Want to deploy a new technology solution but not sure where to begin? These slides cover key considerations for choosing a vendor with cloud compliance and validation in mind. With the Office 365 subscription-based service gaining considerable momentum in the life sciences, it's important to stay ahead of the technological and regulatory curve and consider how an EDMS will improve the management of your GxP content.
Here we cover the following topics:
- Vendor assessment of Microsoft
- Subscription basics of Office 365
- Review of ISO/SOC audit reports
- Ensuring that no critical observations are made
- Security and quality controls in place
You can follow along with this presentation via webinar format:
https://info.montrium.com/strategies-for-conducting-gxp-vendor-assessment-of-cloud-service-providers
3. Today's Agenda
LIVE WEBINAR
1. About Montrium
2. Key considerations for choosing and assessing a vendor from a cloud compliance standpoint
3. Vendor assessment of Microsoft
a) Review of ISO/SOC audit reports
b) Ensuring security and quality controls are in place
c) Confirming whether critical observations were reported
4. Subscription basics of Office 365
5. Housekeeping
LIVE WEBINAR
• This webinar is being recorded and will be made available after this session
• Feel free to use the chatbox to submit your questions at any time
• Q&A will take place at the end of the webinar
• We will send these slides to your email at the end of the webinar
7. About Montrium
ABOUT THE COMPANY
Connecting People, Processes & Technology
• Founded in 2005
• Working Exclusively in the Life Sciences
• Headquartered in Montreal, Canada
• EU headquarters in Luxembourg
• Clients in North America, Europe & Asia
• Leading Content Management Platform
• Over 8000 Users in 20+ Countries
• Experienced Professional Services Group
9. Vendor Assessment
GxP regulated companies should formally assess and approve each supplier/vendor of computerized systems and services.
Why?
• Assess the competence of the vendor prior to selecting its product/service
• Provide confidence that the vendor has built quality and integrity into the product or service
• Provide an opportunity to nurture a relationship with the vendor
• Comply with regulatory expectations
10. “[3.2] The competence and reliability of a supplier are key factors when selecting a product or service provider. The need for an audit should be based on a risk assessment.”
“[4.5] The regulated user should take all reasonable steps, to ensure that the system has been developed in accordance with an appropriate quality management system. The supplier should be assessed appropriately.”
- Eudralex Volume 4, Annex 11
11. Overview of Vendor Assessment Process
• Vendor assessment is performed according to the regulated company's SOPs governing vendor management.
• The purpose of a vendor assessment is to evaluate the vendor's processes and practices to ensure the vendor employs quality standards that are in line with the regulated company's own practices.
• The extent of the vendor assessment is tied to the level of risk associated with the vendor's product or service.
• For example: a contract manufacturer of a drug product would be scrutinized carefully due to the potential impact on patient safety and product quality.
12. Overview of Vendor Assessment Process
Goal
Gather information to assess whether process controls are in place and determine if these controls are systematically followed.
Methods for assessing vendors (according to GAMP® 5):
• Basic Assessment: A review of available information to evaluate the vendor's product and practices
• Postal Audit: A questionnaire submitted to the vendor in which detailed information about the vendor's quality system and business activities is requested
• On-site Audit: A review of the vendor's procedural controls and process documentation performed by an auditor
The approach taken should be based on an evaluation of risk.
13. Key Considerations
VENDOR ASSESSMENT
Consider the type of cloud service (IaaS, PaaS, SaaS).
Examine the intended use of the system, including activities to be performed by the system.
• For example: a cloud system used in the dispensing of drug products vs. a hosted solution used as a document repository
Evaluate risk to
• Patient Safety
• Product Quality
• Data Integrity
14. Vendor Assessment of a Cloud Service Provider
All cloud service providers host data.
The vendor assessment of a cloud service provider would include examining the measures put in place to protect data.
Areas of interest:
• Processes that control security of the facility
• Environmental controls that protect hardware and devices
• Controls in place to restrict access to authorized individuals
• Processes for backing up data and retrieving/restoring it, if necessary
These concerns are not unique to life science organizations.
15. Vendor Assessment of a Cloud Service Provider
All cloud service providers host data.
Cloud service providers do not generally allow for on-site vendor assessment audits due to security concerns involving the databases and infrastructure.
However, when obtaining certifications and attestations, cloud service providers willingly grant access to independent third-party auditors. These audit reports can be made available to customers using the cloud service.
16. POLL
Have you adapted your Vendor Management processes to incorporate special measures for evaluating cloud service providers?
a) Yes
b) Not yet
17. Relevant certifications and attestations
• ISO/IEC 27001, ISO 27018, ISO 9001
• SOC 1 Type II & SOC 2 Type II
• NIST FIPS 200 / SP 800-53
• HITRUST
• FedRAMP
• HIPAA
• EU-US Data Shield
• GDPR
18. ISO
International Organization for Standardization (ISO)
ISO/IEC 27001:2013 Information technology -- Security techniques -- Information security management systems -- Requirements
Requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization.
Requirements for the assessment and treatment of information security risks tailored to the needs of the organization.
ISO/IEC 27018:2014 Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.
ISO 9001:2015 Quality management systems -- Requirements
19. SOC
System and Organization Controls (SOC) for Service Organizations
SOC 1: Internal Control over Financial Reporting (ICFR)
SOC 2: Trust Service Criteria
• Security
• Availability
• Processing integrity
• Confidentiality
• Privacy of personal information
Type I: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date. (Restricted use)
Type II: Report on the fairness of the presentation of management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period. (Restricted use)
20. Independent Service Auditor's Report
Extract from a sample SOC 2 Type II report
Trust Service Criteria: CC1.3 – Personnel responsible for designing, developing, implementing, and monitoring of the system affecting security have the qualifications and resources to fulfill their responsibilities.
Control Ref #: CC1.3.1
Control Description: Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process.
Test Procedure:
• Inquired of management to obtain an understanding of job requirements and the evaluation of candidates' ability to meet the requirements.
• Inspected the policies and procedures related to the hiring process.
• Inspected documentation for the selection of new hires from the audit period under review to determine that each candidate was evaluated for the specified job requirements.
Test Result: No exceptions noted.
22. POLL
Do you anticipate assessing Microsoft as a vendor within the next year?
a) Yes
b) No
c) I haven't decided
23. Determine the scope of the assessment
Intended Use
• Implementation of Office 365 (SharePoint Online) as a repository for GxP regulated content
• Content of controlled documentation is governed by business processes and associated procedural controls
Risk Assessment
• Low risk associated with patient safety
• Low risk associated with product quality
• Moderate risk associated with data integrity
Regulatory Impact Assessment
• 21 CFR Part 11 – Electronic Records
24. How to conduct the assessment
1. Identify regulatory risks and requirements
2. Determine the shared responsibilities of the regulated user and of the cloud service provider
3. Evaluate the distribution of shared responsibilities with respect to the regulatory requirements
4. Map relevant controls from available certifications and attestations
25. Compliance Assessment
AN EXAMPLE
21 CFR Part 11 Requirement: 11.10 (b)
The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.
Expectation of Responsibilities
User Responsibilities and Controls
• Manage their stored data for completeness and accuracy.
• Manage their inputs and data uploads to Office 365 for completeness, accuracy, and timeliness.
• Ensure through verification/validation that the transfer of data from applications to the O365 services does not impact data integrity.
• Ensure that the Office 365 services are validated to respond to this requirement.
Microsoft Responsibilities and Controls
• Respect SLA terms for system availability and maintenance.
Certification / Attestation Report
ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018 Assessment Report
• Physical and environmental security
• Asset Management
SOC 2 Type II Report
• Monitoring of Subservice Organizations
• Controls C1.4, C1.5, C1.6, CC2.2, CC2.3, CC2.4, CC3.1, CC3.2, CC7.2
26. Leveraging the Compliance Assessment
Analyze
• Review reports to identify gaps and critical findings
• Ensure security and quality controls are in place
Evaluate
• Ensure no critical observations were made
• Evaluate the suitability of the vendor
Manage
• Determine the need for further assessment
• Use the compliance assessment as an input to the vendor management process
27. Qualifying the Vendor
Have the vendor qualification requirements detailed in your Vendor Management SOP been met?
Keep in mind: ISO and SOC reports are issued for a fixed period of examination.
• Ensure the report dates are relevant.
• Ensure a bridge letter is available.
New Vendor: Determine if assessment findings show that vendor selection criteria are met.
Chosen Vendor: Ensure that the vendor is periodically re-evaluated to ensure that the vendor continues to meet organizational expectations.
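The two checks a reviewer would run on the compliance assessment above (slide 25's requirement-to-control mapping and slide 27's report-period and bridge-letter reminder), as an added example that is not Montrium's or Microsoft's code; the report names, dates and control references are constructed for illustration.

```python
"""Added example (not from the presentation): verify that every mapped requirement
has an attestation control behind it and that the report still covers the assessment date."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample reports: examination period plus optional bridge letter end date.
REPORTS = {
    "SOC 2 Type II": {"start": date(2018, 4, 1), "end": date(2019, 3, 31),
                      "bridge_until": date(2019, 6, 30)},
    "ISO/IEC 27001:2013": {"start": date(2018, 1, 1), "end": date(2018, 12, 31),
                           "bridge_until": None},
}

# Constructed mapping: requirement -> reports and the control references relied on.
# 11.10(b) mirrors the slide's example; 11.10(d) is left unmapped to show a gap.
MAPPING = {
    "21 CFR 11.10(b)": {"SOC 2 Type II": ["C1.4", "C1.5", "CC7.2"],
                        "ISO/IEC 27001:2013": ["Asset Management"]},
    "21 CFR 11.10(d)": {},
}


def report_covers(report: dict, as_of: date) -> Tuple[bool, str]:
    """Return (covered, reason) for one attestation report on the given date."""
    if as_of < report["start"]:
        return False, "assessment date precedes examination period"
    if as_of <= report["end"]:
        return True, "within examination period"
    bridge = report["bridge_until"]
    if bridge is not None and as_of <= bridge:
        return True, "covered by bridge letter"
    return False, "examination period ended and no bridge letter covers this date"


def assess(mapping: Dict[str, dict], reports: Dict[str, dict], as_of: date) -> List[str]:
    """Return findings; an empty list means every requirement has current coverage."""
    findings = []
    for requirement, sources in mapping.items():
        if not sources:
            findings.append(f"{requirement}: no attestation control mapped")
            continue
        for report_name, controls in sources.items():
            if report_name not in reports or not controls:
                findings.append(f"{requirement}: {report_name} missing report or controls")
                continue
            covered, reason = report_covers(reports[report_name], as_of)
            if not covered:
                findings.append(f"{requirement}: {report_name} not current ({reason})")
    return findings
```

Re-run `assess` whenever a new report or bridge letter is received; a finding against a report that was current at the last review is the trigger for the periodic re-evaluation the slide calls for.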
29. Office 365
Microsoft has obtained numerous certifications and attestations for Office 365.
In the interest of transparency, Microsoft provides subscribers with documentation pertaining to:
• Microsoft internal processes
• Results of objective evaluations of these processes by third-party auditors
Microsoft also provides compliance guides and tools to subscribers.
30. Trust Center
SERVICE TRUST PORTAL
Access to information
• Subscribers may access the following types of reports for Office 365:
  • ISO reports
  • SOC reports
  • FedRAMP reports
  • Governance, Risk and Compliance (GRC) reports
• Review information on Microsoft controls pertaining to data protection and privacy
Access to Compliance Manager tool
• Monitor the status of compliance assessments of Microsoft products by 3rd party independent auditors
• Track, assign and verify organizational compliance activities
31. Compliance Manager
For Office 365, assessments for the following standards are currently available in the Compliance Manager:
• CSA CCM301
• FFIEC
• FedRAMP Moderate
• GDPR
• HIPAA
• ISO 27001:2013
• ISO 27018:2014
• NIST 800-171
• NIST 800-53
• NIST CSF
32. Compliance Manager
Compliance challenges the Compliance Manager addresses:
• Keeping abreast of updates to standards by regulatory bodies
• Reducing time and effort spent on compliance reporting
• Identifying who is responsible for controls (Microsoft or Customer)
• Assigning and prioritizing compliance activities
• Linking technological tools to regulations/standards
33. Compliance Manager
MAIN FEATURES
• A dashboard view of progress in implementing controls (by both Microsoft and your organization)
• Provides an overview of the status of compliance activities
• Controls are assigned a risk-based compliance score
• Outlines suggested activities for customers to demonstrate compliance linked to technical/procedural controls
• Allows for filtering of information
• Ability to generate reports
36. Conclusion
The relationship with your vendor heavily relies on trust.
Vendor Assessments provide objective evidence related to the vendor's quality standards and practices.
Questions to ask:
• Do the assessment findings support trusting this vendor?
• Does the organization trust the vendor to deliver quality products/services?
38. Our Areas of Expertise
• Technology Strategy & Digital Transformation
• Cloud Compliance & Strategy
• Computer System Validation
• Quality Assurance
Our Vision: “To be the leading change enablers for technology in the life sciences.”
39. In the context of an Office 365 Vendor Assessment, we take the following actions:
• We provide a Compliance Assessment Report that customers can use to support their vendor qualification process, such as the vendor assessment SOP they may need to follow.
• If gaps are identified, we help customers review the gaps, evaluate the impact, and identify risk mitigation strategies if applicable.
• We establish a strategy for monitoring updates to third-party reports and certificates, as they are updated periodically and changes may result in different compliance results.
40. POLL
Are you interested in learning more about Montrium's professional services?
a) Yes
b) No, I'm ok for now