qualify cloud and network infrastructures · · 2016-08-17qualify cloud and network...
TRANSCRIPT
Qualify Cloud and Network
Infrastructures
IVT Data Integrity Validation
Conference
August 17, 2016
www.QACVConsulting.com 1
Objectives
www.QACVConsulting.com 2
• Review Network Infrastructure
Qualification Requirements
• Assess Data Integrity Requirements
related to Network Infrastructure
• Review Auditing Processes for Outsourced
IT Providers
• Managing Outsourced IT Providers
Workshop Agenda
www.QACVConsulting.com 3
• Introductions
• Elements of Network Infrastructure
• Infrastructure Qualification Requirements
• Breakout – develop Network Infrastructure Requirements
• Overview of Cloud IT Providers
• Management of Cloud Vendors
• Breakout – develop checklist to evaluate Cloud Suppliers
Network Infrastructure Qualification
www.QACVConsulting.com 4
• Why is network qualification important?
• What are network infrastructure
components?
• How do you qualify network infrastructure?
• How does network infrastructure impact
data integrity?
Why is Network Qualification
Important?
www.QACVConsulting.com 5
Why is Network Qualification
Important?
www.QACVConsulting.com 6
Why is Network Qualification
Important?
www.QACVConsulting.com 7
Why is Network Qualification
Important?
www.QACVConsulting.com 8
What network infrastructure
components to consider?
www.QACVConsulting.com 9
Annex 11 – Infrastructure
• The hardware and software such as networking software and operation systems, which makes it possible for the application to function.
• The application should be validated; IT infrastructure should be qualified.
What network infrastructure
components to consider?
www.QACVConsulting.com 10
Work Station #1
Computerized System
Application Software
Operating System (Windows 7)
SoftwareHardware
Processor SpeedRAM
Disk Space
Workstation
Laptop computer
Network
IBM Compatible
Software
Hardware
Specifications
Test Documents
Reports
User/Technical
Manuals
SOPs
Instrumentation and
Equipment
Network Infrastructure - Data Integrity
Considerations
www.QACVConsulting.com 11
GxP Data Integrity Controls
Qualified Infrastructure
Standard Operating Procedures
Trained Personnel (including IT)
Validated Applications
Data Integrity
Data Availability
Data Retention
GxP Processes Impacted by
Network Infrastructure
www.QACVConsulting.com 12
Security
Access Controls
System Availability
Backup Processes
Disaster Recovery
Archival
Network
Infrastructure
www.QACVConsulting.com 13
“Standard Build”
• Date/time stamp controls
• Network backup
• Access controls
How can network controls impact
GxP Processes?
Non-Standard
Build
X
• Audit logs not backed up
• User access not controlled
Network Infrastructure Components
www.QACVConsulting.com 14
• Servers
• Routers
• Switches
• Storage Devices
• Active Directory
• Directory/Folder Structures
• Facilities
• Fire/Water Prevention
• Environmental – temperature, humidity
• UPS Devices
• Generators
• Fail-Over Location
Network Infrastructure Components
www.QACVConsulting.com 15
Servers, Routers, Switches System Availability
Security
Storage Devices Record Retention
Backup Processes
Active Directory Security
Directory/Folder Structures Security
Facilities System/Record Availability
Security
Fire/Water Prevention System/Record Availability
Environmental – temperature,
humidity
System/Record Availability
UPS Devices System/Record Availability
Generators System/Record Availability
Fail-Over Location System/Record Availability
Network Impact on Data Integrity
www.QACVConsulting.com 16
ELISA Data Process Flow
Data
Flow
LIMSELISA SOftware Company Network
Protocol(.xyz file)
Sample Analysis
Setup Run
Data File(.db file)
Export .txt Data File
Secure Network Location
Secure Network Location
Save .db Data File
.db File backed up
.txt File backed up
LIMS Database
Import .txt file to LIMS
.db File archived
Secure Network Location
Backup Location
www.QACVConsulting.com 17
Data Lifecycle
Generate ModifyReview / Approve
UseRetain / Retrieve
Destroy
Specify
Design
Configure
Verify
Validation
Considerations for Data Integrity
www.QACVConsulting.com 18
Calibration
Calibration
IT Controls
Record Management
IT Controls
- User access
Record Retention
& Archival
IT Controls
Validation
FDA Warning Letter
www.QACVConsulting.com 19
• The Wide Area Network is used to connect
network applications to local area
networks.
