Qualify Cloud and Network Infrastructures

IVT Data Integrity Validation Conference

August 17, 2016

www.QACVConsulting.com

Objectives

• Review Network Infrastructure Qualification Requirements

• Assess Data Integrity Requirements related to Network Infrastructure

• Review Auditing Processes for Outsourced IT Providers

• Managing Outsourced IT Providers

Workshop Agenda

• Introductions

• Elements of Network Infrastructure

• Infrastructure Qualification Requirements

• Breakout – develop Network Infrastructure Requirements

• Overview of Cloud IT Providers

• Management of Cloud Vendors

• Breakout – develop checklist to evaluate Cloud Suppliers

Network Infrastructure Qualification

• Why is network qualification important?

• What are network infrastructure components?

• How do you qualify network infrastructure?

• How does network infrastructure impact data integrity?

Why is Network Qualification Important?

What network infrastructure components to consider?

Annex 11 – Infrastructure

• The hardware and software such as networking software and operation systems, which makes it possible for the application to function.

• The application should be validated; IT infrastructure should be qualified.

What network infrastructure components to consider?

[Diagram: a computerized system (Work Station #1). Labels: Application Software; Operating System (Windows 7); Software; Hardware; Processor Speed; RAM; Disk Space; Workstation; Laptop computer; Network; IBM Compatible; Specifications; Test Documents; Reports; User/Technical Manuals; SOPs; Instrumentation and Equipment]

Network Infrastructure - Data Integrity Considerations

GxP Data Integrity Controls

Qualified Infrastructure

Standard Operating Procedures

Trained Personnel (including IT)

Validated Applications

Data Integrity

Data Availability

Data Retention

GxP Processes Impacted by Network Infrastructure

Security

Access Controls

System Availability

Backup Processes

Disaster Recovery

Archival

Network Infrastructure

How can network controls impact GxP Processes?

“Standard Build”

• Date/time stamp controls

• Network backup

• Access controls

Non-Standard Build (X)

• Audit logs not backed up

• User access not controlled

Network Infrastructure Components

• Servers

• Routers

• Switches

• Storage Devices

• Active Directory

• Directory/Folder Structures

• Facilities

• Fire/Water Prevention

• Environmental – temperature, humidity

• UPS Devices

• Generators

• Fail-Over Location

Network Infrastructure Components

Servers, Routers, Switches: System Availability, Security

Storage Devices: Record Retention, Backup Processes

Active Directory: Security

Directory/Folder Structures: Security

Facilities: System/Record Availability, Security

Fire/Water Prevention: System/Record Availability

Environmental – temperature, humidity: System/Record Availability

UPS Devices: System/Record Availability

Generators: System/Record Availability

Fail-Over Location: System/Record Availability

Network Impact on Data Integrity

[Diagram: ELISA Data Process Flow (data flow across LIMS, ELISA Software, Company Network). Labels: Protocol (.xyz file); Sample Analysis; Setup Run; Data File (.db file); Export .txt Data File; Save .db Data File; Secure Network Location; .db File backed up; .txt File backed up; Import .txt file to LIMS; LIMS Database; .db File archived; Backup Location]

Data Lifecycle

Generate

Modify

Review / Approve

Use

Retain / Retrieve

Destroy

Specify

Design

Configure

Verify

Validation

Considerations for Data Integrity

Calibration

Calibration

IT Controls

Record Management

IT Controls

- User access

Record Retention & Archival

IT Controls

Validation

FDA Warning Letter

• The Wide Area Network is used to connect network applications to local area networks.

• The network documentation was not included in the validation efforts and therefore lacked adequate documentation controls.

How do you qualify a network infrastructure?

Network Infrastructure Requirements

Network Qualification Plan

Establishment of SOPs and Supporting Processes

• Help Desk

• Monitoring

• Security

Installation/Operational Qualification / Verification

Network Qualification Protocol(s)

Trace Matrix

Network Qualification Summary Report

Network Infrastructure Qualification Requirements

Requirement ID # / Requirement Description

Personnel Controls

PC-1 Network administrators will have the ability to administer user access and privileges to the domain and network via login and passwords.

PC-2 Only authorized personnel will be given access to the network.

PC-3 Authorized personnel will be assigned specific privileges and rights within the network.

PC-4 Access to the network will be modified and documented, when necessary, upon change in authorized personnel job function or responsibility.

PC-5 Access to the network will be revoked upon personnel termination or determination that network access is no longer required.

PC-6 Training will be required for personnel, including external parties such as consultants and other non-employees, using, implementing, and maintaining the network.

Network Security

NS-1 Network password standards should be maintained.

NS-2 Anti-virus and other malicious software monitoring and prevention tools will be implemented and maintained in an updated condition on the network and associated workstations.

NS-3 The network will include controls to assure date and time stamps on network components and workstations are secured.

Network Control, Monitoring and Maintenance

Other Network Infrastructure Requirements?

