Cloud Computing and Outsourcing in a GxP Environment

Programme

Regulatory Background – important issues to consider from the point of view of an inspector
Requirements for CSP (cloud service providers) resulting from Annex 11
To do’s for regulated users with respect to chapter 7 of the EU GMP Guide
German drug law – does the German drug law or European Law effect the business of CSP; enforcement of corrective actions

Definition and types of Cloud Computing
Service models: Private Cloud, Public Cloud,
Community Cloud, Hybrid Cloud
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Cloud computing scenarios, reference architectures, examples

Cloud Computing: IT Security
Examples of incidents
Strategic planning and preparation for going to cloud services
Security management and security architecture
Security certifications (e.g. ISO 27001) and what they really mean
Physical and logical security, encryption
Incident prevention and response
Professional security patch management
Identity management, authentication, authorization
Integration of cloud services with internal IT landscape

The cloud service provider business
Service provided and their delivery processes
Technology and resource pools
Business model(s) and achieving sound economics
Risk and challenges

Operating as a Cloud service Provider
Chain of command: How do SaaS cloud providers manage their PaaS or IaaS providers or the other way around
Inspections by customers (or authorities)
Cooperations between cloud providers (e.g. for common standards)
How to become the ideal customer for a CSP?

Contracts with cloud service providers
Business & Technology Risks
Intellectual Property
Service Access / Service Quality KPIs
Data Storage requirements
Inspection & audit support
Example Contract/SLA
Lessons learnt

Cloud Computing: Use cases in a GxP environment
Risk-based approach
Specific responsibilities of the cloud service provider
Specific responsibilities of the cloud customer
Separation of GxP vs. non GxP
Examples

Compliance requirements for the cloud infrastructure
Regulatory requirements
Qualification of the cloud
Validation of the cloud

Inspections and Findings
European Framework to conduct inspections
Availability, data integrity and confidentiality of data
Possibility to perform inspections of CSP
State of the art defined by BSI, ENISA and NIST
Inspections: experiences and findings

Inspections and audit experiences: The pharmaceutical industry perspective
Inspection Trends EMA – Annex 11
Inspection Trends FDA
Inspection Trends other countries
Hot Buttons

Cloud Computing: Data protection
Data protection and privacy – legal requirements
Responsibilities of the cloud service provider
Responsibilities of the cloud customer

Data classification
Responsibility and integration in the IT project management framework
Handling, processing, commissioned processing
of data
Forced disclosure
Applicable regulations
Examples and lessons learnt

Business continuity management
Necessity for Sales/Patients/Annex 11?
Assessing the Business Continuity Risk
Buss. Cont. Plan – BCP
Disaster Recovery - MTPD - RTO - RPO

Government agencies and cloud computing
Objectives and capabilities of government agencies
How and where do they hook in
Internet surveillance and specific attacks
Industry espionage
Countermeasures and their limitations

Experiences with outsourcing and cloud computing
QA involvement
Pain points

Cloud computing: Pros and cons – includes closing discussion
Opportunities and risks of cloud computing
Rationale for using cloud services
Rationale for not using cloud services
Conclusions and recommendations