The Control Freak Cometh!
Applying Best Practice for Infrastructure Compliance
Agenda
Why Do We Need A Compliant Infrastructure?
How High Is That Hill?
Where Do I Start?
What Do I Need?
How Do I Get There?
Best Practice Or Controls?
D. K. Stephenson Regulatory Compliance SME
Why Do We Need A Compliant Infrastructure?
Compliance with What??
ISO 27001
ITIL
CoBIT
ISO 20000
Sarbanes Oxley
Basel II
FDA & MHRA Regulations 21 CFR 11 etc
Personal Identifiable Data (Caldicott Rule)
ISO 9001-2008
PCI DSS
Why Do We Need Compliance?
Is it because:
Everyone in my industry is doing it
Fear of an upcoming regulatory inspection
We want to get control over our Infrastructure
There is probably a little of all these in our reasoning, but we must also consider the question:
“How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”
GAMP GPG IT Infrastructure Control & Compliance
What does “Under Compliance” mean?
It means that the:
Planning
Organisation
Installation
Use
Maintenance
of the I.T. infrastructure is Controlled and Documented
Compliance, Regulatory Viewpoint
In the regulated industries (Life Sciences etc), Infrastructure Compliance is achieved by the process of “Qualification”
Where Qualification is defined as:
“The process of demonstrating whether an entity is capable of fulfilling specified requirements. It implies adherence to strict documentation requirements, reviews and approvals”
GAMP GPG IT Infrastructure Control & Compliance
Qualification: the I.T. Viewpoint!
A methodology designed to stop me from doing my work!
An unnecessary overhead on already overworked resource!
Something that we write to keep QA quiet (but do not follow!)
A waste of ******* time!
A pain in the *****!
The best thing since sliced bread ????
In Short!
The Business Viewpoint!
Difficult to get support from the top!
I.T. seen as draconian and inhibitive
Stops the business from doing its business
“I.T. do not understand what we need!”
“This is MY computer, I should be able to do what I want with it!”
10 Requirements of Compliance
Compliance Exercise Planning & Execution
Procedures
Compliance Documentation
Security (Logical & Physical)
Acceptance Testing
Training of Support Personnel
Network Recovery
Support Documentation
Change Control
Periodic Review
Benefits of a Compliant Infrastructure
Demonstrable Control over processes
Increased Integrity of data
Confidence in being Audit Ready
Transparent view of the infrastructure and how it functions
Easier in-life management and upgrade planning
Procedures available to all IT staff
I.T. and business working together
Adherence to best practice
Reduction in duplication of duties
Business Expectations
Cost Effective Solution
Pragmatic Qualification (how much is enough?)
Control Over Processes
Control Over Procedures
Control Over People
Increased Control Of Data
– Confidentiality
– Integrity
– Availability
Confidence In Being Audit Ready
Adherence To Best Practice
How High Is That Hill?
How High?
“Top Ten” Deficiencies (Audited)
Security (Logical & Physical)
Testing (Compliance Exercise)
Change Management/Configuration Management
Operating Procedures
Hardware, Equipment Records, and Maintenance
Training, Education, and Experience
Development Methodology
Compliance Methodology and Planning
Quality Assurance and Auditing
Electronic Records, Electronic Signatures
Why So Many?
In general, the majority of IT departments are doing what is right: they are following all or many of the necessary processes, but with ONE MAJOR EXCEPTION!
THEY DO NOT WRITE IT DOWN!!!!!!!!
The Auditor's Viewpoint!
IF IT IS NOT WRITTEN DOWN IT DID NOT HAPPEN!
IF IT IS NOT SIGNED IT’S GRAFFITI!
ANYTHING THAT ISN’T DOCUMENTED IS JUST RUMOUR!
Where Do I Start?
At The Beginning!
Step 1, DO NOT throw the baby out with the bath water!!!
1st Steps
Draw up a plan:
What do you want to achieve?
By when?
What resource is available?
What budget is available?
Do not cut corners!
Stick to it!!!!!!
Top Tips!
