BYTEGRIDR. in the GxP Context. Presentation to the FDA Cloud Working Group. Copyright 2014 ByteGrid. All Rights Reserved.

Transcription

1 . FedRAMP in the GxP Context Presentation to the FDA Cloud Working Group Copyright 2014 ByteGrid. All Rights Reserved.

2 WHAT IS FEDRAMP? The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a do once, use many times framework that saves cost, time and staff required to conduct redundant agency security assessments. Allows the Federal government to provide a comprehensive Cloud based framework without endorsing a single 3rd party or NGO framework.

3 CONTROL CATEGORIES Access Control Awareness and Training Audit and Accountability Security Assessment and Authorization Configuration Management Contingency Planning Identification and Authentication Planning Personnel Security Risk Assessment System and Services Acquisition System and Communications Protection System and Information Integrity Incident Response Maintenance Media Protection Physical and Environmental Protection BASED ON NIST SP R3

4 ACTIVE CONTROLS Approximately 180 Active controls across 17 categories 7 original controls withdrawn by NIST Controls can be process enforced, application enforced or a combination Today well look at 38 select controls against the following criteria Data integrity and security Service Level Agreement Compliance to P11, GxP s Validation for intended use?

5 ACCESS CONTROL

6 ACCESS CONTROL AC-4 INFO FLOW ENFORCEMENT Key control for ensuring that security policy is maintained through interconnected systems. Closest trace(s): 11.10(c), (b), , (b)(2) QMS, EDC/RDC SLA should ensure a Cloud based platform that passes regulated data to, or receives information from another system maintains a consistent security protocol. Ensure chain of custody is maintained for regulated data. Likely would require full workflow testing, risk defined system boundaries.

7 ACCESS CONTROL AC-5 LEAST PRIVILEGE Least Privilege contributes to data integrity by advocating that only users executing any particular function in an application or infrastructure component are trained and of an appropriate organizational level. Cloud Administrator has limited/ no access to applications. SLA defines security boundaries for provider and any engaged 3rd parties. Closest trace(s): 11.10(d), (b), (b)(2), ICH E6/E9 Associated system(s)/product(s): Any application/system with regulatory data. EDC/RDC Defined user levels in Config Spec Access grant/modify/revoke defined Positive & Negative Testing An attempt to show least user cannot exceed brief.

8 ACCESS CONTROL AC-17 REMOTE ACCESS Monitor for unauthorized remote access Authorized remote connections Enforces application security Documents allowed methods of remote access to the information system. Establishes usage restrictions and implementation guidance for remote access methods. Closest trace(s): 11.10(g), (b), , (b)(2) QMS, EDC/RDC, Medical Devices. Verify remote devices can connect. Negative testing, attempt connection without credentials.

9 ACCESS CONTROL AC-18 WIRELESS ACCESS Authentication & encryption employed. Active monitoring employed. Established usage restrictions for wireless access to the infrastructure. Closest trace(s): 11.10(g), (b), , (b)(2) QMS, EDC/RDC, Medical Devices During Data Center Qualification verify that if Wi-Fi network is secure an policy is place for usage restriction.

10 ACCESS CONTROL AC-19 ACCESS CTRL MOBDEV Access control via mobile devices such as smart phones and tablets must have the same constraints with regards to application access as workstation on internet connect users. Typically limited by the application, however SLA should outline what level (if any) the cloud solution supports access to mobile devices. Closest trace(s): 11.10(g), (b), , (b)(2) QMS, EDC/RDC, Medical Devices If mobile devices have been deployed by a regulated entity, one would expect it to be treated as an additional interface device. Necessary to test to ensure that configuration, security and any data validation checks are enforced.

11 AWARENESS & TRAINING

12 AWARENESS & TRAINING AT-1 SECURITY AWARENESS Security awareness has broad implications for Data Integrity. While time money and resources might be spent on logical security within applications, physical security and the awareness of the infrastructure team of the type and risk of the data they are responsible for are equally important. Closest trace(s): 11.10(b), (b),820.75(b)(2), ICH E6/9 QMS, EDC/RDC, Medical Devices Ensure that Cloud Provider has an active security management plan in place and is aware of the nature of the data (drug, device, patient) that they are hosting/ storing. Data Center Qualification should include an inventory of site SOP s. Training Records for Staff. Regulated Entity to should audit to ensure active enforcement of Data Center s security policy.