• The network documentation was not
included in the validation efforts and
therefore lacked adequate documentation
controls.
How do you qualify a network
infrastructure?
www.QACVConsulting.com 20
Network Infrastructure Requirements
Network Qualification Plan
Establishment of SOPs and Supporting Processes
• Help Desk
• Monitoring
• Security
Installation/Operational Qualification / Verification
Network Qualification Protocol(s)
Trace Matrix
Network Qualification Summary Report
Network Infrastructure Qualification
Requirements
www.QACVConsulting.com 21
Requirement ID
#
Requirement Description
Personnel Controls
PC-1 Network administrators will have the ability to administer user access and privileges to the domain and
network via login and passwords.
PC-2 Only authorized personnel will be given access to the network.
PC-3Authorized personnel will be assigned specific privileges and rights within the network.
PC-4 Access to the network will be modified and documented, when necessary, upon change in authorized
personnel job function or responsibility.
PC-5 Access to the network will be revoked upon personnel termination or determination that network access is no
longer required.
PC-6 Training will be required for personnel, including external parties such as consultants and other non-
employees, using, implementing, and maintaining the network.
Network Security
NS-1 Network password standards such be maintained.
NS-2Anti-virus and other malicious software monitoring and prevention tools will be implemented and maintained in
an updated condition on the network and associated workstations.
NS-3 The network will include controls to assure date and time stamps on network components and workstations
are secured.
Network Control, Monitoring and Maintenance
Other Network Infrastructure
Requirements?
www.QACVConsulting.com 22
Network Control, Monitoring, and Maintenance
Record Management
Access Controls
Computer Room Requirements
Required SOPs
Recommended SOPs
www.QACVConsulting.com 23
• Network security and administration
• Physical security
• Malware and Virus Protection
• File storage and transfer
• Workstation Management
• Problem Management and Help Desk Reporting
• Backup and restore
• Training
• Validation/Qualification
• Change control
• Disaster Recovery
Planning
• Network Monitoring and
Maintenance
• Record Retention and
Archival
• Periodic Review
• Supplier Management
Network Infrastructure
Qualification Plan
www.QACVConsulting.com 24
Network Infrastructure
Qualification Plan Activities
www.QACVConsulting.com 25
• Network Infrastructure Qualification Plan
• Network Infrastructure Requirements
• Specifications – Servers, Routers, Switches
• Required SOPs
• Network Infrastructure Diagrams
• Network Component Inventory
• Installation/Operational Qualification– Servers
– Computer Room
• Network Infrastructure Test Protocol
• Training
• Traceability Matrix
• Network Infrastructure Qualification Summary Report
Server Specifications
www.QACVConsulting.com 26
Breakout – Develop Network
Requirements Specification
www.QACVConsulting.com 27
Auditing Strategies for Outsourced
IT Suppliers
www.QACVConsulting.com 28
• Historical Perspective
• Requirements for Cloud Vendors
• Incorporating Cloud Requirements into the
Quality System
• Quality Agreements
• Evaluating Cloud Vendors
• Managing Changes to Cloud
Infrastructures
Auditing Strategies for Outsourced
IT Suppliers
www.QACVConsulting.com 29
• History
• Quality Agreement
• Help Desk
• Training
• Data integrity requirements should be incorporated into the company’s contractor/vendor qualification/assurance program and associated procedures.
• In addition to having their own data governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The contract acceptor should apply equivalent levels of control to those applied by the contract giver.
• Formal assessment of the contract acceptors competency and compliance in this regard should be conducted in the first instance prior to the approval of a contractor, and thereafter verified on a periodic basis at an appropriate frequency based on risk.
• SOC 2 Reports
• 29, 41
• Governance
Historical Perspective
www.QACVConsulting.com 30
Historical Perspective
www.QACVConsulting.com 31
Private Cloud
Determining Cloud Vendor Requirements –
Controls for Computing Environments
GxP Data Integrity Controls
Qualified Infrastructure
Standard Operating Procedures
Trained Personnel (including IT)
Validated Applications
Data Integrity
Data Availability
Data Retention
www.QACVConsulting.com 32
Historical Perspective
www.QACVConsulting.com 33
Pharma A
GxPData Integrity Controls
Qualified Infrastructure
Standard Operating Procedures
Trained Personnel (including IT)
Validated ApplicationsSTILL NEED
Data Center Inc
Private Cloud
Software as a Service
www.QACVConsulting.com 34
Fail Over Site
Software Applications
QMS
LIMS
SaaS Provider
Data Center
Software
Vendor
• Quality System
• SLC Processes
• Customer Support
Typically not directly regulated or inspected by regulatory agencies.
