-up) etc. On-premise interfaces Encryption Solution

11 Assessments Use a Cloud Navigation Tool for assessing cloud suitability : GxP, 21 CFR Part 11 and business criticality Data Classification Security Risk Level of control required? Where can data be stored? Encryption required?

12 Service and Deployment The Service and Deployment Model must be chosen Evaluate based on the assessments -which Service and Deployment Model best fit the requirements and assessments IaaS, PaaS, SaaS? Type of Cloud?

13 Service Provider The Supplier must be assessed Perform an audit of Service Provider in order to assess level of quality and controls Capability as software vendor Capability as service provider If not possible make an assessment of material provided by the supplier, certifications and 3rd party reports and take this into account in the risk assessment and qualification strategy. (Standard Operating Procedures) from Service Provider

14 Contracts and SLA s The contract and especially the Service Level Agreement must reflect the requirements for a GxP solution and a sufficient level of control Note that some major Service Providers only offer a standard SLA. This may require additional controls All services delivered from the Service Provider must be evaluated against both business and GxP requirements. Where it is evaluated that the level of control is insufficient, the customer must either request extra controls from the Service Provider or establish own control mechanisms.

15 CloudControl Identify relevant controls for chosen service using a Cloud Control Matrix The matrix lists company requirements for e.g. Change Control. These are compared to the service provided and control objectives and gaps are identified. Gaps are filled with revised SLAs, internal procedures and controls

16 InfrastructureControls

17 Control Objectives Changes Regular reviews of Change Log Monitor changes in production environment Follow-up on release plan from supplier Test documentation Training records User Access Periodic User Access Review Security Yearly Penetration testing Yearly review of SSAE16 SOC1 Type 2 Audit Report Periodic review of Certifications and Accreditations from Service Provider Review of Configuration Item List

18 AnnualControl Wheel Yearly Customer Periodic Review of Technical Accounts Service Provider Disaster Recovery Test Penetration Testing SSAE16 SOC 1 Type 2 Audit Report Quarterly Monthly Quarterly Monthly Customer Revocation of User Accounts and Shared Accounts Service Provider Back-up Report Monthly Update (summary of updates and patches, incidents) Quarterly Customer Periodic Review of Administrator Accounts Periodic review of User Accounts Periodic review of Shared Accounts Service Provider Evaluate the security of one site against recognized standards Audit one site for adherence to best practice for high performance + performance assessment report Monthly Quarterly Monthly Daily/ weekly Monthly Monthly Quarterly Yearly Daily/weekly Customer XX Service Provider YY

19 First Steps 1. Create a Cloud Governancepolicy to establish a standardized and effective approach to the selection, integration, ongoing management and subsequent decommissioning of cloud based IT services (System Life Cycle) 2. Establish a Cloud Navigation Tool is cloud a suitable solution? Which type of cloud? Do the service provider and the service fit? 3. Establish a Cloud Control Matrix with all requirements for controls. Evaluate the services delivered against internal control requirements. Fill in the blanks by updating the SLA, creating internal controls etc.

20 Extra Material

21 CloudControls Ensure that all processes are controlled either by the Service Provider, the company or both.

22 Implementation Develop a Qualification Plan: Identified gaps from the Service assessment are documented in internal procedures and listed in a Qualification Plan Summary of Service Provider assessment Conclusion on risk assessment

23 Verification A Qualification must be executed, including: Testing of technical specifications Test and verification of requirements Checklist for verification of additional controls that is not provided by Service Provider Test and verification of internal company controls