Thursday, 31 October 2013

Auditing the Cloud

I would like to begin by saying  thank-you to those who attended EmpowermentQE's recent seminar in Cork, Ireland, especially those who came from Switzerland and the USA (thank-you). Delegates at the seminar were given the option to choose which topics they wanted to discuss. Cloud computing received a significant amount of interest from delegates. Cloud Validation was the main topic area, and the need for the cloud supplier audit featured heavily.

We focused on how cloud computing can help augment the challenges facing the pharmaceutical and medical device community, by providing cost effective and flexible technology solutions. Despite these benefits, Cloud computing is not without risk, for example, security, data integrity, legality and compliance. Furthermore, the fact that this is relatively new territory for the regulated user only increases uncertainty.

With this in mind, pharmaceutical and medical device companies should ensure that they treat Cloud suppliers as they would any other computerised system third party supplier: ensure comprehensive risk based strategies are in place before entering into a relationship with the supplier; robust contracts/SLA's are defined; and (to ensure compliance to Annex  11, clause 3). Audits were discussed as a key tool in the management of the supplier approach; the due diligence audit discussion examined the objective of ensuring the suitability of the supplier (e.g. business viability, legalities, data risks, validation needs). The regular audits checked for GxP requirements and project specific needs, and specific audits focused on key risk areas or areas of concern arising form the regular audit, such as fault tolerance or security. 

Due to the inherent risks associated with the Cloud, these suppliers must be audited regularly in order to confirm the quality of services is maintained in terms of SLA's and GxP needs. One of the tools for the audit is the checklist. We discussed in our audits series that a useful tool for the audit was the checklist. We discussed some sources of this in the seminar (GxP requirements, SLA, technical expertise, security requirements, risk, supplier project plans, business continuity, supplier audits, previous deviations and so forth).

The following is a small excerpt from EmpowermentQE's information security checklist. We hope it provides some areas to consider when planning on auditing a Cloud supplier. It is by no means intended to be exhaustive and it is advised that those conducting or, preparing for audits should be conscious of the scope and objective of the audit, as detailed in the respective audit plan, SLA and GxP requirements. 


Comments/ Evidence
1. Security

1.1 Is there evidence of dynamic security planning, execution and feedback? Is there an information security policy? Y/N
1.2 Are Risks around security identified, managed and documented using a risk based approach? Y/N
1.3 Personnel audits are conducted at hiring and randomly subsequent to hire to ensure integrity of the system Y/N
1.4 Is there technology to keep up with the hacking community? Has security testing been planned? Is there evidence of penetration testing or even ethical hacking testing? Where the deviations acted upon? Y/N
1.5 is there multi-site back up and disaster recovery procedures in place? Y/N
1.6 ……etc., Y/N
2. Physical security Y/N
2.1 Is video surveillance in place to monitor entrances, staging area and the data centre? Y/N
2.2 Are doors locked at all times and require key card access for point of entry? Y/N
2.3Are the data centre rooms equipped with fire suppression systems, for example, FM-200? Is the entire facility equipped with dry-sprinkler system? Y/N
2.4 Is the facility fault tolerant? E.g. equipped with two independent UPS’s and two independent generators? Y/N
2.5 Is there evidence of server hardening?

2.6 ……etc. Y/N
3. Logical security Y/N
3.1 Has client network security been tested to ensure, that proper segmentation is in place? Y/N
3.2Does access to the validated cloud equipment requires unique password protected login accounts? Y/N
3.3 Do IT administrators provide logins to authorised personnel? Y/N
3.4 Do passwords comprise of at least 8 characters; include alpha and numeric characters and should not include any phrases that could potentially be guessed with ease? Y/N
3.5 Are passwords changed every 90 days? Y/N
3.6 Is there evidence of engineering security into the application? E.g. the principle of “failing securely”, the principle of “assuming the network is compromised”.

3.7 ….. etc.

4 Site Y/N
4.1 Is there 24/7/365 support available? Y/N
4.2 Is there 24/7 close circuit TV, with biometric and physical access IDs and man traps? Y/N
4.3 How accessible is the data centre and is the location secure (e.g. car park)? Y/N
4.4 Is the data centre equipped with meeting rooms, desk space, locker space, machine build room and a lab room? Y/N
4.5Does site audits take place with both physical and digital access review? Y/N
4.6… etc.

5 Data

5.1 What is the performance of data links? Y/N
5.2 What is the communication bandwidth? Y/N
5.3Is there different levels of security available for Private V’s public cloud? Y/N
5.4 Will there be data migration issues when changing provider? Y/N
5.5 How is data backed up?


6. Control objective Y/N
6.1 Is there a policy on information security, and is this documented? Y/N
6.2… etc.

7. Supplier organisation

7.1 Are roles and responsibilities clearly defined? Y/N
7.2Are confidentiality, agreements in place? Y/N
7.3 Does an independent review of information security take place? Y/N
7.4 Is the business well capitalised? Y/N
7.5 Are their SLA’s truly achievable? Y/N
7.6 ……etc.,

Other categories to consider….

8. Risks with external parties (customer security, 3rd party supplier security).

9. Responsibilities for assets (Inventory, use, etc.)

10. Information classification

11. Employment guidelines (roles, screening, training, disciplinary, termination, removal of access, etc.)

12. Secure areas

13. Equipment security

14. Operational procedures and responsibilities (capacity planning, media handling, monitoring, etc.)

15. User responsibilities

16. Network access

17. Operating system control

18.Application access control

19. Compliance and legal requirements

20. Compliance with security policies

21. Standards and technical compliance

22. Information system audit considerations


Should you require any further information on how to audit the Cloud, or any of the services provided by EmpowermentQE, you are welcome to email Ciara, to request a call back. 

No comments:

Post a Comment