13 AUDITABLE EVENTS

14 AUDITABLE EVENTS AU-2 AUDITABLE EVENTS Ensures data integrity is verifiable via non editable audit trails & logs. Important to define audit events vs. auditable records. Cloud provider should detail auditable events: 1. What is auditable by regulated entity/ regulatory agency 2. What is actively audited/monitored by provider Closest trace(s): 11.10(e), (b), ICH E6/E9 QMS, EDC/RDC, Medical Devices Test audit trail functionality an implementation across both regulated applications and when applicable infrastructure components.

15 AUDITABLE EVENTS AU-3 AUDIT RECORD CONTENT Direct correlation with P11. Consider that as designed, legacy cloud (network) components may not share all P11 audit trail expectations. Consider a Part 11 specific statement in the SLA that outlines the audit capability of the application(s)/product(s) in scope. Closest trace(s): 11.10(e), (b), ICH E6/E9 QMS, EDC/RDC, Medical Devices Expect to see standard audit trail testing, the records related to the system in scope should have been clearly defined in the system configuration documentation.

16 AUDITABLE EVENTS AU-9 PROTECTION OF AUDIT INFO Most SaaS applications will have a classically built audit trail, making editing impossible. However of particular note should be cloud based Medical Device systems, non-repudiation should be applied the component logs of the device, since the cloud itself is now an integrated component. Special consideration should be given to the archiving of audit trails in SLA, should be tied to record retention period for the product in scope. Closest trace(s): 11.10(e), (b), ICH E6/E9 QMS, EDC/RDC, Medical Devices Verify static nature of audit trail. Ensure policy in place is adequate for retention period of the records in scope.

17 AUDITABLE EVENTS AU-10 NON-REPUDIATION Arguably the highest risk control with regards to data integrity. The concept of non-repudiation, when enforced, ensures that data creation, edit, deletion is directly attributable to the individual(s) actioning the data. Ensure NDA goes beyond typical nondisclosure to address access to company data. However, most effective enforcement will be within the system. Closest trace(s): 11.10(e), (b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Extensive security testing to ensure that predicate rule records are fully accountable to the users who have interacted with them.

18 SECURITY ASSESSMENT & AUTHORIZATION

19 SECURITY ASSESSEMENT & AUTHORIZATION CA-2 SECURITY ASSESSMENTS In the Cloud context security assessments are a critical component of both the risk and configuration management process. It is vital to understand all of the constituents interaction with the system in scope, both at the personnel and component level. SLA should required some level of regular security assessment at specific intervals in addition to standard intrusion detection/ prevention and monitoring functionality. Closest trace(s): 11.10(g), (b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Ensure documented remediation of identified security vulnerabilities from the executed assessments.

20 CONFIGURATION MANAGEMENT

21 CONFIGURATION MANAGEMENT CM-2 BASELINE CONFIGURATION Standard Configuration Specification should expanded to capture the static configuration of the cloud components comprising the system. Dynamic components should be analyzed through the prism of risk in order to benefit from the elasticity that the cloud provides. SLA should codify the change and configuration management process in order to ensure that the validated state is maintianed through the system life cycle. Closest trace(s): 11.10(k), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Configuration verification typically occurs at the end of the Installation Qualification phases and prior to the execution of Operational Qualification/functional testing.

22 CONFIGURATION MANAGEMENT CM-7 LEAST FUNCTIONALITY Often network appliances and software will have additional ports, protocols, and services that are not necessarily required for the system in scope. To minimize possible security impacts or data integrity issues the concept of least functionality should be applied. Ensure statements as to the enforcement of least functionality are included in the SLA. Would likely require audit enforcement from regulated entity. Closest trace(s): 11.10(d), 11.10(k), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Verify that disused port s services and protocols are turned off or are otherwise inaccessible.

23 CONFIGURATION MANAGEMENT CM-9 CONFIG. MGT. PLAN In order to ensure a continued compliant state of a cloud based product one would expect a configuration management plan or policy to be in place. a good framework for this the concept of standard changes (ITIL) should be encouraged to ensure low risk actions are not overburdensome, but are preapproved. Ensure a commitment exist to manage configuration and change in an order fashion. Determine communication/ approval path between cloud provider and the regulated entity. Closest trace(s): 11.10(k), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Require examples of recently executed change/configuration controls. Ensure mechanism exists for periodic re-evaluation of validated state.

