The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -



Transcription:

45 min Webinar, November 14th, 2014
The Cloud in Regulatory Affairs - Validation, Risk Management and Chances -
www.cunesoft.com
Rainer Schwarz, Cunesoft
Holger Spalt, ivigilance
2014 Cunesoft GmbH

Agenda
PART I - Introductions
PART II - Cloud Computing Case Study: Risk Classification, Validation, Quality Checklist
PART III - Questions and Answers
(Rainer Schwarz, Cunesoft)

Which of you is using cloud-based solutions already? Private use / Business use

Types of Cloud Offerings

You are probably joining this webinar because you have heard about cloud benefits:
- Economies of scale of a cloud
- Increased operational effectiveness
- Reduced IT maintenance costs / reduced hardware costs
- Immediate availability
- ...
But how can life sciences regulations be met in the cloud?
- Are all cloud environments the same?
- Do FDA validation requirements apply to the cloud?
- Can a cloud be maintained in a validated state?
- Can I apply a risk-based validation approach?
- What are the critical risks?
- Can data center certificates substitute an onsite audit?
- ...

PART II - Cloud Computing Case Study: Risk Classification, Validation, Quality Checklist (Holger Spalt, ivigilance)

Part II outline:
- Cloud Terminology / Definitions
- Risk Assessment and Validation Approach
- Summary and Cloud Benefits

What is Cloud Computing (CC)?
Hosted / managed IT services - Software as a Service. The definitions used here were developed by the US National Institute of Standards and Technology (NIST) and are known as NIST SP 800-145, "The NIST Definition of Cloud Computing".
NIST Cloud Computing Definition: "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
=> 5 essential characteristics, which should be fulfilled if a service is to be considered cloud computing.

5 essential characteristics of CC

1. On-Demand Self-Service: A consumer can unilaterally provision computing capabilities, such as computing power or storage, as needed automatically without requiring human interaction with each service provider.

2. Broad Network Access: Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, PCs).

3. Resource Pooling (Resource Sharing) => pricing model (pay per use, PPU): The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources: storage, processing, and network bandwidth.

4. Rapid Elasticity (scale up & down) => pricing model: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

5. Measured Service => pricing model: Cloud systems automatically control and optimize resource use by leveraging a metering capability, at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Cloud Computing vs. Hosting/ASP

Characteristic            Cloud Computing   Hosting or ASP
On-Demand Self-Service    Yes               No
Broad Network Access      Yes               Yes
Resource Pooling          Yes               No
Rapid Elasticity          Yes (dynamic)     No (static)
Measured Service          Yes               Yes

Cloud Categories (service models)
- IaaS (Infrastructure as a Service) = "iron" (hardware)
- PaaS (Platform as a Service) = build your own software on the provided platform
- SaaS (Software as a Service) = out-of-the-box software (OOTB-SW)

The stack consists of the layers Cloud Operator, User Management / Data Backup, and Application. The more of these layers the cloud operator takes on (IaaS -> PaaS -> SaaS), the more responsibility (= value) moves from the pharmaceutical company to the cloud service provider: with an onsite software installation everything is the responsibility of the pharmaceutical company, with IaaS only the hardware is the provider's, with PaaS the platform as well, and with SaaS most of the stack lies with the cloud service provider.

Deployment Models
- Private Cloud (dedicated resources, 1:1) vs. Public Cloud (shared resources, many:1)
- On-Premise (internal resources) vs. Off-Premise (external resources)

Cloud Models & Risk Classification: the cloud models are placed on a scale from higher risk to lower risk along three dimensions: Public Cloud (shared) vs. Private Cloud (dedicated); SaaS / PaaS / IaaS; On-Premise vs. Off-Premise.

Risk Assessment and Validation Approach

Risk Management using a Risk Management Framework (used for risk assessment, evaluation/selection and validation):
- Level 1: Control Domains
- Level 2: Controls
- Level 3: Control Details
A control is a quality criterion for IT systems.

Level 1: Control Domains (17)

Class         Domain                                                Abbr.
Management    Risk Assessment                                       RA
Management    Planning                                              PL
Management    System and Services Acquisition                       SA
Management    Certification, Accreditation, Security Assessments    CA
Operational   Personnel Security                                    PS
Operational   Physical and Environmental Protection                 PE
Operational   Contingency Planning                                  CP
Operational   Configuration Management                              CM
Operational   Maintenance                                           MA
Operational   System and Information Integrity                      SI
Operational   Media Protection                                      MP
Operational   Incident Response                                     IR
Operational   Awareness and Training                                AT
Technical     Identification and Authentication                     IA
Technical     Access Control                                        AC
Technical     Audit and Accountability                              AU
Technical     System and Communications Protection                  SC

Level 1: Control Domains - Details

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.

Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Level 1: Control Domains - Details (continued)

Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Level 1: Control Domains - Details (continued)

Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.

Level 2: Controls (ca. 300). Each control domain (Level 1) is broken down into a set of controls (Level 2).

Level 3: Control Details. The 300+ controls are turned into questions, and the questions into answers (obtained from the company itself and/or the vendor). For each control the sheet marks whether it is relevant for the service model in question ("Relevant for X as a Service": P = PaaS, I = IaaS, S = SaaS). Example topic: Contingency Planning -> Backup.
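The three-level framework as a small worked model: Level 1 domains, Level 2 controls, Level 3 questions with the per-service-model applicability column, and a scoring of the returned answers. This is an added example and not the webinar's or Cunesoft's own checklist: the 17 domains and abbreviations are taken from the slide, while the individual controls, their questions and the IaaS/PaaS/SaaS applicability are constructed samples modelled on the mitigation slides.

```python
from dataclasses import dataclass

# Level 1: the 17 control domains as listed on the slide -> (class, domain name).
DOMAINS = {
    "RA": ("Management", "Risk Assessment"),
    "PL": ("Management", "Planning"),
    "SA": ("Management", "System and Services Acquisition"),
    "CA": ("Management", "Certification, Accreditation, Security Assessments"),
    "PS": ("Operational", "Personnel Security"),
    "PE": ("Operational", "Physical and Environmental Protection"),
    "CP": ("Operational", "Contingency Planning"),
    "CM": ("Operational", "Configuration Management"),
    "MA": ("Operational", "Maintenance"),
    "SI": ("Operational", "System and Information Integrity"),
    "MP": ("Operational", "Media Protection"),
    "IR": ("Operational", "Incident Response"),
    "AT": ("Operational", "Awareness and Training"),
    "IA": ("Technical", "Identification and Authentication"),
    "AC": ("Technical", "Access Control"),
    "AU": ("Technical", "Audit and Accountability"),
    "SC": ("Technical", "System and Communications Protection"),
}
CLASS_ORDER = {"Management": 0, "Operational": 1, "Technical": 2}
SERVICE_MODELS = frozenset({"IaaS", "PaaS", "SaaS"})  # the "P I S" columns of the Level 3 slide


@dataclass(frozen=True)
class Control:
    """Level 2 control; its Level 3 detail is phrased as a yes/no question to the provider."""
    domain: str              # Level 1 abbreviation, key into DOMAINS
    name: str                # Level 2 control
    question: str            # Level 3 detail
    relevant_for: frozenset  # service models in which the provider answers this control


# Constructed sample of the 300+ controls (questions echo the webinar's mitigation slides).
# Application-level controls are the provider's to answer only under SaaS; under IaaS/PaaS
# the pharmaceutical company runs the application itself and answers them internally.
CONTROLS = (
    Control("CP", "Backup", "Are customer data backed up to a redundant data center?", SERVICE_MODELS),
    Control("CP", "Restore test", "Is restore from backup tested and documented periodically?", SERVICE_MODELS),
    Control("SC", "Transport encryption", "Is user access protected by SSL encryption and/or VPN?", frozenset({"PaaS", "SaaS"})),
    Control("SC", "Storage encryption", "Is each customer's storage encrypted and separated from other tenants?", SERVICE_MODELS),
    Control("CM", "Upgrade concept", "Can upgrades run without interrupting business, with a quick fallback?", frozenset({"SaaS"})),
    Control("CM", "Tenant database", "Does each customer/tenant have its own database?", frozenset({"SaaS"})),
    Control("CA", "Certification", "Is the data center ISO 27001 certified and open to on-site audits?", SERVICE_MODELS),
    Control("AU", "Audit trail", "Does the application keep a complete audit trail of record changes?", frozenset({"SaaS"})),
)


def questionnaire(service_model):
    """Level 3 view: (domain, control, question) for every control the provider must answer
    for the chosen service model, ordered Management -> Operational -> Technical like Level 1."""
    if service_model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model: {service_model}")
    applicable = [c for c in CONTROLS if service_model in c.relevant_for]
    applicable.sort(key=lambda c: (CLASS_ORDER[DOMAINS[c.domain][0]], c.domain, c.name))
    return [(c.domain, c.name, c.question) for c in applicable]


def assess(service_model, answers):
    """Score a filled questionnaire. `answers` maps control name -> True / False / None.
    An unanswered applicable control is an open item, never a pass; coverage = passed / applicable."""
    result = {"passed": [], "gaps": [], "open": []}
    for domain, name, _ in questionnaire(service_model):
        answer = answers.get(name)
        bucket = "passed" if answer is True else "gaps" if answer is False else "open"
        result[bucket].append(f"{domain}: {name}")
    total = sum(len(v) for v in result.values())
    result["coverage"] = round(len(result["passed"]) / total, 2) if total else 0.0
    return result
```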

Summary and Cloud Benefits

Summary
Q: Can a cloud-based regulatory environment be validated (according to FDA standards)?
A: Yes.
Q: How?
A: By establishing appropriate quality criteria (controls) and assessing them (by yourself and/or with the vendor).

Benefits of a cloud-based eCTD system
1. Commercial: on-demand subscription; saves (IT) preparation; pay-per-use pricing model; no upfront investment (CAPEX free)
2. Time to use: available within a very short setup period; pre-configured according to best-practice guidelines; location independence (anywhere, anytime)
3. Performance & software management: automatic software updates; optimized performance (due to the platform); metered/monitored performance; constant backup; guaranteed uptime
4. Collaboration: parallel working on a submission; add staff on demand; share submission output to a secure area; submit directly to the CESP gateway

Costs: On-Premises vs. Cloud Computing

On-Premises
- Software licenses: 30%
- Implementation: 70% (customization & implementation, hardware, IT personnel, maintenance, training)
- Ongoing costs: annual support & maintenance fee; training; configuration; applying fixes, patches and upgrades; downtime; performance tuning; upgrading dependent applications; ongoing burden on IT; maintaining & upgrading network / security / database

Cloud Computing
- Subscription fee: 70%
- Implementation: 30% (customization, implementation, training)
- Ongoing costs: subscription fee; training; configuration

Backup Slides

Risks for a cloud-based eCTD system
1. Compliance
2. Data Security
3. Service Reliability
4. Software Management

Mitigation of Risks - 1. Compliance
Risk: Without full control over the infrastructure, how can IQ, OQ and PQ validation be completed?
Cloud provider responsibilities:
1) Infrastructure provided with full IQ validation
2) Provide OQ and PQ validation scripts and support
3) Support data center audits
4) Functional compliance such as electronic signatures, lifecycle management and audit trail

Mitigation of Risks - 2. Data Security
Risk: Limited transparency into, and control over, the security elements used by the cloud provider; risk of a possible data breach/theft.
Cloud provider responsibilities:
1) Secure connection to the cloud (VPN)
2) System access protection & user management
3) Separate, secure data storage including encryption
4) Data center location (EU data protection act)
5) Certifications: ISO 27001, PCI DSS

Mitigation of Risks - 2. Data Security: cloud provider technical architecture (schematic)
User -> SSL encryption and/or VPN -> Firewall & application firewall -> Application (multiple application instances) -> encrypted customer storage (DB and storage, separate per customer)

Mitigation of Risks - 3. Service Reliability
Risk: The cloud provider is subject to data center outages.
Cloud provider responsibilities:
1) Local data synchronization (i.e. Dropbox concept)
2) Backup strategy (redundant data center)
3) Detailed Service Level Agreement (SLA)
4) Service monitoring and reporting
5) Scalable server sizing & load balancing
6) Provide caching concepts for large data sets

Mitigation of Risks - 4. Software Management
Risk: Without control over the software, the software update process is not transparent and cannot be validated.
Cloud provider responsibilities:
1) Each customer/tenant has its own database
2) Upgrade concept without interrupting business
3) Quick fallback/switchback scenario

PART III - Questions and Answers (Rainer Schwarz, Cunesoft; Holger Spalt, ivigilance)

Cunesoft GmbH
Marsstrasse 4
80335 Munich
Germany
Phone: +49 (89) 235 14741
E-mail: info@cunesoft.com
Internet: www.cunesoft.com
November 2014