Qualification Guideline for Microsoft Global Foundation Services and Windows Azure
October 2013
(Posted as "3. Qualification Guideline for Microsoft Office 365" on slidepdf.com; copy retrieved 7/25/2019)
Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key
concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts
represent a fairly radical departure from normal business. By enabling cloud technologies, which
provide an ease of use and ease of implementation, with compliance, which provides the ability to work
with information in a regulatory compliant fashion, the implementing party may find the best of both
worlds.
This set of guideline whitepapers shows how Microsoft is committed to cloud and compliance, spanning
Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a
relatively unique combination of technologies and commitment to compliance.
At the end of the day these are qualification guidelines and do not represent any guarantees from
Microsoft that your processes can be validated in any of the environments discussed or against any of the regulations or standards discussed. Yet when paired with the documentation referred to herein
along with customer evidence, these guidelines offer customers a starting point for their own
“compliance in the cloud” efforts, a starting point that may be furthered by the expertise Montrium has
demonstrated in producing these guidelines.
Mohamed Ayad, Cloud Solution Specialist
Les Jordan, Chief Technology Strategist
Health & Life Sciences Industry Unit
Microsoft
The purpose of this document is to assist Microsoft’s life science customers in establishing a qualification strategy for the Azure platform (Global Foundation Services (GFS) and Windows Azure
services). This guideline identifies the responsibilities shared by Microsoft and its customers for meeting
the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR
Part 11) and EudraLex Volume 4 - Annex 11 Computerised Systems (Annex 11).
The intended audience for this guideline is any regulated customer within the life sciences industry,
aiming to use the Azure platform to host GxP regulated computerized systems. It is assumed that these
regulated systems will support GxP activities and produce and/or manage electronic records.
Traditionally GxP computerized systems have been deployed on specific servers either directly or
through the use of virtual machines. This underlying hardware was usually qualified, managed and
specifically identified as being part of a specific instance of a GxP computerized system. With cloud
computing this paradigm changes slightly. The Azure platform is composed of many hardware and
software components which all fall under the same controls that have been identified in this guideline.
Each time a new server or virtual machine is commissioned within the Azure platform, it is done using
the same process and standards. When considering public cloud based systems, it is important to view
the whole public cloud as one system upon which we are able to install and run GxP computerized
systems. This guideline will help companies achieve this by providing references to the 21 CFR Part 11
controls that are present within the Azure platform and that should be identified in customer
qualification documentation.
Microsoft’s Azure platform services have undergone SSAE 16 (SOC 1 and SOC 2) audits and are certified
according to ISO/IEC 27001:2005 standards. Although these standards do not specifically focus on
regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11.
Montrium has therefore decided to leverage the reports produced by independent third party SSAE and
ISO auditors to identify the procedural and technical controls established at Microsoft that could be
used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit
reports were generated by qualified third party auditors and that all information contained within the
reviewed audit reports was objective and accurate at the time of the audits. It is expected that
customers will perform an independent analysis and verification of relevant regulatory requirements to
determine if the computerized system supporting GxP activities installed within the Azure platform is fit
for its intended purpose. The customer must also ensure that the GxP computerized system will be
sufficiently documented and validated to further demonstrate compliance.
GFS delivers the core infrastructure and foundation technologies for Microsoft's Online Services
environment. Windows Azure is a cloud services operating system that serves as the development,
service hosting and service management environment for the Azure platform. The Azure platform is
classified as a public, off-premise, third-party managed solution which encompasses both Infrastructure
as a Service (IaaS) and Platform as a Service (PaaS) cloud service models. From the perspective of a
regulated user (customer), the Azure platform is considered to be Category 1 – Infrastructure Software
as defined by GAMP5®. The Azure platform is considered to be an “open system” per 21 CFR Part 11,
therefore additional measures, such as encryption should be employed to further secure information
stored within or transiting from the system.
Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of
data stored on the Azure platform and correspond to the applicable regulatory requirements defined in
21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is
responsible for ensuring that the Azure platform meets the terms defined within the governing Service
Level Agreements (SLA). When new virtual machines (VM) are deployed within the Azure Platform, they
are created using the default configuration established by Microsoft. Microsoft is responsible for
ensuring the deployed VM’s are capable of meeting the specifications and the terms of the SLA(s).
In addition to ensuring that computerized systems have the relevant technical controls outlined in the
assessment contained within the guideline, the customer is also responsible for ensuring adequate
procedural controls governing the use of the GxP computerized system are in place. These procedural
controls should cover the technical aspects of system management, including but not limited to logical
security, user management, data backup and recovery and disaster recovery. There should also be
procedural controls relating to the operation of the GxP computerized system. The customer should
determine the GxP requirements that apply to the computerized system based on its intended use and
follow internal procedures governing qualification and/or validation processes to demonstrate that the
GxP requirements are met.
In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural
and technical controls that Microsoft has implemented could serve to demonstrate that the Azure
platform is being maintained in a state of control that is in accordance with the applicable regulatory requirements. Moreover, the customer may leverage the audited controls described in this document
and related audit reports as part of the risk analysis and qualification effort of their GxP computerized
system installed on the Azure platform.
than the right to host Customer Data on Microsoft systems, including the right to use and
reproduce Customer Data within Microsoft systems solely for such hosting purposes.” Data
security beyond the access controls mechanisms, including but not limited to fine-grain access controls or encryption, is the responsibility of the customer.
1.3 Audience and Scope
The intended audience for this guideline is any regulated customer within the life sciences
industry, aiming to use the Azure platform services to host GxP regulated computerized systems.
It is assumed that these regulated systems will support GxP activities and produce and/or manage
electronic records. The specific GxP activities performed within the customer’s GxP computerized
systems are not addressed in this guidance document, as the customer is responsible for defining
the requirements and evaluating the risk associated with each GxP computerized system installed
within the Azure platform.
The regulations within the scope of this qualification guidance document are limited to the
following:
- FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10 and Sec 11.30) (Ref. [5]) [footnote 1]
- EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [8]) [footnote 2]
The Azure platform components which are within scope of this guideline are:
- Cloud Services (comprised of stateless Web, Worker and VM roles)
- Storage (includes Blobs, Queues, and Tables)
- Networking (includes Traffic Manager, Windows Azure Connect and Virtual Network)
- Virtual Machines
This guideline also covers the underlying infrastructure components provided by the Global
Foundation Services group upon which the Azure platform is delivered to Microsoft customers.
1.4 Methodology
Microsoft’s Azure platform services have undergone SSAE 16 Service Organization Control (SOC)
audits and are also certified according to ISO/IEC 27001:2005 standards (see Section 2.4).
Montrium has leveraged the reports produced by independent third party auditors to identify
procedural and technical controls established at Microsoft which could be used to satisfy
regulatory requirements within US FDA 21 CFR Part 11 (Ref. [5]) and EudraLex Volume 4 - Annex
11 (Ref. [8]). These controls are described in detail in Section 2.5. Montrium based the analysis on
the ISO and SSAE 16 standards as they have similar objectives to 21 CFR Part 11 and EudraLex
Volume 4 - Annex 11 in relation to controls for computerized systems.
Footnote 1: 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not
provide electronic signature functionality as part of the above services.
Footnote 2: Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that
the same principles are for the most part applicable to GCP and GLP systems.
The qualification approach summarizes the activities and responsibilities shared between the
regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against
the relevant regulatory requirements. A detailed assessment (see Section 3.2 and 3.3) was
performed on each regulatory requirement to interpret how compliance could be achieved within
the context of a hosted GxP computerized system installed on the Azure platform. The
assessment described the responsibilities of the customer and Microsoft, as well as the activities,
documentation and controls (technical/procedural) that are required to meet the regulatory
requirement.
The contents of this document are based on these assumptions:
- Audit reports listed in Section 2.4 were generated by qualified third party auditors.
- All information contained within the reviewed audit reports was objective and accurate at
  the time of the audits.
- Customers will perform an independent analysis and verification of related regulatory
  requirements to determine if the computerized system(s) supporting GxP activities installed
  within the Azure platform is fit for its intended purpose.
- The GxP computerized system will be sufficiently documented and validated by the
  customer to demonstrate compliance with all applicable regulations.
The following table lists the formal audit reports prepared by third parties which were reviewed
by Montrium in order to identify relevant controls which have a potential impact on compliance
with the 21 CFR Part 11 (Ref. [5]) and Annex 11 (Ref. [8]) regulations. Existing Microsoft customers
may request access to these reports subject to NDA terms and conditions, through their
respective Microsoft account representatives.
Audited Service        Audit Type            Date                Reference No.
GFS & Windows Azure    SOC 1 Type II         May 03, 2012        Ref. [1]
GFS                    SOC 2 Type II         April 18, 2012      Ref. [2]
Windows Azure          ISO/IEC 27001:2005    November 14, 2011   Ref. [3]
2.4.1 ISO/IEC 27001:2005 Certification
ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,
monitoring, reviewing, maintaining and improving a documented Information Security
Management System within the context of the organization's overall business risks. It specifies
requirements for the implementation of security controls customized to the needs of individual
organizations or parts thereof.
Windows Azure core services (Compute, Storage, Virtual Network and Virtual Machines) are
ISO/IEC 27001:2005 certified.
Included in the above are Windows Azure service management features and the Windows Azure Management Portal, as well as the information management systems used to monitor, operate,
and update these services.
ISO/IEC 27001:2005 certifications for Windows Azure and Global Foundation Services can be
found by clicking on the following links:
- Azure ISO/IEC 27001:2005 certificate
- GFS ISO/IEC 27001:2005 certificate
2.4.2 SOC Service Audit Reports
Service Organization Controls (SOC) reports are designed by the American Institute of Certified
Public Accountants (AICPA) to help service organizations that operate information systems and provide information system services to other entities, build trust and confidence in their service
delivery processes and controls through a report by an independent Certified Public Accountant.
SOC 1 Service Auditor’s Reports are conducted in accordance with the professional standard
known as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are
geared towards reporting on controls at service organizations that are relevant to internal
control over financial reporting (ICFR), and replace the SAS 70 auditing standard.
d. The process to make changes and updates to user profiles;
e. Distribution of output restricted to authorized users;
f. Restriction of access to offline storage, backup data, systems and media;
g. Restriction of access to system configurations, super-user functionality, master
   passwords, power utilities and security devices (for example, firewalls).
The ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking and
monitoring logical assets, as well as determining the associated asset security level following a
documented methodology.
2.5.4 System Monitoring and Maintenance
The SOC 1 audit reported that proper controls are established to provide reasonable assurance that the Azure platform is monitored for known security vulnerabilities and potential
unauthorized activity. An automated logging and alerting system is used for detecting
unauthorized activity and security events.
The following activities/controls were audited in relation to system monitoring and
maintenance:
- Logging and Monitoring;
- Patching.
The GFS SOC 2 audit reported that proper controls are established to monitor the GFS
infrastructure components and proper actions are taken to maintain compliance within its defined system security policies. Automated tools are used to monitor the security controls on a
regular basis. The GFS group monitors, logs, reports and takes appropriate action to resolve
events involving critical/suspicious activities.
The ISO/IEC 27001:2005 audit reported that procedural controls are in place for logging and
monitoring of individual components of Windows Azure, patch management, and related
change management. Procedural controls are in place for security incident management. These
controls define roles and responsibilities, resolution methodology, and communication
requirements based on criticality. Performance related to the resolution of security incidents is
tracked, monitored and reported.
2.5.5 Data Backup, Recovery and Retention
The SOC 1 audit reported that Microsoft has implemented processes which manage the backup
of critical Windows Azure components and data, including customer subscriptions, hosted
services, certificates and deployments.
The GFS SOC 2 audit reported that the GFS Data Protection Services group which manages the
secure backup system infrastructure provides secure backup retention and restoration of data in
framework to assess risks to the Azure environment, develop mitigation strategies and
implement security controls.
The ISO/IEC 27001:2005 audit reported that Microsoft effectively follows a risk based
methodology for the management of the Azure platform. Impacts of the risks to assets are
qualitatively assessed based on vulnerability, likelihood, current and planned controls.
Recommended controls are applied based on risk classification and mitigation plans are
established to reduce the risk level to an acceptable limit. Management reviews and approves
residual risks.
2.5.11 Documentation / Asset Management
The procedure governing software development was audited against a control objective which
stipulates that the development of new features or major changes must be documented. In
addition, Microsoft has confirmed to Montrium that a Document and Records Management procedure governing protection and retention of documentation is in force. Microsoft has also
indicated to Montrium that the baseline configuration of Windows Azure components is
documented, managed, maintained and controlled for access via access control mechanisms.
Additionally, this configuration is performed according to the Asset management guidelines.
The ISO/IEC 27001:2005 audit reported that an Asset Management procedure is in place, which
provides guidelines for ensuring assets are properly managed. Microsoft defines an asset as
something that supports the delivery of the Windows Azure Service including, source code,
design documents, contracts and agreements, system documentation, standard operating
procedures, business continuity plans, configuration files, etc.
2.5.12 Training Management
The SOC 1 audit reported that employee, contractor and third party’s roles and responsibilities
with regards to information security are defined in a related policy and that training and
awareness is provided on an ongoing basis. The definitions of roles and responsibilities for the
different functions with regards to information security have been established and are
documented. Information security training is provided through different channels on a periodic
basis. Training material was found to cover security policy requirements and training records
were maintained and up-to-date.
The GFS SOC 2 audit reported security policies concerning information security and business
conduct were implemented. Training is mandatory for all employees on these policies. Procedures and standards cover policy training and training requirements. Training is
documented and compliance with training requirements is monitored.
The ISO/IEC 27001:2005 audit reported that training pertaining to security, compliance, and
Microsoft Security Development Lifecycle was mandatory. This audit reported evidence of the
involvement and commitment of management towards achieving full compliance with this
requirement.
Qualification is defined as “a process of demonstrating the ability of an entity to fulfill specified
requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components
such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms
regardless of whether they are specific or of a generic nature.” [footnote 7]
Validation consists of demonstrating, with objective evidence, that a system meets the requirements of
the users and their processes. As such, validation is performed by the regulated users (customer) of the
GxP computerized systems that reside on the Azure platform, whereas the platform must be qualified in
order to maintain a documented account of the specification and adequacy of the infrastructure.
Additional information for GxP computerized system validation can be found within the following
guidance documents:
- PIC/S - Good Practices for Computerised Systems in Regulated “GxP” Environments (Ref. [20]);
- GAMP 5 - A Risk-Based Approach to Compliant GxP Computerized Systems (Ref. [6]).
In the context of a public IaaS and PaaS cloud service model, the customer does not typically have
control over the underlying infrastructure hardware and software components. The cloud service
provider is responsible for managing and maintaining these components and ensuring that they meet
the terms defined within the governing Service Level Agreement(s).
Figure 2 – Qualification of Infrastructure vs. Validation of Applications
[Figure: layered stack, top to bottom: Applications (subject to Validation); Infrastructure Software & Tools, Network Components, Infrastructure Hardware, Data Center Facilities (subject to Qualification)]
Footnote 7: ISPE, GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [7])
expected deliverables would include but are not limited to:
a. Qualification / Validation plan describing the activities, responsibilities and
   deliverables to be produced for each GxP computerized system installed within the Azure platform;
b. Specification documentation describing the GxP computerized system’s
   requirements, functionality and intended use;
c. Risk Assessments covering both the decision to install the GxP computerized
   system within the Azure platform, and a functional risk assessment of the GxP
   computerized system. The assessments should include mitigation actions
   required to address identified risks;
d. Adaptation and verification of VM configuration to meet the specific resource
   requirements of the GxP computerized system which will be installed on the VM;
e. Verification documentation providing evidence that the GxP computerized
   system meets its intended use as defined within relevant specification
   documents;
4) Maintain and operate the GxP computerized system in a secure and controlled manner
according to internally developed procedures as defined in point 1) above.
3.2 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
The following table outlines the assessment that was performed on each regulatory requirement
of US FDA 21 CFR Part 11 which were identified as in scope in Section 1.2 of this document. The primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
In conjunction with the responsibilities identified in Section 3.1, we further identify which controls
fall within the responsibility of Microsoft versus the controls that are considered the responsibility
of the customer when using the Azure platform for regulated GxP computerized systems.
The ability to generate accurate and complete copies of records in both human readable and electronic
form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the
electronic records.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By protecting and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:
- Security Policies and Procedures (see Section 2.5.1)
- Physical Security (see Section 2.5.2)
- Logical Security (see Section 2.5.3)
- System Monitoring and Maintenance (see Section 2.5.4)
Protection of records to enable their accurate and ready retrieval throughout the records retention
period.
Customer – Regulated User
The customer is responsible for ensuring that appropriate controls are established to protect records
pertaining to GxP activities performed within GxP computerized systems which are deployed on the Azure
platform and to ensure the records are readily available throughout their retention period.
Description of activities, documentation and controls:
- Establish procedure(s) that govern the following topics:
  o Logical security - describing the security controls which are required in order to prevent
    unauthorized access to the application;
  o Records Retention and Archiving – to ensure adequate record retention policies and
    archive management processes are in place;
  o Backup and Restoration – to ensure proper protection of records through backup
    mechanisms with regular restoration tests;
  o System Monitoring – to ensure consistent availability and performance of GxP
    computerized system;
- Data repatriation plans are established and tested in the case of contract termination with
  Microsoft for Azure services.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to secure the Azure platform and to provide appropriate system backup and data retention policies. Data backup and retention policies/procedures are
defined and maintained in accordance to regulatory, statutory, contractual or business requirements.
These controls help to satisfy the above regulatory requirement, such that Microsoft backs up Windows
Azure infrastructure data regularly and validates restoration of data periodically for disaster recovery
purposes.
Microsoft meets these requirements through the following controls:
- Security Policies and Procedures (see Section 2.5.1)
- Physical Security (see Section 2.5.2)
- Logical Security (see Section 2.5.3)
- System Monitoring and Maintenance (see Section 2.5.4)
- Data Backup, Recovery and Retention (see Section 2.5.5)
The customer is responsible for ensuring that an individual must have a valid user account in order to
access both the Azure platform and any relevant GxP computerized system. Within the Azure platform and
GxP computerized system, user permissions must be managed by the System Administrator to specify
what areas of the computerized system are accessible to authorized users.
Description of activities, documentation and controls:
- Windows Azure customers register for the service by creating a subscription through the Windows
  Azure Portal web site. Customers manage applications and storage through their subscription
  using the Windows Azure management portal;
- Ensure proper procedures are established to govern logical and physical security over the terminal
  devices (e.g. workstations, laptops, etc.) used to access the Azure platform. The procedure should
  clearly describe how access to the system is managed, as well as how user system access is
  documented;
- Appropriate System Administration practices are followed for GxP computerized systems installed
  on the Azure platform based on predefined system administration procedures.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:
- Security Policies and Procedures (see Section 2.5.1)
- Physical Security (see Section 2.5.2)
- Logical Security (see Section 2.5.3)
The establishment of, and adherence to, written policies that hold individuals accountable and responsible for actions initiated under their electronic signatures, in order to deter record and signature
falsification.
Customer – Regulated User
This requirement would be applicable if the customer has implemented a GxP computerized system which
provides users with the ability to apply electronic signatures to sign electronic records (see definition in
Section ). The customer would in this case be responsible for implementing controls governing the use of
electronic signatures ensuring that individuals are aware that they are accountable and responsible for
actions initiated under their electronic signatures.
Description of activities, documentation and controls:
- A written policy should be established that holds individuals accountable and responsible for
  actions initiated under or authorized by their electronic signatures;
- Ensure that appropriate Training policies are established and that training and personnel
  qualification are documented (i.e. training records, CV).
Microsoft – Cloud service provider
Microsoft does not participate in the generation of electronic records or application of electronic
signatures, therefore does not have any responsibilities with regards to this regulatory requirement.
3.3 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
The following table outlines the assessment that was performed on each regulatory requirement of
EudraLex Volume 4 Annex 11 which were identified as in scope in Section 1.2 of this document. The
primary objective of the assessment is to identify the procedural and technical controls that are
required to satisfy the different regulatory requirements.
We further identify which controls fall within the responsibility of Microsoft versus the controls that are
considered the responsibility of the customer when using the Azure platform for regulated GxP
computerized systems.
PRINCIPLE
This annex applies to all forms of computerised systems used as part of GMP regulated activities. A
computerised system is a set of software and hardware components which together fulfill certain functionalities.
The application should be validated; IT infrastructure should be qualified.
Where a computerised system replaces a manual operation, there should be no resultant decrease in
product quality, process control or quality assurance. There should be no increase in the overall risk of
the process.
Customer – Regulated User
The customer must interpret this regulation as applying to all GxP Computerized Systems supporting GxP
related activities that will be installed on the Azure platform (IaaS & PaaS).
The customer is responsible for validating the GxP computerized systems installed within the Azure platform along with ensuring that the Microsoft Azure VM that has been deployed for their use has been
appropriately qualified.
Microsoft – Cloud service provider
Microsoft’s responsibility towards their customers is to ensure that the components supporting the Azure
platform have been developed, verified and deployed in a controlled fashion and managed according to
approved procedures.
There should be close cooperation between all relevant personnel such as Process Owner, System Owner,
Qualified Persons and IT. All personnel should have appropriate qualifications, level of access and
defined responsibilities to carry out their assigned duties.
Customer – Regulated User
The customer is responsible for ensuring that controls are established to govern the training and the
activities assigned to their personnel. They should also document the method used to confirm or verify an
individual’s qualifications and experience against formal job descriptions to ensure they are qualified to
perform assigned tasks.
The customer is also responsible for ensuring that an individual has a valid user account in order to access the
Azure platform and any relevant GxP computerized system. Within both the Azure platform and the GxP
computerized system, user permissions must be managed by the customer's assigned System
Administrator to specify which areas of the system are accessible to authorized users.
Description of activities, documentation and controls:
Ensure that appropriate training policies are established and that training and personnel
qualifications are documented (e.g. training records, CVs);
Ensure that personnel are aware of their roles and responsibilities through approved and signed
documentation such as Job Descriptions;
User Account Management procedures should be established to govern the assessment, enabling
and disabling of IT system user accounts;
Different levels of system access should be formally defined for each GxP Computerized System
deployed on Azure and users should be assigned to the different levels through the User Account
Management procedure.
Microsoft – Cloud service provider
Microsoft is responsible for maintaining the Azure platform infrastructure and services which store
customer electronic records, and therefore must ensure that appropriate training policies are established and
that training and personnel qualifications are documented (e.g. training records, CVs).
Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure
platform is restricted to authorized individuals.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
Training Management (see Section 2.5.12)
3.1 When third parties (e.g. suppliers, service providers) are used e.g. to provide, install, configure,
integrate, validate, maintain (e.g. via remote access), modify or retain a computerised system or related
service or for data processing, formal agreements must exist between the manufacturer and any third
parties, and these agreements should include clear statements of the responsibilities of the third party.
IT-departments should be considered analogous.
Customer – Regulated User
The customer is responsible for assessing third party suppliers that have an impact on relevant GxP
computerized systems. They are responsible for ensuring that controls addressing the identification,
assessment, selection and management of third party suppliers are established.
Description of activities, documentation and controls:
Ensure that a vendor selection process has been defined and is covered within an effective
procedure;
Ensure that, when needed, appropriate contracts are established (e.g. NDAs, SLAs);
Ensure that contracts establish clear statements of responsibility;
Ensure that vendor selection evidence and documentation is maintained following governing
Record Retention policies.
Microsoft – Cloud service provider
Microsoft would be considered a third party service provider to the customer within the context of this
requirement, and formal agreements will be in place between the customer and Microsoft which include a
service level agreement that clearly defines the responsibility of each party. In addition, Microsoft is
responsible for ensuring that they appropriately document and control the services provided by third party
suppliers within the context of their Azure platform offering.
Microsoft meets these requirements through the following controls:
Documentation / Asset Management (see Section 2.5.11)
Vendor Management (see Section 2.5.14)
7.1 Data should be secured by both physical and electronic means against damage. Stored data should
be checked for accessibility, readability and accuracy. Access to data should be ensured throughout the
retention period.
Microsoft – Cloud service provider
Microsoft manages the security component which authenticates users of the Azure platform and is
therefore responsible for ensuring that proper controls are established to securely manage the user access
control system.
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are
continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
Service Level Agreements (see Section 2.5.9)
Consideration should be given, based on a risk assessment, to building into the system the creation of a
record of all GMP-relevant changes and deletions (a system generated "audit trail"). For change or
deletion of GMP-relevant data the reason should be documented. Audit trails need to be available and
convertible to a generally intelligible form and regularly reviewed.
Microsoft – Cloud service provider
Microsoft does not provide GxP computerized systems as part of the Azure platform and therefore does not
need to implement audit trails; the audit trail for GMP-relevant data is a function of the GxP computerized
system itself. However, Microsoft is responsible for implementing adequate controls to secure the Azure
platform and provide appropriate system monitoring. By securing and monitoring the Azure platform, these
controls help to satisfy the above regulatory requirement, such that the GxP computerized systems on the
Azure platform are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
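The audit trail required above has to live in the customer's GxP application, not in the platform. As an added example (written for this page, not code from the guideline, from Montrium or from Microsoft), the following Python shows one way to implement it: every create, change and deletion is recorded with the before and after content, the acting user, a timestamp and a mandatory reason, and each entry carries the hash of its predecessor, so that later editing or removal of an entry is detectable on review. The record fields, user names and sample data are constructed for the example; a real system would persist the trail to write-once storage under access control separate from the application's own administrators.

```python
from __future__ import annotations
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Optional

def canonical(obj: Any) -> bytes:
    """Deterministic JSON encoding, so an entry always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    user: str
    action: str        # "create", "update" or "delete"
    record_id: str
    before: Any        # record content before the action (None on create)
    after: Any         # record content after the action (None on delete)
    reason: str
    prev_hash: str     # hash of the previous entry; this links the chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return hashlib.sha256(canonical(body)).hexdigest()

class AuditedRecordStore:
    """In-memory record store that appends a hash-chained audit entry for every create,
    update and delete. Constructed for this example; a real system would persist the
    trail to append-only storage under separate access control."""
    GENESIS = "0" * 64

    def __init__(self, clock: Optional[Callable[[], str]] = None):
        self._records: dict[str, dict] = {}
        self.trail: list[AuditEntry] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))

    def _append(self, user, action, record_id, before, after, reason) -> AuditEntry:
        if action != "create" and not reason.strip():
            # Annex 11 section 9: the reason for a change or deletion must be documented.
            raise ValueError("a reason is mandatory for change or deletion of GMP-relevant data")
        prev = self.trail[-1].entry_hash if self.trail else self.GENESIS
        entry = AuditEntry(len(self.trail) + 1, self._clock(), user, action, record_id,
                           before, after, reason, prev)
        entry.entry_hash = entry.compute_hash()
        self.trail.append(entry)
        return entry

    def create(self, user: str, record_id: str, data: dict, reason: str = "") -> AuditEntry:
        entry = self._append(user, "create", record_id, None, dict(data), reason)
        self._records[record_id] = dict(data)
        return entry

    def update(self, user: str, record_id: str, data: dict, reason: str) -> AuditEntry:
        before = dict(self._records[record_id])      # KeyError if the record is unknown
        entry = self._append(user, "update", record_id, before, dict(data), reason)
        self._records[record_id] = dict(data)
        return entry

    def delete(self, user: str, record_id: str, reason: str) -> AuditEntry:
        before = dict(self._records[record_id])
        entry = self._append(user, "delete", record_id, before, None, reason)
        del self._records[record_id]
        return entry

    def get(self, record_id: str) -> Optional[dict]:
        return self._records.get(record_id)

def verify_trail(trail: list[AuditEntry]) -> tuple[bool, Optional[int]]:
    """(True, None) if every hash and chain link checks out, else (False, first bad seq)."""
    prev = AuditedRecordStore.GENESIS
    for expected_seq, entry in enumerate(trail, start=1):
        if (entry.seq != expected_seq or entry.prev_hash != prev
                or entry.compute_hash() != entry.entry_hash):
            return False, expected_seq
        prev = entry.entry_hash
    return True, None

def render_trail(trail: list[AuditEntry]) -> list[str]:
    """Convert the trail into a generally intelligible form for periodic review."""
    lines = []
    for e in trail:
        if e.action == "create":
            what = f"created with {e.after}"
        elif e.action == "update":
            what = "changed " + ", ".join(
                f"{k}: {e.before.get(k)!r} -> {e.after.get(k)!r}"
                for k in sorted(set(e.before) | set(e.after)) if e.before.get(k) != e.after.get(k))
        else:
            what = f"deleted (last content {e.before})"
        lines.append(f"#{e.seq} {e.timestamp} {e.user} {e.record_id}: {what}; reason: {e.reason or '-'}")
    return lines

def demo() -> tuple[list[str], tuple[bool, Optional[int]]]:
    """Constructed sample data: one batch record that is edited and then deleted."""
    store = AuditedRecordStore(clock=lambda: "2013-10-01T09:00:00+00:00")
    store.create("analyst1", "BATCH-0001", {"potency": 98.2, "status": "draft"})
    store.update("qa_reviewer", "BATCH-0001", {"potency": 98.2, "status": "approved"}, "QA review complete")
    store.delete("qa_manager", "BATCH-0001", "duplicate of BATCH-0002")
    return render_trail(store.trail), verify_trail(store.trail)
```

verify_trail() is what a periodic review should run first, and render_trail() produces the generally intelligible form the requirement asks for. The chain detects tampering but does not prevent it: an administrator who can rewrite every entry can recompute every hash, so the current head hash should be anchored somewhere the application's own administrators cannot alter.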
10 - Change and Configuration Management
Any changes to a computerised system including system configurations should only be made in a
controlled manner in accordance with a defined procedure.
Customer – Regulated User
The customer is responsible for establishing controls to govern the change and configuration management
processes related to GxP computerized systems deployed on the Azure platform.
Description of activities, documentation and controls:
Ensure that appropriate System Change Control, Configuration Management, Application Quality
and Security procedures along with documentation management controls are established.
Microsoft – Cloud service provider
Microsoft is responsible for ensuring that controls are in place to govern the management of GFS and
Azure components used for GxP computerized systems deployed on the Azure platform.
Microsoft meets these requirements through the following controls:
Software Development / Change Management (see Section 2.5.7)
The customer is responsible for ensuring that controls are established to govern the maintenance of the
GxP computerized systems' validated state throughout their lifecycle. These controls should include the
related topics identified in Section 3.1.2.
Description of activities, documentation and controls:
Ensure that computer system validation and change control policies are established for GxP
computerized systems deployed on the Azure platform;
Ensure that system maintenance procedures are in place to manage GxP computerized systems
deployed on the Azure platform;
Ensure that deviation and incident management procedures are in place to manage deviations,
incidents and problems that arise with GxP computerized systems deployed on the Azure platform.
Microsoft – Cloud service provider
Microsoft is not responsible for validation of systems to verify compliance with GMP regulations. However,
Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide
appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to
satisfy the above regulatory requirement, such that the GxP computerized systems on the Azure platform
are protected and are continually available.
Microsoft meets these requirements through the following controls:
Security Policies and Procedures (see Section 2.5.1)
Physical Security (see Section 2.5.2)
Logical Security (see Section 2.5.3)
System Monitoring and Maintenance (see Section 2.5.4)
Service Level Agreements (see Section 2.5.9)
Electronic records may be signed electronically. Electronic signatures are expected to:
a. have the same impact as hand-written signatures within the boundaries of the company,
b. be permanently linked to their respective record,
c. include the time and date that they were applied.
Customer – Regulated User
The customer is responsible for verifying that GxP computerized systems installed within Azure VMs
that apply electronic signatures meet this requirement.
Description of activities, documentation and controls:
Ensure that the use and meaning of Electronic Signatures are defined within a procedural control;
Ensure that procedural controls are established to govern the assignment of Electronic Signatures.
Microsoft – Cloud service provider
This regulatory requirement does not apply to Microsoft as this functionality is not provided as a part of
the Azure platform.
15 - Batch release
When a computerised system is used for recording certification and batch release, the system should
allow only Qualified Persons to certify the release of the batches and it should clearly identify and record
the person releasing or certifying the batches. This should be performed using an electronic signature.
Customer – Regulated User
The customer is responsible for ensuring that GxP computerized systems to be implemented within the
Azure platform have been assessed against this requirement.
Description of activities, documentation and controls:
The defined Computer System Validation process should ensure that this requirement is assessed
and appropriate supporting documentation must be produced;
Ensure that controls have been defined and implemented to govern the use of electronic signatures.
Microsoft – Cloud service provider
This requirement does not apply to Microsoft. Microsoft does not have direct control over GxP activities,
as these would be implemented within GxP computerized systems that are installed and managed by the
customer on the Azure platform.
Microsoft does not provide electronic signature functionality as part of the Azure platform.
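For the electronic signature requirement (section 14) and the batch release requirement (section 15) above, the following Python is an added example, not code from the guideline, from Montrium or from the Azure platform, of the checks a GxP application itself has to perform. The signature is computed over a digest of the record content together with the signer's identity, the meaning of the signature and the date and time it was applied, so it cannot be detached from its record or moved to another one, and the batch_release meaning is refused unless the signer holds the Qualified Person role. The user list, role names, batch record and keys are constructed for the example; an HMAC with a per-signer secret stands in for the PKI-based signature a production system would use, which gives integrity and binding but not non-repudiation, since the verifier holds the same key.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Any, Callable, Optional

# Signature meanings and the role each one requires. Only "batch_release" is restricted,
# to Qualified Persons (Annex 11 section 15); the other meanings are assumptions of the example.
ROLE_REQUIRED = {"batch_release": "qualified_person", "review": None, "approval": None}

class SignatureError(Exception):
    pass

def canonical(obj: Any) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")

def record_digest(record: dict) -> str:
    """Hash of the record content that the signature is bound to."""
    return hashlib.sha256(canonical(record)).hexdigest()

class SignatureService:
    """Applies and verifies electronic signatures. `users` maps a user id to a dict with
    "name", "roles" (set of role names) and "key" (per-signer secret bytes). The HMAC key
    stands in for a PKI private key; that substitution is an assumption of this example."""

    def __init__(self, users: dict[str, dict], clock: Optional[Callable[[], str]] = None):
        self._users = users
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))

    def sign(self, user_id: str, record: dict, meaning: str) -> dict:
        user = self._users[user_id]
        if meaning not in ROLE_REQUIRED:
            raise SignatureError(f"unknown signature meaning {meaning!r}")
        needed = ROLE_REQUIRED[meaning]
        if needed and needed not in user["roles"]:
            raise SignatureError(f"{user_id} lacks role {needed!r}; cannot sign {meaning}")
        manifest = {
            "record_digest": record_digest(record),   # (b) permanently linked to the record
            "signer_id": user_id,                     # section 15: identifies the person
            "signer_name": user["name"],
            "meaning": meaning,
            "signed_at": self._clock(),               # (c) time and date of application
        }
        tag = hmac.new(user["key"], canonical(manifest), hashlib.sha256).hexdigest()
        return {**manifest, "tag": tag}

    def verify(self, record: dict, signature: dict) -> bool:
        """True only if the signature is authentic and the record is unchanged since signing."""
        user = self._users.get(signature.get("signer_id"))
        if user is None:
            return False
        manifest = {k: v for k, v in signature.items() if k != "tag"}
        if manifest.get("record_digest") != record_digest(record):
            return False                              # record altered after signing
        expected = hmac.new(user["key"], canonical(manifest), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature.get("tag", ""))

def release_batch(service: SignatureService, user_id: str, batch: dict) -> dict:
    """Certify a batch for release: returns the batch record with its release signature
    attached. Raises SignatureError if the user is not a Qualified Person."""
    if batch.get("release_signature") is not None:
        raise SignatureError("batch already released")
    content = {k: v for k, v in batch.items() if k != "release_signature"}
    sig = service.sign(user_id, content, "batch_release")
    return {**content, "release_signature": sig}

def verify_release(service: SignatureService, released: dict) -> bool:
    sig = released.get("release_signature")
    if not sig or sig.get("meaning") != "batch_release":
        return False
    content = {k: v for k, v in released.items() if k != "release_signature"}
    return service.verify(content, sig)

# Constructed sample users and batch; the keys are placeholders for this example only.
SAMPLE_USERS = {
    "qp01": {"name": "A. Qualified", "roles": {"qualified_person"}, "key": b"qp01-secret-key"},
    "op02": {"name": "B. Operator", "roles": {"operator"}, "key": b"op02-secret-key"},
}
SAMPLE_BATCH = {"batch_id": "BATCH-0001", "product": "Tablet 10 mg", "result": "pass"}

def demo() -> tuple[dict, bool, bool]:
    service = SignatureService(SAMPLE_USERS, clock=lambda: "2013-10-01T10:15:00+00:00")
    released = release_batch(service, "qp01", dict(SAMPLE_BATCH))
    ok = verify_release(service, released)
    tampered = {**released, "result": "fail"}        # any change after signing breaks the link
    return released, ok, verify_release(service, tampered)
```

The role check sits inside sign(), not in the user interface, so a caller cannot bypass it by reaching the signing function directly. Because the timestamp and the signer's identity are inside the signed manifest, changing either after the fact invalidates the tag just as changing the record does.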
For the availability of computerised systems supporting critical processes, provisions should be made to
ensure continuity of support for those processes in the event of a system breakdown (e.g. a manual or
alternative system). The time required to bring the alternative arrangements into use should be based
on risk and appropriate for a particular system and the business process it supports. These arrangements
should be adequately documented and tested.
Customer – Regulated User
The customer is responsible for ensuring that mechanisms for Disaster Recovery and Business Continuity
are established and tested, should any issue arise with either the GxP computerized system or with the
Azure platform.
Description of activities, documentation and controls:
Establish a comprehensive disaster recovery and business continuity plan and test it regularly. This
plan should include provisions in the case that the Azure platform becomes unavailable. The plan
should also integrate risk and impact assessment mechanisms;
Ensure that backup infrastructure and policies are established and have been tested for GxP
computerized systems installed on the Azure platform;
Ensure that data repatriation plans are established and tested.
Microsoft – Cloud service provider
Microsoft is responsible for implementing adequate controls to ensure the Azure platform remains
available in the event of disaster. Backup and retention policies/procedures are defined and maintained in
accordance with regulatory, statutory, contractual or business requirements. These controls help to satisfy
the above regulatory requirement, in that Microsoft backs up Windows Azure infrastructure data
regularly and periodically validates restoration of data for disaster recovery purposes.
Microsoft meets these requirements through the following controls:
System Monitoring and Maintenance (see Section 2.5.4)
Data Backup, Recovery and Retention (see Section 2.5.5)
Service Level Agreements (see Section 2.5.9)
Disaster Recovery (see Section 2.5.13)
In summary, when considering the use of a public, off-premise, third party managed cloud service to
host GxP computerized systems it is important to assess the adequacy of the cloud service provider’s
controls which ensure confidentiality, integrity and availability of data stored on the hosted platform.
Defining roles and responsibilities shared between the regulated user and the cloud service provider is
essential.
As outlined within this guidance document, Microsoft has implemented procedural and technical
controls which are relevant to regulatory requirements stipulated within US FDA 21 CFR Part 11 and
EudraLex Volume 4 Annex 11. These controls have been independently audited and could serve to
demonstrate that the Azure platform is maintained in a state of control that is in accordance with the
applicable regulatory requirements. The assessment has shown that the audited controls are similar to
those required to satisfy the applicable regulatory requirements, therefore the customer may leverage
these audits as part of the risk analysis and qualification effort of their GxP computerized system
installed on the Azure platform.
Of equal importance are the activities and controls which must be implemented by the customer to
ensure that GxP computerized systems are maintained in a secured and qualified state. A summary of
these activities was provided in Section 3.1.2. The customer should identify the specific activities within
a qualification plan for each GxP computerized system installed on the Azure platform. In order to
qualify the system and maintain it in a qualified state, Montrium recommends implementing
procedures/policies which cover the topics as outlined in Appendix A.
Training Management: Define an internal training program to ensure that personnel have the
competencies required to access and work within the applications hosted on the controlled cloud
platform. Additional training needs may need to be defined for each controlled application within the
cloud platform.

Documentation Management: Establish the framework under which official records and documents are
created and managed. The intent is to ensure that the company's business areas have the appropriate
governance, supporting structure and resources established to enable them to manage their records and
documents in a manner that is planned, controlled, monitored, recorded and audited, using authorized
systems.

Incident and Problem Management (Helpdesk): Define a formal Helpdesk process to ensure that issues
are raised, recorded and resolved in a formal and controlled manner.

Change / Configuration Management: Define a formal process for change management that ensures
system changes are implemented in a controlled fashion. This procedure must also establish the
framework for proposing, reviewing and approving changes to a system. Configuration Management is
addressed to ensure that all updates to baseline items are controlled and traceable.

Vendor Management: Define a formal process to ensure that vendors are identified, assessed, selected
and managed in a formal and controlled manner.

Disaster Recovery and Business Continuity: Assist in the recovery of the company's information
technology infrastructure and ensure the continued operation of identified business-critical systems in
the event of a serious disruption.