Network Control, Monitoring, and Maintenance

Record Management

Access Controls

Computer Room Requirements

Required SOPs

Recommended SOPs

• Network security and administration

• Physical security

• Malware and Virus Protection

• File storage and transfer

• Workstation Management

• Problem Management and Help Desk Reporting

• Backup and restore

• Training

• Validation/Qualification

• Change control

• Disaster Recovery Planning

• Network Monitoring and Maintenance

• Record Retention and Archival

• Periodic Review

• Supplier Management

Network Infrastructure Qualification Plan

Network Infrastructure Qualification Plan Activities

• Network Infrastructure Qualification Plan

• Network Infrastructure Requirements

• Specifications – Servers, Routers, Switches

• Required SOPs

• Network Infrastructure Diagrams

• Network Component Inventory

• Installation/Operational Qualification

– Servers

– Computer Room

• Network Infrastructure Test Protocol

• Training

• Traceability Matrix

• Network Infrastructure Qualification Summary Report

Server Specifications

Breakout – Develop Network Requirements Specification

Auditing Strategies for Outsourced IT Suppliers

• Historical Perspective

• Requirements for Cloud Vendors

• Incorporating Cloud Requirements into the Quality System

• Quality Agreements

• Evaluating Cloud Vendors

• Managing Changes to Cloud Infrastructures

Auditing Strategies for Outsourced IT Suppliers

• History

• Quality Agreement

• Help Desk

• Training

• Data integrity requirements should be incorporated into the company’s contractor/vendor qualification/assurance program and associated procedures.

• In addition to having their own data governance systems, companies outsourcing activities should verify the adequacy of comparable systems at the contract acceptor. The contract acceptor should apply equivalent levels of control to those applied by the contract giver.

• Formal assessment of the contract acceptor's competency and compliance in this regard should be conducted in the first instance prior to the approval of a contractor, and thereafter verified on a periodic basis at an appropriate frequency based on risk.

• SOC 2 Reports

• 29, 41

• Governance

Historical Perspective

Private Cloud

Determining Cloud Vendor Requirements – Controls for Computing Environments

GxP Data Integrity Controls

Qualified Infrastructure

Standard Operating Procedures

Trained Personnel (including IT)

Validated Applications

Data Integrity

Data Availability

Data Retention

Historical Perspective

Pharma A

GxP Data Integrity Controls

Qualified Infrastructure

Standard Operating Procedures

Trained Personnel (including IT)

Validated Applications

STILL NEED

Data Center Inc

Private Cloud

Software as a Service

Fail Over Site

Software Applications

QMS

LIMS

SaaS Provider

Data Center

Software Vendor

• Quality System

• SLC Processes

• Customer Support

Typically not directly regulated or inspected by regulatory agencies.

Audited by clients for adherence to standards.

Quality of SDLC Documentation, Testing, etc. varies considerably for each vendor.

Sponsor responsible for installation, validation, and data integrity controls at sponsor location.

Software as a Service Provider

• Quality System

• SLC Processes

• Customer Support

• Validation

• Record Keeping Controls

Hosted Environment is used for a direct GxP function (record keeping) and is more likely to be inspected by regulatory agencies.

Audited by clients for adherence to standards (GxP, Part 11).

Quality of SDLC Documentation, Testing, etc. varies considerably for each vendor.

SaaS provider responsible for some aspects of installation, validation, and data integrity controls.

[Diagram labels: Software Vendor; Hosted Environment]

Annex 11 – Suppliers and Service Providers

Suppliers and Service Providers

Formal Agreements required to include clear statements of responsibilities

IT departments should be considered analogous

Provide

Install

Configure

Integrate

Modify

Retain

Validate

Maintain

Quality system and audit information relating to suppliers or developers of software and implemented systems should be made available to inspectors on request.

Data Integrity & Recordkeeping Controls

Data Integrity Compliance Program

SOPs

Validation

Infrastructure Qualification

Security Program

Training

Change Control

Data Integrity Data Availability Data Retention

SOPs

Change Control

Backup and Restore

Problem Reporting

Business Continuity

Disaster Recovery Plan

SOPs

Change Control

Backup and Restore

Business Continuity

Disaster Recovery Plan

Record Retention Policy

Archival

Data Integrity Controls

Data Integrity Compliance Program

SOPs

Validation

Change Control

Security Program

Training

Problem Reporting

Business Continuity Plan

Record Retention Policy

Pharma Company

Data Integrity Compliance Program

SOPs

Validation / SDLC

Change Control

Infrastructure Qualification

Security Program

Training

Backup and Restore

Problem Reporting

Business Continuity

Disaster Recovery Plan

SaaS Provider

Quality Agreements

Services

Multi-Tenant Model – Single instance of the software runs on a server, serving multiple client-organizations

Single Tenant – Dedicated hardware and software supporting a single client

The model chosen has implications on security, qualification, validation, change control and other compliance considerations.

Agile - Scrum

An iterative and incremental agile development framework for managing software projects.

A flexible, holistic product development strategy where a development team works as a unit to reach a common goal.

Enables teams to self-organize by encouraging physical co-location or close online collaboration of all team members and daily face to face communication among all team members and disciplines in the project.

