Qualification Guideline

June 2013

Disclaimer: This document is meant as a reference for Life Science companies with regard to the Microsoft O365 platform. Montrium does not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated within Office 365 in accordance with this document will be acceptable to regulatory authorities. This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Limitation of Liability: In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages, whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in connection with the use of this information.

Montrium Inc. Page 2 of 74

Authors

- Michael Zwetkow, VP Operations, Montrium Inc.
- Stephanie Tanguay, Quality Assurance Manager, Montrium Inc.
- Paul Fenton, CEO, Montrium Inc.
- Gabrielle Soucy, Sr. Business Analyst, Montrium Inc.

Foreword

Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts represent a fairly radical departure from normal business. By enabling cloud technologies, which provide ease of use and ease of implementation, with compliance, which provides the ability to work with information in a regulatory compliant fashion, the implementing party may find the best of both worlds. This set of guideline whitepapers shows how Microsoft is committed to cloud and compliance, spanning Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a relatively unique combination of technologies and commitment to compliance. At the end of the day these are qualification guidelines and do not represent any guarantees from Microsoft that your processes can be validated in any of the environments discussed or against any of the regulations or standards discussed. Yet when paired with the documentation referred to herein along with customer evidence, these guidelines offer customers a starting point for their own compliance-in-the-cloud efforts, a starting point that may be furthered by the expertise Montrium has demonstrated in producing these guidelines.

Mohamed Ayad, Cloud Solution Specialist
Les Jordan, Chief Technology Strategist
Health & Life Sciences Industry Unit, Microsoft, 2013

Executive Summary

The purpose of this document is to assist Microsoft's life science customers in establishing a qualification strategy for the Microsoft Office 365 (O365) software service. This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex 11 Computerised Systems (Annex 11).

The intended audience for this guideline is any regulated customer within the life sciences industry aiming to use the O365 platform to run GxP regulated applications. It is assumed that these regulated applications will support GxP activities and produce and/or manage electronic records.

Traditionally, GxP computerized systems have been deployed on specific servers, either directly or through the use of virtual machines. This underlying hardware was usually qualified, managed and specifically identified as being part of a specific instance of a GxP computerized system. With cloud computing this paradigm changes slightly. The O365 software solution is composed of many hardware and software components which all fall under the same controls identified in this guideline. Each time a new customer instance of O365 is commissioned, it is done using the same controlled process and standards. When considering public cloud based systems, it is important to view the whole public cloud as one system upon which we are able to install and run GxP computerized systems and applications. This guideline helps companies achieve this by providing references to the 21 CFR Part 11 controls that are present within the O365 environment and that should be identified in customer qualification documentation.

Microsoft's Global Foundation Services (GFS) and O365 platform services have undergone SSAE 16 Service Organization Control (SOC) audits and are also certified according to the ISO/IEC 27001:2005 standard. Although these standards do not specifically focus on regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11. Montrium has therefore decided to leverage the reports produced by independent third party SSAE and ISO auditors to identify the procedural and technical controls established at Microsoft that could be used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit reports were generated by qualified third party auditors and that all information contained within the reviewed audit reports was objective and accurate at the time of the audits. It is expected that customers will perform an independent analysis and verification of relevant regulatory requirements to determine whether the GxP applications deployed on O365 are fit for their intended purpose. The customer must also ensure that the GxP application is sufficiently documented and validated to further demonstrate compliance.

GFS delivers the core infrastructure and foundation technologies for Microsoft's Online Services environment. Microsoft Office 365 is a subscription-based software service hosted by the GFS group within Microsoft managed data centers. The services included as part of O365 are Microsoft SharePoint Online, Microsoft Exchange Online, Microsoft Lync Online and Microsoft Forefront Online Protection for Exchange. This guideline focuses on the Microsoft SharePoint Online service, which is the only O365 service that, when configured appropriately, provides the ability to manage electronic records in a manner that could satisfy applicable regulatory requirements.

The O365 platform is classified as a public, off-premise, third-party managed solution which is offered via the SaaS cloud service model. From the perspective of a regulated user (customer), Microsoft Office 365 is considered to be a Category 4 Configured Product as defined in GAMP5. O365 is considered to be an open system per 21 CFR Part 11; therefore additional measures, such as encryption, should be employed to further secure information stored within or transiting from the system. It should be noted that only certain O365 plans are able to meet the 21 CFR Part 11 requirements for open systems.

Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of data stored on O365 and correspond to the applicable regulatory requirements defined in 21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is responsible for ensuring that O365 meets the terms defined within the governing Service Level Agreements (SLA). In addition to ensuring that computerized systems have the relevant technical controls outlined in the assessment contained within this guideline, the customer is also responsible for ensuring that adequate procedural controls governing the use of the GxP computerized system are in place. These procedural controls should cover the technical aspects of system management, including but not limited to logical security, user management, data backup and disaster recovery. There should also be procedural controls relating to the operation of the GxP computerized system. The customer should determine the GxP requirements that apply to the computerized system based on its intended use and follow internal procedures governing qualification and/or validation processes to demonstrate that the GxP requirements are met.

In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural and technical controls that Microsoft has implemented could serve to demonstrate that the O365 platform is being maintained in a state of control that is in accordance with the applicable regulatory requirements. Moreover, the customer may leverage the audited controls described in this document and the related audit reports as part of the risk analysis and qualification effort for their GxP applications deployed in the O365 environment.

Table of Contents

Authors
Foreword
Executive Summary
Table of Contents
1 Introduction
  1.1 Purpose
  1.2 Key Definitions
  1.3 Audience and Scope
  1.4 Methodology
  1.5 Glossary
2 System Overview
  2.1 Global Foundation Services
  2.2 Microsoft Office 365
  2.3 System Classification
  2.4 Microsoft Audits and Certifications
  2.5 Microsoft Controls
3 Qualification Approach
  3.1 Qualification Activities and Responsibilities
  3.2 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
  3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
Conclusion
References
Appendices
  Appendix A. Recommended Procedures / Policies

1 Introduction

1.1 Purpose

The purpose of this document is to assist Microsoft's life science customers in establishing a qualification strategy for the Microsoft Office 365 (O365) software service, which is hosted on the infrastructure provided by the Global Foundation Services (GFS) group within Microsoft. The guidance provided in this document is based on the assumption that Microsoft's customers will utilize the O365 service as a GxP application to perform GxP regulated activities. This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulations specified within Section 1.3. A summary is provided of the procedural and technical controls which govern the O365 service and can be leveraged by the regulated user (customer) to demonstrate compliance with applicable regulatory requirements. Also summarized within this guideline are recommended activities and controls that should be established by customers in order to qualify and maintain control over the GxP application configured to run on O365. The qualification approach outlined within this guideline is based on industry best practices, with an emphasis on the concepts presented and described within ISPE's GAMP series of Good Practice Guides (Ref. [7]) and PIC/S PI Good Practices for Computerised Systems in Regulated GxP Environments (Ref. [17]).

1.2 Key Definitions

GxP computerized system: A GxP computerized system is defined as an application configured on the O365 platform that will support activities and records governed by regulations pertaining to GLP, GCP and GMP environments.

GxP activity: Any regulated activity performed within the context of GLP, GCP and GMP environments.

Customer: Within the context of this guideline, the customer is defined as any person or persons using a GxP computerized system hosted on the O365 platform, who are responsible for the content of the electronic records produced and/or managed within the GxP computerized system.

Customer Data on Storage: As per the Microsoft O365 Privacy Statement (Ref. [19]), Customer Data is "all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services". For example, Customer Data on Storage includes data that customers upload for storage or processing in the O365 platform, and applications that customers or their end users upload for hosting in the Services. Customer Data on Storage does not include configuration or technical settings and information. Microsoft does not monitor or approve the applications that customers configure on O365. Microsoft does not claim ownership of the Data on Storage. Microsoft's Online Services Use Rights (Ref. [20]) states: "you [the customer] retain all right, title and interest in and to customer data. We [Microsoft] acquire no rights in customer data, other than the rights you grant to us for the applicable online service. This does not apply to software or services we license you." Data security beyond the access control mechanisms, including but not limited to fine-grained access controls or encryption, is the responsibility of the customer.

1.3 Audience and Scope

The intended audience for this guideline is any regulated customer within the life sciences industry aiming to configure the O365 platform for use as a GxP application(s). It is assumed that the application will support GxP activities and produce and/or manage electronic records. The specific GxP activities performed within the customer's O365 environment are not addressed in this guidance document, as the customer is responsible for defining the requirements and evaluating the risk associated with each GxP application within the O365 environment. The regulations within the scope of this qualification guidance document are limited to the following:

- FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subparts A and B (Sec. and Sec. 11.30) (Ref. [5])¹
- EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [8])²

The O365 platform consists of several services as described in Section 2.2; however, Microsoft SharePoint Online is the only service which could provide the ability to generate or manage electronic records within the context of GxP regulated activities. Therefore, this guidance focuses on the functionality of SharePoint Online as it relates to the management of electronic records. This guideline also covers the underlying infrastructure components provided by the Global Foundation Services group upon which the O365 service is delivered to Microsoft customers.

¹ 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not provide electronic signature functionality as part of the above services.
² Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that the same principles are for the most part applicable to GCP and GLP systems.

1.4 Methodology

Microsoft's GFS and O365 platform services have undergone SSAE 16 Service Organization Control (SOC) audits and are also certified according to the ISO/IEC 27001:2005 standard (see Section 2.4). Montrium has leveraged the reports produced by independent third party auditors to identify procedural and technical controls established at Microsoft which could be used to satisfy regulatory requirements within US FDA 21 CFR Part 11 (Ref. [5]) and EudraLex Volume 4 - Annex 11 (Ref. [8]). These controls are described in detail in Section 2.5. Montrium based the analysis on the ISO and SSAE 16 standards as they have objectives similar to those of 21 CFR Part 11 and EudraLex Volume 4 - Annex 11 in relation to controls for computerized systems.

The qualification approach summarizes the activities and responsibilities shared between the regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against the relevant regulatory requirements. A detailed assessment (see Sections 3.2 and 3.3) was performed on each regulatory requirement to interpret how compliance could be achieved within the context of a GxP computerized system configured on the O365 platform. The assessment describes the responsibilities of the customer and Microsoft, as well as the activities, documentation and controls (technical/procedural) that are required to meet each regulatory requirement.

The contents of this document are based on the following assumptions:

- Audit reports listed in Section 2.4 were generated by qualified third party auditors;
- All information contained within the reviewed audit reports was objective and accurate at the time of the audits;
- Customers will perform an independent analysis and verification of related regulatory requirements to determine if the O365 platform is fit for its intended purpose;
- The O365 application(s) will be sufficiently documented and validated by the customer to demonstrate compliance with all applicable regulations;
- The customer will use only out-of-the-box functionality and will not be installing or developing any customizations or 3rd party applications within the O365 environment.

1.5 Glossary

AICPA: American Institute of Certified Public Accountants
CFR: Code of Federal Regulations
Closed System: An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system.³
Cloud Infrastructure as a Service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).⁴
Cloud Platform as a Service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.⁴
Cloud Software as a Service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser (e.g., Web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.⁴
Computerized System: Includes hardware, software, peripheral devices, personnel, and documentation; e.g., manuals and Standard Operating Procedures.⁵
Customer: O365 user using the software service for GxP regulated activities.
CV: Curriculum Vitae
Electronic Record: Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system.³
FDA: United States Food and Drug Administration
GAMP: Good Automated Manufacturing Practice
GFS: Global Foundation Services
GCP: Good Clinical Practice
GLP: Good Laboratory Practice
GMP: Good Manufacturing Practice
GxP: Compliance requirements for all good practice disciplines in the regulated pharmaceutical sector supply chain from discovery to post marketing.⁶
IaaS: Infrastructure as a Service
ID: Identifier
IEC: International Electrotechnical Commission
ISO: International Organization for Standardization
ISPE: International Society for Pharmaceutical Engineering
IT: Information Technology
NDA: Non-Disclosure Agreement
NIST: National Institute of Standards and Technology
Open System: An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system.³
O/S: Operating System
PaaS: Platform as a Service
PIC/S: Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme
Procedure: The term procedure within the context of this document refers to any approved and effective controlled document governing specific processes (i.e. Policy, SOP, Standard, Guide, Work Instruction).
SaaS: Software as a Service
SDLC: Software Development Lifecycle
SLA: Service Level Agreement
SMAPI: System Management Application Program Interface
SOC: Service Organization Controls
SOP: Standard Operating Procedure
SSAE: Statement on Standards for Attestation Engagements
SSL: Secure Sockets Layer
STB: Microsoft Server and Tools Business
TLS: Transport Layer Security
TSP: Trust Services Principles
VM: Virtual Machine
VPN: Virtual Private Network

³ FDA 21 CFR Part 11 (Ref. [4]).
⁴ NIST Cloud Computing Standards Roadmap (Ref. [9]).
⁵ FDA, Glossary of Computer Systems Software Development Terminology (8/95).
⁶ PIC/S (Ref. [17]).

2 System Overview

2.1 Global Foundation Services

Global Foundation Services (GFS) delivers the core infrastructure, foundation technologies and operational support for Microsoft's Online Services environment, including O365. As described within the GFS SOC 2 report (Ref. [2]), the GFS operational infrastructure services include the following:

- Engineering and operations for core infrastructure (networking, directory services, access services, data retention and backup, hardware and software procurement, physical and environmental controls)
- Deployment, hosting and data center services
- Service support, monitoring and escalation
- Information security management and compliance monitoring

2.2 Microsoft Office 365

Microsoft Office 365 is a subscription-based software service hosted by the Global Foundation Services group within Microsoft managed data centers. As described within the O365 SOC 1 report (Ref. [1]), the O365 hosted service is offered in two ways:

- Microsoft Office 365, where all customers receive a standard set of features they subscribe to, hosted on a multi-tenant basis
- Microsoft Office 365 Dedicated (O365-D), which hosts applications and services on a separate, secured hardware infrastructure dedicated to a single customer

The services included as part of O365 and O365-D are: Microsoft SharePoint Online, Microsoft Exchange Online, Microsoft Lync Online and Microsoft Forefront Online Protection for Exchange. This guideline focuses on the Microsoft SharePoint Online service, which is the only O365 service that, when configured appropriately, provides the ability to manage electronic records in a manner that could satisfy applicable regulatory requirements (see Section 1.3). SharePoint Online allows users to create and store data as well as documents in lists and libraries, which can be configured with audit trails and versioning. In addition, user permissions can be configured to control access to the content stored within the various lists and libraries.
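The SharePoint Online audit log and version history are the evidence a customer would point to for the Part 11 audit trail requirement, but they live inside the same tenant, under the same administrative accounts, as the records themselves. The following added example (not code from the guideline, from Microsoft or from SharePoint) shows one way a customer can keep an independent, tamper-evident copy: audit events exported from a library are chained with an HMAC under a customer-held key, so a later modification, deletion or reordering of any entry is detected on verification. The event fields, the demo key and the three sample events are constructed for the example.

```python
"""Tamper-evident audit trail for exported electronic-record events.

Added example; not from the guideline or from Microsoft.  It assumes
(hypothetically) that audit events for a document library have been
exported as dicts and that the customer holds a secret key outside the
SaaS tenant.  Each entry's authentication tag covers the entry itself
and the previous entry's tag, so editing, reordering or deleting an
entry breaks the chain from that point on.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo key for illustration only; keep the real key in a
# customer-controlled store, never in the tenant that holds the records.
DEMO_KEY = b"customer-held-audit-key-for-demo"
GENESIS = "genesis"


def canonical(event: Dict) -> bytes:
    """Stable byte encoding so the same event always authenticates the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def content_hash(data: bytes) -> str:
    """Hash of the record version an event refers to; stored inside the event."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    event: Dict
    prev_tag: str
    tag: str


def compute_tag(key: bytes, event: Dict, prev_tag: str) -> str:
    """HMAC over (previous tag || 0x00 || canonical event)."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode("ascii"))
    mac.update(b"\x00")  # domain separator between the chain link and the payload
    mac.update(canonical(event))
    return mac.hexdigest()


class AuditTrail:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Entry] = []

    def append(self, event: Dict) -> Entry:
        prev = self.entries[-1].tag if self.entries else GENESIS
        entry = Entry(event=dict(event), prev_tag=prev,
                      tag=compute_tag(self._key, event, prev))
        self.entries.append(entry)
        return entry


def verify(entries: List[Entry], key: bytes) -> Optional[int]:
    """Return the index of the first failing entry, or None if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.prev_tag != prev:
            return i  # link broken: an entry was deleted or reordered
        if not hmac.compare_digest(compute_tag(key, entry.event, prev), entry.tag):
            return i  # payload altered, or verified with the wrong key
        prev = entry.tag
    return None


def build_demo_trail(key: bytes = DEMO_KEY) -> AuditTrail:
    """Three constructed events for one record: upload, edit, approval."""
    v1, v2 = b"Batch record 0001 v1", b"Batch record 0001 v2"
    trail = AuditTrail(key)
    trail.append({"ts": "2013-06-03T14:02:11Z", "user": "alice", "action": "upload",
                  "record": "BR-0001", "version": 1, "sha256": content_hash(v1)})
    trail.append({"ts": "2013-06-04T09:17:45Z", "user": "alice", "action": "edit",
                  "record": "BR-0001", "version": 2, "sha256": content_hash(v2)})
    trail.append({"ts": "2013-06-05T16:40:02Z", "user": "bob", "action": "approve",
                  "record": "BR-0001", "version": 2, "sha256": content_hash(v2)})
    return trail


def demo_results() -> Dict[str, Optional[int]]:
    """Verify an intact trail and three tampered copies; values are first failing index."""
    intact = build_demo_trail().entries
    modified = build_demo_trail().entries
    modified[1].event["user"] = "mallory"  # silent rewrite of who edited the record
    deleted = build_demo_trail().entries
    del deleted[1]  # the edit event removed altogether
    return {
        "intact": verify(intact, DEMO_KEY),
        "modified": verify(modified, DEMO_KEY),
        "deleted": verify(deleted, DEMO_KEY),
        "wrong_key": verify(intact, b"not-the-customer-key"),
    }


if __name__ == "__main__":
    for case, first_bad in demo_results().items():
        status = "intact" if first_bad is None else "fails at entry %d" % first_bad
        print("%-10s -> %s" % (case, status))
```

Because each tag also covers the previous tag, the verifier needs only the key and the exported entries, not access to the tenant, which is what makes the copy usable as independent evidence during an inspection. Exporting events on a fixed schedule and verifying the chain before each export is appended keeps the window in which an undetected change could occur to one export interval.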

In order to be able to meet regulatory requirements for encryption, the software service must also provide the ability to encrypt data which is stored within the application. The Active Directory Rights Management functionality can be configured to encrypt documents stored within SharePoint. However, this functionality is only available with the SharePoint Online Plan 2 option, which is included in the following O365 plans:

- Office 365 Enterprise E3
- Office 365 Enterprise E4
- Office 365 Education A3
- Office 365 Education A4
- Office 365 Government G3
- Office 365 Government G4

2.3 System Classification

2.3.1 Cloud Service Model

The O365 platform is classified as a public, off-premise, third-party managed solution which is offered via the SaaS cloud service model (see the NIST definition in Section 1.5). The following diagram depicts the various components of the software service which are managed by Microsoft as part of the SaaS service model.

[Figure 1: SaaS Cloud Service Model (based on Ref. [18])]

2.3.2 GAMP5 Category

From the perspective of a regulated user (customer), Microsoft Office 365 is considered to be a Category 4 Configured Product as defined in GAMP5 (Ref. [6]). A configured product refers to a commercially available software product which is configured to meet a specific business requirement.

2.3.3 FDA Classification

While Microsoft is not directly responsible for the electronic records contained within the O365 platform, it is responsible for maintaining the O365 platform. In addition, Microsoft configures the O365 platform and establishes access control requirements for logical and physical security. The O365 platform is therefore considered to be open (refer to the definition in Section 1.5). The FDA requires open systems to meet additional requirements, such as encryption, as defined in 21 CFR Part 11 (Ref. [5]).

2.4 Microsoft Audits and Certifications

The following table lists the formal audit reports prepared by third parties which were reviewed by Montrium in order to identify relevant controls which have a potential impact on compliance with the 21 CFR Part 11 (Ref. [5]) and Annex 11 (Ref. [8]) regulations. Existing Microsoft customers may request access to these reports, subject to NDA terms and conditions, through their respective Microsoft account representatives.

Audited Service | Audit Type         | Date              | Reference No.
GFS             | SOC 2 Type II      | April 18, 2012    | Ref. [2]
Office 365      | SOC 1 Type II      | June 14, 2012     | Ref. [1]
Office 365      | ISO/IEC 27001:2005 | November 16, 2012 | Ref. [3]

2.4.1 ISO/IEC 27001:2005 Certification

ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks. It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof. ISO/IEC 27001:2005 certifications for O365 and Global Foundation Services can be found via the following links:

- Microsoft Office 365 ISO/IEC 27001:2005 certificate
- GFS ISO/IEC 27001:2005 certificate

2.4.2 SOC Service Audit Reports

Service Organization Controls (SOC) reports are designed by the American Institute of Certified Public Accountants (AICPA) to help service organizations that operate information systems and provide information system services to other entities build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant.

SOC 1 Service Audit Reports are conducted in accordance with the professional standard known as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are geared towards reporting on controls at service organizations that are relevant to Internal Control over Financial Reporting, and replace the SAS 70 auditing standard. The O365 services group has been audited by independent third party auditors to generate a SOC 1 Service Auditor's report which examined the following control areas:

- Logical Access
- Change Management
- Backup and Restoration
- Monitoring and Incident Management
- Software Development Lifecycle (SDLC)
- Network Services

SOC 2 Service Auditor's Reports are also conducted in accordance with the professional standard of SSAE 16. SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy, and are intended for use by stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service organization that have a thorough understanding of the service organization and its internal controls. The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles (TSP), which are composed of the following five (5) sections:

- The security of a service organization's system
- The availability of a service organization's system
- The processing integrity of a service organization's system
- The confidentiality of the information that the service organization's system processes or maintains for user entities
- The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities

The GFS services group has undergone a SOC 2 audit to examine the suitability of the design and operating effectiveness of controls to meet the criteria for the security principle set forth in TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (Ref. [11]).

2.5 Microsoft Controls

This section describes the audited controls implemented by Microsoft which serve to assure confidentiality, integrity and availability of data stored on the O365 platform. These controls are also referenced within the compliance assessment sections (see Sections 3.2 and 3.3), where they respond to applicable regulatory requirements.

2.5.1 Security Policies and Procedures

Microsoft has implemented a Security Policy which applies to Microsoft O365. The Security Organization control objective within the SOC 1 audit reported that the information security policies are implemented and communicated to the applicable employees. The GFS SOC 2 audit reported that the security policies are established, periodically reviewed and approved by a designated individual or group. The O365 ISO/IEC 27001:2005 audit reported that an approved information security policy has been published and communicated to all employees and relevant external parties.

2.5.2 Physical and Environmental Security

The physical assets on which the O365 system resides at Microsoft have been audited, as part of the GFS SOC 2 audit report, to verify that proper physical security controls are established to protect the physical assets forming the foundation of the O365 platform. The GFS SOC 2 audit reported that the GFS services group has implemented procedures to restrict physical access to the infrastructure elements including, but not limited to:

- Facilities
- Backup media
- Firewalls
- Routers
- Servers

The GFS ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking and monitoring physical infrastructure and services, as well as a documented methodology for determining the asset security level.

2.5.3 Logical Security

The O365 SOC 1 audit reported that Microsoft has implemented logical security controls to provide reasonable assurance that logical access to the O365 production infrastructure and systems is restricted to authorized personnel. User account management is performed using Active Directory, which centralizes authentication and authorization to the O365 environment. Policies and standards have been implemented to enforce appropriate user account password expiration, length, complexity and history.

The GFS SOC 2 audit reported that the GFS services group has implemented procedures to restrict logical access to the system including, but not limited to, the following measures:

a. Logical access security measures to restrict access to information resources not deemed to be public
b. Identification and authentication of users
c. Registration and authorization of new users
d. The process to make changes and updates to user profiles
e. Distribution of output restricted to authorized users
f. Restriction of access to offline storage, backup data, systems and media
g. Restriction of access to system configurations, super-user functionality, master passwords, power utilities and security devices (for example, firewalls)

The O365 ISO/IEC 27001:2005 audit reported that logical access to the system is restricted to authorized personnel in accordance with an enforced access control policy.

2.5.4 System Monitoring and Maintenance

The O365 SOC 1 audit reported that proper controls are established to provide reasonable assurance that the O365 platform is monitored to detect and remediate security vulnerabilities. The following activities/controls were audited in relation to system monitoring and maintenance:

- Vulnerability and Patch Management
- Security Incident Management

The GFS SOC 2 audit reported that proper controls are established to monitor the GFS infrastructure components and that proper actions are taken to maintain compliance with its defined system security policies. Automated tools are used to monitor the security controls on a regular basis. The GFS group monitors, logs, reports and takes appropriate action to resolve events involving critical/suspicious activities.

2.5.5 Data Backup, Recovery and Retention

The O365 SOC 1 audit reported that O365 utilizes secure backup system infrastructure delivered by the Global Foundation Services Data Protection Services. The GFS SOC 2 audit reported that the GFS Data Protection Services group provides secure backup retention and restoration of data in the Microsoft Online Services environment. The audit also reported that the recovery and backup process is tested on an annual basis.

2.5.6 Confidentiality

The following excerpt from the publicly available Office 365 Standard Response to Request for Information - Security and Privacy (Ref. [13]) describes the technical controls which help to ensure confidentiality of data as it transits between the customer and the O365 platform:

20 Customer access to services provided over the Internet originates from users Internet-enabled locations and ends at a Microsoft data center. These connections established between customers and Microsoft data centers are encrypted using industry-standard Transport Layer Security (TLS) /Secure Sockets Layer (SSL). The use of TLS/SSL effectively establishes a highly secure browser-to-server connection to help provide data confidentiality and integrity between the desktop and the data center. Filtering routers at the edge of the Office 365 services network provides security at the packet level for preventing unauthorized connections to Office 365 Services. The GFS SOC 2 audit reported that encryption or other equivalent security techniques are used to protect user authentication information and the corresponding session transmitted over the internet or other public networks Software Development / Change Management The O365 SOC 1 audit reported that a formal SDLC process is defined which governs the development of new features or major changes to the O365 platform with the goal of minimizing processing errors and security vulnerabilities within the environment. The SDLC process encompasses the following phases: Requirements gathering Design Implementation Verification Release Key stakeholders are required to provide approval of the tested code prior to deployment of newly developed or changed code into the production environment. The O365 SOC 1 audit also reported that a formal change control process has been established to provide reasonable assurance that changes to the production environment are made in a controlled manner. Ticketing systems are used to track changes which contain documented details including appropriate authorizations and approvals. 
The GFS SOC 2 audit of the GFS services verified adequate IT change management controls are established surrounding the following topics: Service Infrastructure and Support Systems Change Management Secure Configuration Imaging Network Change Management Network Patch Management The O365 ISO/IEC 27001:2005 audit reported that a procedural document covering change management is in place which covers security impact analysis, change control and component inventory management Montrium Inc. Page 20 of 74


Internet Banking Internal Control Questionnaire Internet Banking Internal Control Questionnaire Completed by: Date Completed: 1. Has the institution developed and implemented a sound system of internal controls over Internet banking technology and systems?

More information

Welcome Computer System Validation Training Delivered to FDA. ISPE Boston Area Chapter February 20, 2014

Welcome Computer System Validation Training Delivered to FDA. ISPE Boston Area Chapter February 20, 2014 Welcome Computer System Validation Training Delivered to FDA ISPE Boston Area Chapter February 20, 2014 1 Background Training Conducted on April 24, 2012 Food & Drug Administration Division of Manufacturing

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

More information

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant Ellucian Cloud Services Joe Street Cloud Services, Sr. Solution Consultant Confidentiality Statement The information contained herein is considered proprietary and highly confidential by Ellucian Managed

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

IOD Incorporated. SOC 3 Report for IOD Incorporated

IOD Incorporated. SOC 3 Report for IOD Incorporated SOC 3 Report for IOD Incorporated For The Period From SOC 3 Report Table of Contents Section 1: Management of IOD Incorporated Service Organization s Assertion... 2 Section 2: Independent Accountant s

More information

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?

Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? SaaS vs. COTS Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? Unlike COTS solutions, SIMCO s CERDAAC is software that is offered as a service (SaaS). This offers several

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information