24 CONTINGENCY PLANNING

25 CONTINGENCY PLANNING CP-10 INFO SYS RECOVERY Data Integrity beyond the real-time write is critical both from a business and regulatory data integrity perspective. Critical component of SLA, a very clear recovery and reconstruction component should be clearly defined. Closest trace(s): (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Require Cloud provider to perform regular disaster testing in conjunction with regulated entity.

26 IDENTIFICATION & AUTHENTICATION

27 IDENTIFICATION & AUTHENTICATION IA-2 ID & AUTH. (INTERNAL) The system should provide a unique ID and authentication method for organization users. Challenges for single sign on. Connectivity and authentication should be defied. VPN, Lease Line, straight web connection (https). Closest trace(s): 11.10(d), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Standard security testing against establish configuration and company policy. Consider policy flexibility, not all SaaS applications will necessarily support the same authentication mechanisms.

28 IDENTIFICATION & AUTHENTICATION IA-3 DEVICE ID & AUTH. Device ID and authentication is critical when a device component is introduced. Consider and authentication a device sending diagnostic information into the cloud. SLA should consider logging of device authentication and connection sessions and associated logs. Closest trace(s): 11.10(d), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Ensure only devices with proper authentication can connect. Understand impact of lost connection, partial data transfer etc.

29 INCIDENT RESPONSE

30 INCIDENT RESPONSE IR-4 INCIDENT HANDLING Key concept to maintain data integrity. The process for handling incidents is critical in the event of a data challenge such as a recall. SLA should outline plan for incident handling, detection, analysis, containment eradication and recovery. Closest trace(s): (a)(b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Incident handling process should be qualified as part of infrastructure/data center qualification.

31 INCIDENT RESPONSE IR-5 INCIDENT MONITORING Key concept to maintain data integrity. The process for monitoring incidents is critical for ensuring that the compliant state of the system in maintained. SLA should outline plan for incident handling, detection, analysis, containment eradication and recovery. Closest trace(s): (a)(b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Incident monitoring application(s) should be qualified as part of infrastructure/data center qualification.

32 INCIDENT RESPONSE IR-6 INCIDENT REPORTING Active monitoring with passive reporting should both by considered to maintain data integrity. SLA needs to define clear communication channel for regulated entity to receive incident reports from the cloud provider. Closest trace(s): (a)(b), ICH E6/E9 Verify reporting functionality of incident monitoring applications. QMS, EDC/RDC, CTMS, Medical Devices

33 MAINTENANCE

34 MAINTENANCE MA-1 SYS MAINT. POLICY Proper maintenance of the Cloud components are critical to keep system availability levels high. Closest trace(s): 11.10(k)(1), (a), (g)(2), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Most Cloud providers will advertise three, four or five 9 s. In other word % availability. The SLA should provide a level of availability commensurate with the systems risk. The number of 9 s a data center ran be correlated to the aggressiveness of the maintenance schedule. Awareness and Training. Ensure system maintenece policy is reviewed as part of the qualification. For established systems example maintenance logs could be attached to the validation.

35 MEDIA PROTECTION

36 MEDIA PROTECTION MP-1 MEDIA PROTECTION POL Cloud provider must have policy in place to protect backup and archive media for regulated entity. Media storage, labeling and access are key considerations. SLA should fully disclose the location, media type(s) and distribution of regulated entities archived data. Closest trace(s): 11.10(c), (b), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Regulated entity should conduct an audit of Cloud providers media protection processes.

37 PHYSICAL & ENVIRONMENTAL PROTECTION

38 PHYSICAL & EVIROMENTAL PROTECTION PE-2 PHYS. ACCESS AUTH. Data Integrity could be compromised if storage location is not physically secured. Expect to see a mixture of active and passive controls. Card swipes, camera systems. etc. Access to the datacenter and associated servers and networks comprising the cloud should be outlined in the SLA. Closest trace(s): 11.10(d), (c), ICH E6/E9 Data Center qualification should include testing of physical security controls. QMS, EDC/RDC, CTMS, Medical Devices

39 PHYSICAL & EVIROMENTAL PROTECTION PE-14 TEMP & HUMIDITY CTRL Storage media/production systems could be negatively impacted by failing or inadequate temperature controls. Details of service contracts and makes/ models of HVAC and sensor equipment should be considered for a robust SLA. Closest trace(s): 11.10(d), (c), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Temperature and Humidity control systems should be qualified during validation. As well as tripping sensors and simulating out of range conditions, preventative maintenance schedules should be shown to e active and up to date.

