Pharma Cloud Adoption and Qualification Trends

Our Cloud Experience
- Numerous implementations of EDMS systems with external hosting for smaller life science clients
- Development of qualification strategy for tier-1 pharma company for potentially GxP critical solution based on Amazon (SaaS)
- Development of qualification strategy for tier-1 pharma company for MS Office 365 implementation (PaaS)
- Development of qualification strategy for tier-1 pharma company for MS Azure (IaaS)

Going Cloud
A number of challenges need to be addressed by regulated life science companies:
- Which cloud model do I choose (IaaS, PaaS, SaaS)?
- How do I set forth a validation strategy?
- Can I rely on vendor processes and procedures?
- Has anyone else done it before?
- What do inspectors say?
- Where to get guidance on cloud validation?
- Data security and data privacy

Responsibility
The responsibility does not disappear when you outsource.
"The regulated company remains responsible for the regulatory compliance of their IT operations regardless of whether they choose to outsource/offshore some or their entire IT infrastructure processes to external service provider(s). Compliance oversight and approvals cannot be delegated to the outsource partner."
Source: GAMP Good Practice Guide: IT Infrastructure Control and Compliance, Appendix 8: Outsourcing

What is Cloud?
NIST (National Institute of Standards and Technology), The NIST Definition of Cloud Computing, 2011

Regulatory Considerations
- Overall regulatory requirements are, in reality, the same as for on-premise IT systems
- We are responsible for everything in the cloud, including the infrastructure
- We need to adopt the vendor's processes and procedures, and we need to defend these during audits
- Overall risk assessments required
- Adoption of vendor documentation required
- Potential gaps need to be filled

QMS and Cloud
How do we adjust the QMS to include cloud, and how do we overcome the challenge of inexperienced inspectors?
- Accept your regulatory responsibility for everything in the cloud and for the infrastructure of the cloud
- Align the QMS with the approach for cloud validation, so the known approach for a normal validation is linked to the approach for cloud
- The inspector will understand the approach better, since it is directly comparable to on-premise systems

Overall Process

Compliance Approach

Specifications
Requirement Specification
- Gather requirements according to the standard company process
Technical Specification
- Describing technical interfaces to the solution, technical requirements, etc.
- Describing interfaces (e.g. Active Directory set-up), etc.
- On-premise interfaces
- Encryption solution

Assessments
Use a Cloud Navigation Tool for assessing cloud suitability: GxP, 21 CFR Part 11 and business criticality
- Data classification
- Security risk
- Level of control required?
- Where can data be stored?
- Encryption required?

Service and Deployment
The service and deployment model must be chosen
- Evaluate, based on the assessments, which service and deployment model best fits the requirements and assessments
- IaaS, PaaS, SaaS?
- Type of cloud?

Service Provider
The supplier must be assessed
- Perform an audit of the service provider in order to assess the level of quality and controls
  - Capability as software vendor
  - Capability as service provider
- If an audit is not possible, make an assessment of material provided by the supplier, certifications and 3rd party reports, and take this into account in the risk assessment and qualification strategy
- Standard Operating Procedures from the service provider

Contracts and SLAs
- The contract, and especially the Service Level Agreement, must reflect the requirements for a GxP solution and a sufficient level of control
- Note that some major service providers only offer a standard SLA. This may require additional controls
- All services delivered by the service provider must be evaluated against both business and GxP requirements. Where the level of control is evaluated to be insufficient, the customer must either request extra controls from the service provider or establish its own control mechanisms

Cloud Control
- Identify relevant controls for the chosen service using a Cloud Control Matrix
- The matrix lists company requirements for, e.g., change control. These are compared to the service provided and its control objectives, and gaps are identified
- Gaps are filled with revised SLAs, internal procedures and controls

Infrastructure Controls

Control Objectives
Changes
- Regular reviews of the change log
- Monitor changes in the production environment
- Follow-up on release plan from supplier
- Test documentation
- Training records
User Access
- Periodic user access review
Security
- Yearly penetration testing
- Yearly review of SSAE16 SOC 1 Type 2 audit report
- Periodic review of certifications and accreditations from the service provider
- Review of Configuration Item List

Annual Control Wheel
[Diagram: a wheel of recurring controls grouped by owner (customer vs. service provider) and scheduled daily/weekly, monthly, quarterly or yearly; the per-item frequency labels were not recoverable from the extraction. Items shown on the wheel:]
Customer
- Periodic review of technical accounts
- Revocation of user accounts and shared accounts
- Periodic review of administrator accounts
- Periodic review of user accounts
- Periodic review of shared accounts
Service Provider
- Disaster recovery test
- Penetration testing
- SSAE16 SOC 1 Type 2 audit report
- Back-up report
- Monthly update (summary of updates and patches, incidents)
- Evaluate the security of one site against recognized standards
- Audit one site for adherence to best practice for high performance, plus a performance assessment report

First Steps
1. Create a Cloud Governance Policy to establish a standardized and effective approach to the selection, integration, ongoing management and subsequent decommissioning of cloud-based IT services (System Life Cycle)
2. Establish a Cloud Navigation Tool: is cloud a suitable solution? Which type of cloud? Do the service provider and the service fit?
3. Establish a Cloud Control Matrix with all requirements for controls. Evaluate the services delivered against internal control requirements. Fill in the blanks by updating the SLA, creating internal controls, etc.
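The Cloud Control Matrix described under "Cloud Control" and again in step 3 above, together with the recurring reviews of the control wheel, can be modelled as a small data set and checked mechanically. The following Python is an added example written for this page; it is not a tool from the presenter or from any vendor, and every control name, cadence, date and evidence reference in it is constructed for illustration. It compares company control requirements against what the provider documents, assigns each gap the remedy the slides name (revised SLA, or an internal control when only a standard SLA is on offer), and flags recurring controls whose last execution is older than their required cadence.

```python
"""Cloud Control Matrix gap analysis (added example; not from the original slides).

Company control requirements are listed per control objective, compared
against what the service provider actually delivers, and each gap gets a
remedy. A second pass checks the recurring controls of the control wheel
for overdue execution. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Cadence in days; used to compare required vs. delivered frequency and to
# decide whether a recurring control is overdue.
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 31, "quarterly": 92, "yearly": 366}


@dataclass(frozen=True)
class Requirement:
    objective: str   # control objective, e.g. "Changes", "User Access", "Security"
    control: str     # company control requirement
    frequency: str   # minimum cadence the company requires
    owner: str       # "provider" or "customer": who must operate the control


@dataclass(frozen=True)
class DeliveredControl:
    control: str     # control name as found in the provider's documentation
    frequency: str   # cadence the provider commits to (SLA, SOC report, ...)
    evidence: str    # where the commitment is documented


@dataclass(frozen=True)
class Gap:
    control: str
    reason: str      # "not delivered" or "frequency too low"
    remedy: str      # "revise SLA" or "internal control"


def compare_controls(requirements, delivered, standard_sla_only=False):
    """Return the gaps between company requirements and provider delivery.

    Customer-owned controls are never expected from the provider. When the
    provider only offers a standard SLA, the remedy is an internal control;
    otherwise the first option is to request an SLA revision.
    """
    by_name = {d.control: d for d in delivered}
    remedy = "internal control" if standard_sla_only else "revise SLA"
    gaps = []
    for req in requirements:
        if req.owner != "provider":
            continue
        got = by_name.get(req.control)
        if got is None:
            gaps.append(Gap(req.control, "not delivered", remedy))
        elif FREQUENCY_DAYS[got.frequency] > FREQUENCY_DAYS[req.frequency]:
            gaps.append(Gap(req.control, "frequency too low", remedy))
    return gaps


def overdue_controls(requirements, last_performed, today):
    """Return controls never performed or performed longer ago than their cadence."""
    overdue = []
    for req in requirements:
        last = last_performed.get(req.control)
        if last is None or today - last > timedelta(days=FREQUENCY_DAYS[req.frequency]):
            overdue.append(req.control)
    return overdue


# Constructed sample matrix, following the control objectives on the slides.
REQUIREMENTS = [
    Requirement("Changes", "change log review", "monthly", "customer"),
    Requirement("Changes", "release plan notification", "monthly", "provider"),
    Requirement("User Access", "user access review", "quarterly", "customer"),
    Requirement("Security", "penetration test", "yearly", "provider"),
    Requirement("Security", "SOC 1 Type 2 report", "yearly", "provider"),
    Requirement("Security", "backup report", "monthly", "provider"),
    Requirement("Security", "disaster recovery test", "yearly", "provider"),
]

# Constructed view of what a provider documents in its standard SLA and reports.
DELIVERED = [
    DeliveredControl("penetration test", "yearly", "provider security whitepaper (constructed)"),
    DeliveredControl("SOC 1 Type 2 report", "yearly", "annual audit report (constructed)"),
    DeliveredControl("backup report", "quarterly", "standard SLA (constructed)"),
    DeliveredControl("disaster recovery test", "yearly", "standard SLA (constructed)"),
]

# Constructed execution log for the control wheel, and a fixed reference date.
LAST_PERFORMED = {
    "change log review": date(2024, 5, 1),
    "user access review": date(2024, 1, 15),
    "penetration test": date(2023, 11, 20),
    "SOC 1 Type 2 report": date(2024, 3, 1),
    "backup report": date(2024, 5, 20),
    "disaster recovery test": date(2023, 2, 1),
}
TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for gap in compare_controls(REQUIREMENTS, DELIVERED):
        print(f"GAP  {gap.control}: {gap.reason} -> {gap.remedy}")
    for name in overdue_controls(REQUIREMENTS, LAST_PERFORMED, TODAY):
        print(f"OVERDUE  {name}")
```

Run as written, the gap pass reports the release plan notification (nothing delivered) and the backup report (delivered quarterly, required monthly), and the overdue pass flags the user access review and disaster recovery test as past their cadence plus the never-performed release plan notification. The split between `compare_controls` and `overdue_controls` mirrors the slides' two-stage picture: the matrix decides which controls exist and who owns them, and the wheel then checks that the agreed cadence is actually kept.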

Extra Material

Cloud Controls
Ensure that all processes are controlled either by the service provider, the company, or both.

Implementation
Develop a Qualification Plan:
- Identified gaps from the service assessment are documented in internal procedures and listed in the Qualification Plan
- Summary of the service provider assessment
- Conclusion on the risk assessment

Verification
A qualification must be executed, including:
- Testing of technical specifications
- Test and verification of requirements
- Checklist for verification of additional controls that are not provided by the service provider
- Test and verification of internal company controls