Audited by clients for adherence to standards.
Quality of SDLC Documentation, Testing, etc. varies considerably for
each vendor.
Sponsor responsible for installation, validation, and data integrity controls
at sponsor location.
Software as a Service Provider• Quality System
• SLC Processes
• Customer Support
• Validation
• Record Keeping Controls
Hosted Environment is used for a direct GxPfunction (record keeping)
and is more likely to be inspected by regulatory agencies.
Audited by clients for adherence to standards (GxP, Part 11).
Quality of SDLC Documentation, Testing, etc. varies considerably for
each vendor.
SaaS provider responsible for some aspects of installation, validation,
and data integrity controls.
www.QACVConsulting.com 35
Software Vendor
Hosted
Environment
Annex 11 – Suppliers and Service Providers
Suppliers and Service Providers
Formal Agreements required to include clear statements of responsibilities
IT departments should be considered analogous
Provide
Install
Configure
Integrate
Modify
Retain
Validate
Maintain
8/17/2016 www.QACVConsulting.com 36
Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.
www.QACVConsulting.com 37
Data Integrity & Recordkeeping Controls
Data Integrity Compliance Program
SOPs
Validation
Infrastructure Qualification
Security Program
Training
Change Control
Data Integrity Data Availability Data Retention
SOPs
Change Control
Backup and Restore
Problem Reporting
Business Continuity
Disaster Recovery Plan
SOPs
Change Control
Backup and Restore
Business Continuity
Disaster Recovery Plan
Record Retention Policy
Archival
Data Integrity Controls
Data Integrity Compliance Program
SOPs
Validation
Change Control
Security Program
Training
Problem Reporting
Business Continuity Plan
Record Retention Policy
Pharma Company
Data Integrity Compliance Program
SOPs
Validation / SDLC
Change Control
Infrastructure Qualification
Security Program
Training
Backup and Restore
Problem Reporting
Business Continuity
Disaster Recovery Plan
SaaS Provider
www.QACVConsulting.com 38
Quality Agreements
8/17/2016 www.QACVConsulting.com 39
Services
Multi –Tenant Model– Single instance of the software runs on a server, serving multiple client-
organizations
Single Tenant– Dedicated hardware and software supporting a single client
The model chosen has implications on security, qualification, validation, change
control and other compliance considerations.
www.QACVConsulting.com 40
An iterative and incremental agile development framework for managing software projects.
A flexible, holistic product development strategy where a development team works as a unit to reach a common goal.
Enables teams to self-organize by encouraging physical co-location or close online collaboration of all team members and daily face to face communication among all team members and disciplines in the project.
Agile - Scrum
www.QACVConsulting.com 41
SDLC – Agile Methodology
www.QACVConsulting.com 42
SDLC/Vendor Tools
8/17/2016 www.QACVConsulting.com 43
Requirements Management
Source Code Management
Configuration Management
Code Review and Unit Testing
Testing – including automated testing
Issue Management
Customer Support
Document Management
SDLC/Vendor Tools - Examples
8/17/2016 www.QACVConsulting.com 44
Test Stuff
Test Track
CoSign
SharePoint
Wiki Pages
Salesforce.com
Team Foundation
Server (TFS)
HP Quality Center
HP Load Runner
Altassian (Jira)
Subversion
SDLC Tools
8/17/2016 www.QACVConsulting.com 45
Team Foundation Server (TFS) Requirements Management
Use Cases
User Stories
Design
Code Review
Unit Testing
Traceability
Testing
Approvals
Release Management
SDLC Tools
8/17/2016 www.QACVConsulting.com 46
What do the tools do?
Do the tools impact software quality?
Do the vendor’s procedures reflect the use
of these tools?
Are the tools controlled or qualified?
How are the records maintained by the
tools managed and controlled?
SDLC Tools – What can go wrong?
8/17/2016 www.QACVConsulting.com 47
Issue Management Vendor used a cloud “hosted” version of Jira,
which was used for issue management and change control.
The license was not renewed and all records were lost.
Electronic Approval Vendor used a local implementation of CoSign for
approval of records.
When license expired the electronic signatures applied previously could not be validated.
SDLC Tools – What can go wrong?
