1. The Control Freak Cometh!
Applying Best Practice for Infrastructure Compliance
2. Agenda
Why Do We Need A Compliant Infrastructure?
How High Is That Hill?
Where Do I Start?
What Do I Need?
How Do I Get There?
Best Practice Or Controls?
D. K. Stephenson Regulatory Compliance SME
4. Compliance with What??
ISO 27001
ITIL
CoBIT
ISO 20000
Sarbanes Oxley
Basel II
FDA & MHRA Regulations
21 CFR 11 etc.
Personally Identifiable Data (Caldicott Rule)
ISO 9001-2008
PCI DSS
5. Why Do We Need Compliance?
Is it because:
Everyone in my industry is doing it
Fear of an upcoming regulatory inspection
We want to get control over our Infrastructure
There is probably a little of all these in our reasoning, but we must also consider the question:
“How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”
GAMP GPG IT Infrastructure Control & Compliance
6. What does “Under Compliance” mean?
It means that the:
Planning
Organisation
Installation
Use
Maintenance
of the I.T. infrastructure is Controlled and Documented
7. Compliance, Regulatory Viewpoint
In the regulated industries (Life Sciences etc.), Infrastructure Compliance is achieved by the process of “Qualification”
Where Qualification is defined as:
“The process of demonstrating whether an entity is capable of fulfilling specified requirements. It implies adherence to strict documentation requirements, reviews and approvals”
GAMP GPG IT Infrastructure Control & Compliance
8. Qualification: the I.T. Viewpoint!
A methodology designed to stop me from doing my work!
An unnecessary overhead on already overworked resources!
Something that we write to keep QA quiet (but do not follow!)
A waste of ******* time!
A pain in the *****!
The best thing since sliced bread ????
9. In Short!
10. The Business Viewpoint!
Difficult to get support from the top!
I.T. seen as draconian and inhibitive
Stops the business from doing its business
“I.T. do not understand what we need!”
“This is MY computer, I should be able to do what I want with it!”
11. 10 Requirements of Compliance
Compliance Exercise Planning & Execution
Procedures
Compliance Documentation
Security (Logical & Physical)
Acceptance Testing
Training of Support Personnel
Network Recovery
Support Documentation
Change Control
Periodic Review
12. Benefits of a Compliant Infrastructure
Demonstrable Control over processes
Increased Integrity of data
Confidence in being Audit Ready
Transparent view of the infrastructure and how it functions
Easier in-life management and upgrade planning
Procedures available to all IT staff
I.T. and business working together
Adherence to best practice
Reduction in duplication of duties
13. Business Expectations
Cost Effective Solution
Pragmatic Qualification (how much is enough?)
Control Over Processes
Control Over Procedures
Control Over people
Increased Control Of Data
Confidentiality
Integrity
Availability
Confidence In Being Audit Ready
Adherence To Best Practice
15. How High?
16. “Top Ten” Deficiencies (Audited)
Security (Logical & Physical)
Testing (Compliance Exercise)
Change Management/Configuration Management
Operating Procedures
Hardware, Equipment Records, and Maintenance
Training, Education, and Experience
Development Methodology
Compliance Methodology and Planning
Quality Assurance and Auditing
Electronic Records, Electronic Signatures
17. Why So Many?
In general, the majority of IT departments are doing what is right: they are following all or many of the necessary processes, but with ONE MAJOR EXCEPTION!
THEY DO NOT WRITE IT DOWN!!!!!!!!
18. The Auditor's Viewpoint!
IF IT IS NOT WRITTEN DOWN IT DID NOT HAPPEN!
IF IT IS NOT SIGNED IT'S GRAFFITI!
ANYTHING THAT ISN'T DOCUMENTED IS JUST RUMOUR!
20. At The Beginning!
Step 1, DO NOT throw the baby out with the bath water!!!
21. 1st Steps
Draw up a plan:
What do you want to achieve?
By when?
What resource is available?
What budget is available?
Do not cut corners!
Stick to it!!!!!!
