We focused on how cloud computing can help address the challenges facing the pharmaceutical and medical device community by providing cost-effective and flexible technology solutions. Despite these benefits, cloud computing is not without risk, for example in the areas of security, data integrity, legality and compliance. Furthermore, the fact that this is relatively new territory for the regulated user only increases uncertainty.
With this in mind, pharmaceutical and medical device companies should ensure that they treat cloud suppliers as they would any other third-party supplier of a computerised system: ensure that comprehensive risk-based strategies are in place before entering into a relationship with the supplier, and that robust contracts/SLAs are defined, in order to ensure compliance with Annex 11, clause 3. Audits were discussed as a key tool in managing the supplier relationship. The due diligence audit discussion examined the objective of ensuring the suitability of the supplier (e.g. business viability, legalities, data risks, validation needs). Regular audits check for GxP requirements and project-specific needs, and specific audits focus on key risk areas or areas of concern arising from the regular audit, such as fault tolerance or security.
Due to the inherent risks associated with the cloud, these suppliers must be audited regularly in order to confirm that the quality of service is maintained in terms of SLAs and GxP needs. As discussed in our audit series, one useful tool for the audit is the checklist. We discussed some sources for checklist content in the seminar (GxP requirements, the SLA, technical expertise, security requirements, risk, supplier project plans, business continuity, supplier audits, previous deviations and so forth).
The following is a small excerpt from EmpowermentQE's information security checklist. We hope it provides some areas to consider when planning an audit of a cloud supplier. It is by no means intended to be exhaustive, and those conducting or preparing for audits should remain conscious of the scope and objective of the audit, as detailed in the respective audit plan, SLA and GxP requirements.
Checklist
| Area | Y/N | Comments / Evidence |
|---|---|---|
| 1. Security | | |
| 1.1 Is there evidence of dynamic security planning, execution and feedback? Is there an information security policy? | Y/N | |
| 1.2 Are risks around security identified, managed and documented using a risk-based approach? | Y/N | |
| 1.3 Are personnel audits conducted at hiring, and at random after hire, to ensure the integrity of the system? | Y/N | |
| 1.4 Is there technology in place to keep up with the hacking community? Has security testing been planned? Is there evidence of penetration testing or even ethical hacking testing? Were the deviations acted upon? | Y/N | |
| 1.5 Are multi-site backup and disaster recovery procedures in place? | Y/N | |
| 1.6 ... etc. | Y/N | |
| 2. Physical security | | |
| 2.1 Is video surveillance in place to monitor entrances, the staging area and the data centre? | Y/N | |
| 2.2 Are doors locked at all times, with key card access required at the point of entry? | Y/N | |
| 2.3 Are the data centre rooms equipped with fire suppression systems, for example FM-200? Is the entire facility equipped with a dry-sprinkler system? | Y/N | |
| 2.4 Is the facility fault tolerant, e.g. equipped with two independent UPSs and two independent generators? | Y/N | |
| 2.5 Is there evidence of server hardening? | | |
| 2.6 ... etc. | Y/N | |
| 3. Logical security | | |
| 3.1 Has client network security been tested to ensure that proper segmentation is in place? | Y/N | |
| 3.2 Does access to the validated cloud equipment require unique, password-protected login accounts? | Y/N | |
| 3.3 Do IT administrators provide logins to authorised personnel? | Y/N | |
| 3.4 Do passwords comprise at least 8 characters, include both alphabetic and numeric characters, and exclude any phrases that could easily be guessed? | Y/N | |
| 3.5 Are passwords changed every 90 days? | Y/N | |
| 3.6 Is there evidence of security being engineered into the application, e.g. the principle of "failing securely" and the principle of "assuming the network is compromised"? | | |
| 3.7 ... etc. | | |
| 4. Site | | |
| 4.1 Is 24/7/365 support available? | Y/N | |
| 4.2 Is there 24/7 closed-circuit TV, with biometric and physical access IDs and man traps? | Y/N | |
| 4.3 How accessible is the data centre, and is the location secure (e.g. the car park)? | Y/N | |
| 4.4 Is the data centre equipped with meeting rooms, desk space, locker space, a machine build room and a lab room? | Y/N | |
| 4.5 Do site audits take place with both physical and digital access review? | Y/N | |
| 4.6 ... etc. | | |
| 5. Data | | |
| 5.1 What is the performance of the data links? | Y/N | |
| 5.2 What is the communication bandwidth? | Y/N | |
| 5.3 Are different levels of security available for private vs. public cloud? | Y/N | |
| 5.4 Will there be data migration issues when changing provider? | Y/N | |
| 5.5 How is data backed up? | | |
| 5.6 ... etc. | | |
| 6. Control objective | | |
| 6.1 Is there a policy on information security, and is it documented? | Y/N | |
| 6.2 ... etc. | | |
| 7. Supplier organisation | | |
| 7.1 Are roles and responsibilities clearly defined? | Y/N | |
| 7.2 Are confidentiality agreements in place? | Y/N | |
| 7.3 Does an independent review of information security take place? | Y/N | |
| 7.4 Is the business well capitalised? | Y/N | |
| 7.5 Are their SLAs truly achievable? | Y/N | |
| 7.6 ... etc. | | |

Other categories to consider:

8. Risks with external parties (customer security, third-party supplier security)
9. Responsibilities for assets (inventory, use, etc.)
10. Information classification
11. Employment guidelines (roles, screening, training, disciplinary, termination, removal of access, etc.)
12. Secure areas
13. Equipment security
14. Operational procedures and responsibilities (capacity planning, media handling, monitoring, etc.)
15. User responsibilities
16. Network access
17. Operating system control
18. Application access control
19. Compliance and legal requirements
20. Compliance with security policies
21. Standards and technical compliance
22. Information system audit considerations
... etc.
Should you require any further information on how to audit the Cloud, or any of the services provided by EmpowermentQE, you are welcome to email Ciara, to request a call back.