Get buy in from the top, need a Sponsor
Assess the situation (Business & I.T)
Apply a “RISK BASED METHODOLOGY”
What do we actually need?
Is what we want and what we need different?
Base testing on criticality & use
Base risk on:
– The effect on quality and data
– The likelihood of failure
– The likelihood of detection
Use this to focus on the most critical areas
What Do I Need?
What Do I Need?
A fully tested Infrastructure
A fully documented Infrastructure
A full set of “workable” processes and procedures
An ongoing compliance maintenance framework
Buy in from senior management
How Do I Get There?
Documentation: A Warning!
As with everything else in the Compliance world, documentation is key
Attaining a compliant Infrastructure can simply be considered as documented Good IT Practice:
ITIL
CoBIT
MOF
Most organisations know the right things to do
Most organisations are doing them (to some extent)
Not all organisations have documented them
ITSM Areas for Process and Procedure
General Management
Data Centre Management
Platform Management
Server Management
Network Management
Client Management
Security Management
Data Management
Quality Management
Continuity Management
Best Practice Or Controls?
What Do Control Frameworks Have In Common?
They possess Business Focus: aligning IT with the business needs
They have Process Orientation: thus ensuring ownership and organisation of processes
There is General Acceptability: backed up by proven best practices (through frameworks)
They possess a Common Language: an accepted terminology used by business & suppliers
They help meet Regulatory Requirements: by meeting compliance with an accepted framework
Why Do We Use Control Frameworks?
They already exist, thus no need to reinvent the wheel
They are structured and easy to apply
They are derived from best practice
They are the result of knowledge sharing
They are ultimately auditable
CoBIT
CoBIT supports IT Compliance by providing a framework, which can ensure that:
The IT strategy is aligned with the business
IT acts as an enabler for the business and maximises its benefits
IT resources are utilised both responsibly and effectively
IT risks are managed and mitigated appropriately
IT Infrastructure Library (Ver 3)
ITIL is a Best Practice Framework
ITIL Philosophy – Scalable, Process driven approach
ITIL provides “best practice” guidelines and architectures to ensure that IT processes are closely aligned to business processes and that IT delivers the correct and appropriate business solution
Infrastructure and Service are not separate entities
Which Do I Use??
How Does CoBIT & ITIL Fit In?
CoBIT focuses on getting the “what is needed” right, without touching on the “how will we do it”
CoBIT helps to introduce a management perspective of Controls, as it operates at a level above the IT technology and possesses business focus
ITIL is the next level down, determining “how will we do it”
ITIL is the operational perspective of controls, operating at the Technology level, and possesses service focus
How It All Fits Together
[Diagram, labels only: Drivers: PERFORMANCE (Business Goals) and CONFORMANCE (FDA Reg’s, MHRA, SOX etc.); IT Governance; Best Practice Standards: ISO 9001:2000, ISO 27001, ISO 20000; Processes and Procedures: QA Procedures, COBIT, Security Principles, ITIL]
How do I Keep it Compliant??
Periodic Review And Critical Processes
All critical activities should be included in a Periodic Review Strategy:
Initial Qualification Activities
On-going maintenance and support activities
Periodic Reviews can be conducted internally, but inspection observations have set an expectation that the independent quality group should play an appropriate oversight role
Periodic Review And Critical Processes (cont.)
Policies should define appropriate roles for IT and Quality
Processes and Procedures should be interlinked, with defined roles, e.g. Disaster Recovery relies on Configuration Management, which is related to Change Management
There should be a consistent set of processes
There Must be Evidence of Control & Adherence to These Processes!!
Conclusions
We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements by:
Adopting a Risk Based Approach to Compliance
Adopting and implementing a best practice framework
– CoBIT
– ITIL
Introducing a systematic approach to the initial testing of components, based on their use and criticality
Introducing an ongoing approach to the testing of components, based on the previous testing of their type
Introducing an ongoing compliance program
Thank You!
Questions/Comments
+44(0)7891 343814
+44(0)118 931 0249