40 PLANNING

41 PLANNING PL-2 SYSTEM SECURITY PLAN Cloud provider may have multiple data centers, locations or cloud based products. System security planning should be holistic relative the providers business. SLA should support the concept of ongoing security assessments. Closest trace(s): 11.10(d), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Regulated entity should seek assurance via audit that security assessment(s) are cyclical within the cloud providers quality system.

42 PERSONNEL SECURITY

43 PERSONNEL SECURITY PS-4 PERSONNEL TERMINATION The cloud provider must ensure that upon termination access privileges are revoked. They should also consider changing other security protocols depending on the terminated employees access level. Depending upon the risk of the engagement, the regulated entity may seek assurances, via the SLA, that terminate employee accounts have been disabled and privileges transferred. Closest trace(s): 11.10(d), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices The regulated entity should verify via audit that adequate termination procedures exist at the cloud provider.

44 RISK ASSESSMENT

45 RISK ASSESSMENT RA-3 RISK ASSESSMENT Traditional application Risk assessment should be expanded to cover the cloud offering being engaged. Size of data center, number of locations, advertised availability are all important factors to consider. A well executed SLA is typically a remedial output of a Risk Assessment. Aligned with the Risk Based approach advocated by FDA. Validation should include a trace to the Risk Assessment to ensure that all remedial actions have been addressed prior to golive.

46 RISK ASSESSMENT RA-5 VULNERABILITY SCANNING Vulnerability scanners are used to by cloud providers to seek and identify weaknesses in their receptive networks. Most SLA s will outline at a high level the Cloud providers commitment to vulnerability scanning. Unlikely to specify too much detail as that in itself could create a vulnerability. No direct trace, however could easily slot into system specific validation requirements. Vulnerability scanning can be a 24/7 activity, for complex architecture penetration testing is also recommended. Copyright Copyright BYTEGRID. ByteGrid. All All Rights Rights Reserved. CLOUD COMPLIANCE FedRAMP FedRAMP in the in GxP the GxP Context Context

47 SYSTEM & SERVICES ACQUISITION

48 SYSTEM & SERVICES ACQUISTION SA-5 IS DOCUMENTATION IS documentation forms the basis of command, control and training for the information system thus having an indirect impact on data maintenance and integrity. Cloud provider should be required to maintain accurate system configuration documentation through the length of the engagement. Closest trace(s): 11.10(k), (b), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices A combination of system configuration documentation, user and administrator manuals typically the basis for an infrastructure qualification.

49 SYSTEM & SERVICES ACQUISTION SA-9 EXTERNAL IS SERVICES Often xaas providers do not have their own data centers. In order to ensure data integrity the regulated entity must audit both the cloud provider and their data center partner(s). SLA should extend to the xaas provider data center and provide assurances in relation to the data center s quality system. Closest trace(s): 11.10(k), , , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Regulated entity should ensure via audit that the cloud provider has a process in place for 3rd party vendor assessment.

50 SYSTEM & SERVICES ACQUISTION SA-10 DEVELOPER CFG. MGT. Particularly important for PaaS and SaaS deliveries. In the FedRamp context also expands into the developers system development lifecycle and development environment. Typical expectations exists as to the adequacy of the code however they are further expounded by the addition of a managed hardware layer. The Cloud provider must guarantee the adherence to good programming practice as well as the maintenance of their SDLC and associated environment. Closest trace(s): 11.10(k)(1), (b), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Regulated entity should confirm via audit that the provider has an established and effective SDLC program in place.