8/17/2016 www.QACVConsulting.com 48
Document Management
Vendor used SharePoint workflow for approval of
quality documents. The SharePoint configuration
was setup to delete workflows after 90 days.
All workflows (and subsequent document
approvals) were deleted for all quality documents.
Testing
Test Stuff testing records could not be located for
SQA testing.
SaaS Vendor Responsibilities
• Validation (with sponsor)
• Change Control
• Incident Management
• Maintenance
• Security (Physical and Logical)
• Electronic recordkeeping
• Backup and Restore
• Disaster Recovery
8/17/2016 www.QACVConsulting.com 49
Validation
8/17/2016 www.QACVConsulting.com 50
SOPs
Validation Plan
User Requirements Specification
User Acceptance Testing (PQ)
Traceability
System Acceptance
Validation Report
SOPs
SDLC Methodology
Functional Specification
Configuration
Installation (IQ)
System Testing (Operational Qualification)
System Release to Customer
Traceability
Pharma Company SaaS Provider
51
Validation
• Comply with EU GMP Annex 11.
• Requires an understanding of the computerisedsystem's function within a process.
• The acceptance of vendor-supplied validation data in isolation of system configuration and intended use is not acceptable.
• In isolation from the intended process, vendor testing is likely to be limited to functional verification only, and may not fulfil the requirements for performance qualification.
MHRA GuidanceTerms and Definitions
www.QACVConsulting.com 51
FDA GuidanceWorkflows
www.QACVConsulting.com 52
Validation of “workflows”
• A workflow, such as creation of an electronic master production and control record, is an intended use of a computer system to be checked through validation.
• If you validate the computer system, but you do not validate it for its intended use, you cannot know if your workflow runs correctly.
53
Data Integrity Vendor Supplied Validation Documentation
www.QACVConsulting.com 53
Approval of Records
• Requested configuration specification – none available
• Internal assessment of Stability LIMS
• Vendor Supplied Documentation Provided
• User Requirements Specification
• User Acceptance Test
• URS – Included statement “the system has a ‘configurable option’
for ….. electronic signatures”.
• Reviewed configuration within system – esigs turned off
• Reviewed UAT documentation – esigs functionality passed
• Record integrity issue – lack of approved stability protocols
• First step of test – turn on esig functionality
• Last step of test – turn off esig functionality
• Requested system demonstration – approval by pressing approve button
Co-Location Facilities
www.QACVConsulting.com 54
Fail Over Site
Software Applications
QMS
LIMS
SaaS Provider
Data Center
SOC 2 Reports
www.QACVConsulting.com 55
SOC Reports - Overview
■ Focus on controls related to financial reporting
■ CPA’s need to understand risks related to use of service organizations● Risks of the service organization become risks for the user
• Security
• Privacy Breaches
• Fraud
■ Increasing regulatory requirements● Sarbanes-Oxley
● HIPAA
56 www.QACVConsulting.com 56
SOC Reports - Overview
■ Management needs to demonstrate to stakeholders that risks related to security, availability, and processing integrity are assessed.
■ Independent CPAs exam and assess service organization’s controls.
■ AICPA (American Institute of Certified Public Accountants) has established SOC 1, SOC 2, and SOC 3 reports to provide the framework to examine service organization controls.
■ SOC Reports replaced SAS 70 (Statement on Auditing Standards).
57 www.QACVConsulting.com 57
SOC 2 Reports
■ Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy. ● For organizations that operate, collect, process,
transmit, store, organize, maintain and dispose of information.
● Uses predefined criteria in Trust Services Principles, Criteria and Illustrations.
● Type 2 reports include a description tests performed by service auditor and results of tests.
5858 www.QACVConsulting.com 58
What is included in a SOC 2 Report
59
SOC 2 Considerations
■ SOC 2 Reports may pertain to one data center, or they may summarize controls for all data centers owned by an organization.
■ One data center may have multiple SOC 2 reports which pertain to multiple organizations.
● Physical Data Center
● Managed Services Organization
● Software as a Service Provider
■ Exceptions noted should be addressed.
■ SaaS providers may use different primary and failover data center service providers, each with different SOC 2 reports and structures.
606060 www.QACVConsulting.com 60
Breakout – Develop Checklist for
Evaluating Vendors
www.QACVConsulting.com 61
Chris Wubbolt
QACV Consulting, LLC
www.QACVConsulting.com
Telephone: 610-442-2250
E-mail: [email protected]
62
Contact Information
www.QACVConsulting.com