22. Top Tips!
Get buy-in from the top; you need a Sponsor
Assess the situation (Business & I.T.)
Apply a “RISK BASED METHODOLOGY”
What do we actually need?
Is what we want and what we need different?
Base testing on criticality & use
Base risk on:
– The effect on quality and data
– The likelihood of failure
– The likelihood of detection
Use this to focus on the most critical areas
24. What Do I Need?
A fully tested Infrastructure
A fully documented Infrastructure
A full set of “workable” processes and procedures
An ongoing compliance maintenance framework
Buy-in from senior management
26. Documentation: A Warning!
As with everything else in the Compliance world, documentation is key
Attaining a compliant Infrastructure can be thought of simply as documented Good IT Practice, for example:
ITIL
CoBIT
MOF
Most organisations know the right things to do
Most organisations are doing them (to some extent)
Not all organisations have documented them
27. ITSM Areas for Process and Procedure
General Management
Data Centre Management
Platform Management
Server Management
Network Management
Client Management
Security Management
Data Management
Quality Management
Continuity Management
29. What Do Control Frameworks Have In Common?
They possess Business Focus
Aligning IT with the business needs
They have Process Orientation
Thus ensuring ownership and organisation of processes
There is General Acceptability
Backed up by proven best practices (through frameworks)
They possess a Common Language
An accepted terminology used by business & suppliers
They help meet Regulatory Requirements
By meeting compliance with an accepted framework
30. Why Do We Use Control Frameworks?
They already exist, thus no need to reinvent the wheel
They are structured and easy to apply
They are derived from best practice
They are the result of knowledge sharing
They are ultimately auditable
31. CoBIT
CoBIT supports IT Compliance by providing a framework that can ensure that:
The IT strategy is aligned with the business
IT acts as an enabler for the business and maximises its benefits
IT resources are utilised both responsibly and effectively
IT risks are managed and mitigated appropriately
32. IT Infrastructure Library (Ver 3)
ITIL is a Best Practice Framework
ITIL Philosophy – a scalable, process-driven approach
ITIL provides “best practice” guidelines and architectures to ensure that IT processes are closely aligned to business processes and that IT delivers the correct and appropriate business solution
Infrastructure and Service are not separate entities
33. Which Do I Use??
34. How Do CoBIT & ITIL Fit In?
CoBIT focuses on getting the “what is needed” right, without touching on the “how will we do it”
CoBIT helps to introduce a management perspective of Controls, as it operates at a level above the IT technology and possesses business focus
ITIL is the next level down, determining “how will we do it”
ITIL is the operational perspective of controls, operating at the Technology level, and possesses service focus
35. How It All Fits Together
Layered diagram (conformance drivers on the left, performance drivers on the right):
Drivers:                  CONFORMANCE: FDA Reg's, MHRA, SOX etc. | PERFORMANCE: Business Goals
IT Governance:            COBIT
Best Practice Standards:  ISO 9001:2000, ISO 27001, ISO 20000
Processes and Procedures: QA Procedures, Security Principles, ITIL
36. How do I Keep it Compliant??
37. Periodic Review And Critical Processes
All critical activities should be included in a Periodic Review Strategy
Initial Qualification Activities
On-going maintenance and support activities
Periodic Reviews can be conducted internally, but inspection observations have set an expectation that the independent quality group should play an appropriate oversight role
38. Periodic Review And Critical Processes (cont.)
Policies should define appropriate roles for IT and Quality
Processes and Procedures should be interlinked, with defined roles
e.g. Disaster Recovery relies on Configuration Management, which is related to Change Management
There should be a consistent set of processes
There Must be Evidence of Control & Adherence to These Processes!!
40. Conclusions
We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements, by:
Adopting a Risk Based Approach to Compliance
Adopting and implementing a best practice framework
– CoBIT
– ITIL
Introducing a systematic approach to the initial testing of components, based on their use and criticality
Introducing an ongoing approach to the testing of components, based on the previous testing of their type
Introducing an ongoing compliance program