SDLC – Agile Methodology

SDLC/Vendor Tools

Requirements Management

Source Code Management

Configuration Management

Code Review and Unit Testing

Testing – including automated testing

Issue Management

Customer Support

Document Management

SDLC/Vendor Tools - Examples

Test Stuff

Test Track

CoSign

SharePoint

Wiki Pages

Salesforce.com

Team Foundation Server (TFS)

HP Quality Center

HP Load Runner

Atlassian (Jira)

Subversion

SDLC Tools

Team Foundation Server (TFS)

Requirements Management

Use Cases

User Stories

Design

Code Review

Unit Testing

Traceability

Testing

Approvals

Release Management

SDLC Tools

What do the tools do?

Do the tools impact software quality?

Do the vendor’s procedures reflect the use of these tools?

Are the tools controlled or qualified?

How are the records maintained by the tools managed and controlled?

SDLC Tools – What can go wrong?

Issue Management

Vendor used a cloud “hosted” version of Jira, which was used for issue management and change control.

The license was not renewed and all records were lost.

Electronic Approval

Vendor used a local implementation of CoSign for approval of records.

When the license expired, the electronic signatures applied previously could not be validated.

SDLC Tools – What can go wrong?

Document Management

Vendor used SharePoint workflow for approval of quality documents. The SharePoint configuration was set up to delete workflows after 90 days.

All workflows (and subsequent document approvals) were deleted for all quality documents.

Testing

Test Stuff testing records could not be located for SQA testing.

SaaS Vendor Responsibilities

• Validation (with sponsor)

• Change Control

• Incident Management

• Maintenance

• Security (Physical and Logical)

• Electronic recordkeeping

• Backup and Restore

• Disaster Recovery

Validation

SOPs

Validation Plan

User Requirements Specification

User Acceptance Testing (PQ)

Traceability

System Acceptance

Validation Report

SOPs

SDLC Methodology

Functional Specification

Configuration

Installation (IQ)

System Testing (Operational Qualification)

System Release to Customer

Traceability

Pharma Company SaaS Provider

Validation

MHRA Guidance

Terms and Definitions

• Comply with EU GMP Annex 11.

• Requires an understanding of the computerised system's function within a process.

• The acceptance of vendor-supplied validation data in isolation of system configuration and intended use is not acceptable.

• In isolation from the intended process, vendor testing is likely to be limited to functional verification only, and may not fulfil the requirements for performance qualification.

FDA Guidance

Workflows

Validation of “workflows”

• A workflow, such as creation of an electronic master production and control record, is an intended use of a computer system to be checked through validation.

• If you validate the computer system, but you do not validate it for its intended use, you cannot know if your workflow runs correctly.

Data Integrity Vendor Supplied Validation Documentation

Approval of Records

• Requested configuration specification – none available

• Internal assessment of Stability LIMS

• Vendor Supplied Documentation Provided

• User Requirements Specification

• User Acceptance Test

• URS – Included statement “the system has a ‘configurable option’ for ….. electronic signatures”.

• Reviewed configuration within system – esigs turned off

• Reviewed UAT documentation – esigs functionality passed

• Record integrity issue – lack of approved stability protocols

• First step of test – turn on esig functionality

• Last step of test – turn off esig functionality

• Requested system demonstration – approval by pressing approve button

Co-Location Facilities

Fail Over Site

Software Applications

QMS

LIMS

SaaS Provider

Data Center

SOC 2 Reports

SOC Reports - Overview

■ Focus on controls related to financial reporting

■ CPAs need to understand risks related to use of service organizations

● Risks of the service organization become risks for the user

• Security

• Privacy Breaches

• Fraud

■ Increasing regulatory requirements

● Sarbanes-Oxley

● HIPAA

SOC Reports - Overview

■ Management needs to demonstrate to stakeholders that risks related to security, availability, and processing integrity are assessed.

■ Independent CPAs examine and assess service organization’s controls.

■ AICPA (American Institute of Certified Public Accountants) has established SOC 1, SOC 2, and SOC 3 reports to provide the framework to examine service organization controls.

■ SOC Reports replaced SAS 70 (Statement on Auditing Standards).

SOC 2 Reports

■ Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy.

● For organizations that operate, collect, process, transmit, store, organize, maintain and dispose of information.

● Uses predefined criteria in Trust Services Principles, Criteria and Illustrations.

● Type 2 reports include a description of tests performed by service auditor and results of tests.

What is included in a SOC 2 Report

SOC 2 Considerations

■ SOC 2 Reports may pertain to one data center, or they may summarize controls for all data centers owned by an organization.

■ One data center may have multiple SOC 2 reports which pertain to multiple organizations.

● Physical Data Center

● Managed Services Organization

● Software as a Service Provider

■ Exceptions noted should be addressed.

■ SaaS providers may use different primary and failover data center service providers, each with different SOC 2 reports and structures.

Breakout – Develop Checklist for Evaluating Vendors

Contact Information

Chris Wubbolt

QACV Consulting, LLC

www.QACVConsulting.com

Telephone: 610-442-2250

E-mail: [email protected]