51 SYSTEM & COMMUNICATIONS PROTECTION

52 SYSTEM & COMMUNICATION PROTECTION SC-2 APPLICATION PARTITIONING Essential concept for virtualized applications performing regulated functions. The partitioning method must be clearly understood, defined and tested to ensure that data encroachment does not occur and that adequate resources exist for virtualized applications. SLA should provide assurance that application partition provides a sufficient border between constituents and that the hardware supporting the virtualized environment is sufficient for task. Closest trace(s): 11.10(k)(1), (b), , ICH E6/E9 Associated system(s)/product(s): ERP, QMS, EDC/RDC, CTMS, Medical Devices Relatively easy to verify for applications supporting Pharma. Caution should be taken for medical devices or critical clinical systems (IVRS/IWRS) with cloud component, would recommend private cloud only for this type of application.

53 SYSTEM & COMMUNICATION PROTECTION SC-7 BOUNDARY PROTECTION Concept similar to application partitioning but directly relates to network architecture. Important to define boundaries of the regulated application within the providers overall architecture. Network topologies providing an overall schema could serve as an attachment to SLA. May not be shared however due security concerns. Closest trace(s): 11.10(k)(1), (b), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices During infrastructure qualification one would have expected the cloud provider to have identified they components of their network, sub networks etc. by their impact on the regulated application and have documented and tested them accordingly.

54 SYSTEM & COMMUNICATION PROTECTION SC-11 TRUSTED PATH Concept is critical to data integrity. Establishes a layered approach to authentication that is typically two way. In order other word s both the application in scope and the remote user are verified as trusted. SLA should account for trusted path concepts commensurate with the risk of the data being interacted. Closest trace(s): 11.10(k)(1), (b), , ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices All trusted path combinations should be identified in the configuration documented subsequently verified.

55 SYSTEM & COMMUNICATION PROTECTION SC-30 VIRTUALIZATION TECH Many variants but three general types. Full, OS Level, Hypervisor. Full designates a system which is fully dedicated to virtualized applications, a Private Cloud being and example. OS level allows virtualization of individual OS environments whoever no virtualized OS and applications could also exist on the same platform. Hypervisor or bare metal implementations lack a foundational OS at all and is simply used for resource sharing and optimization. Closest trace(s): 11.10(a), (b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Regulated entities should seek clarification via the SLA as to the type of virtualization technique being employed by their provider. Needs to be clearly defined in configuration document. Key that Risk Assessment considers the virtualization technique within the context of the system in scope.

56 SYSTEM & INFORMATION INTEGRITY

57 SYSTEM & INFORMATION INTEGRITY SI-4 IS SYSTEM MONITORING Beyond IDS/IPS also consider response time, availability and uptime. Could be impactful for a system that requires timed processing steps, LIMS as an example. SLA should define the monitoring coverage, frequency, and remediation process employed by the cloud provider. Closest trace(s): 11.10(a)(f)(g)(h), (b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Monitoring tools should be active not passive. Consider qualifying the monitoring tools as part of the overall data center qualification.

58 SYSTEM & INFORMATION INTEGRITY SI-6 SEC FUNCT. VERIFICATION Beyond IDS/IPS also consider response time, availability and uptime. Could be impactful for a system that requires timed processing steps, LIMS as an example. SLA should define the monitoring coverage, frequency, and remediation process employed by the cloud provider. Closest trace(s): 11.10(a)(f)(g)(h), (b), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Monitoring tools should be active not passive. Consider qualifying the monitoring tools as part of the overall data center qualification.

59 SYSTEM & INFORMATION INTEGRITY SI-11 ERROR HANDLING Error handling should be sufficient to provide both the cloud provider and the regulated entity with the ability to immediately identify and resolve system errors. Should be considered as a component of system monitoring. Closest trace(s): 11.10(a)(f)(g)(h), (b), (i), ICH E6/E9 QMS, EDC/RDC, CTMS, Medical Devices Error simulation should be conducted within reason and commensurate with the risk of the system. Error simulation should not have a long-term impact on the system.

60 SYSTEM & INFORMATION INTEGRITY POSITIVES: CHALLENGES: Provides a strong baseline for evaluation Incorporates many traditional GxP IT Controls Incorporates best of ISO27001, SAS70, GAMP etc. without endorsing High bar for compliance 3rd party certification required Would require risk based approach to best support GxP CONCLUSIONS

61 BYTEGRID R QUESTIONS??? marketing@bytegrid.com Phone: bytegrid.com Copyright ByteGrid All Rights Reserved.