
Qualification Guideline for Microsoft Office 365

June 2013

Qualification Guideline for Microsoft Office 365

© 2013 Montrium Inc. Page 2 of 74

Document MTM-O365-GDE-01 Revision 01


This document is meant as a reference to Life Science companies in regards to the Microsoft O365 platform. Montrium does not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated within Office 365 in accordance with this document will be acceptable to regulatory authorities.

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Limitation of Liability:

In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages, whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in connection with the use of this information.



Michael Zwetkow, VP Operations, Montrium Inc.

Stephanie Tanguay, Quality Assurance Manager, Montrium Inc.

Paul Fenton, CEO, Montrium Inc.

Gabrielle Soucy, Sr. Business Analyst, Montrium Inc.



Over the last few years, Microsoft has paid an increasing amount of attention to a couple of key concepts that are represented in this whitepaper: compliance and the cloud. Together these concepts represent a fairly radical departure from normal business. By enabling cloud technologies, which provide an ease of use and ease of implementation, with compliance, which provides the ability to work with information in a regulatory compliant fashion, the implementing party may find the best of both worlds. This set of guideline whitepapers shows how Microsoft is committed to cloud and compliance, spanning Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), a relatively unique combination of technologies and commitment to compliance. At the end of the day these are qualification guidelines and do not represent any guarantees from Microsoft that your processes can be validated in any of the environments discussed or against any of the regulations or standards discussed. Yet when paired with the documentation referred to herein along with customer evidence, these guidelines offer customers a starting point for their own “compliance in the cloud” efforts, a starting point that may be furthered by the expertise Montrium has demonstrated in producing these guidelines.

Mohamed Ayad, Cloud Solution Specialist

Les Jordan, Chief Technology Strategist

Health & Life Sciences Industry Unit, Microsoft


Executive Summary

The purpose of this document is to assist Microsoft’s life science customers in establishing a qualification strategy for the Microsoft Office 365 (O365) software service. This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex 11 Computerised Systems (Annex 11).

The intended audience for this guideline is any regulated customer within the life sciences industry aiming to use the O365 platform to run GxP regulated applications. It is assumed that these regulated applications will support GxP activities and produce and/or manage electronic records.

Traditionally, GxP computerized systems have been deployed on specific servers, either directly or through the use of virtual machines. This underlying hardware was usually qualified, managed and specifically identified as being part of a specific instance of a GxP computerized system. With cloud computing this paradigm changes slightly. The O365 software solution is composed of many hardware and software components which all fall under the same controls that have been identified in this guideline. Each time a new customer instance of O365 is commissioned, it is done using the same controlled process and standards. When considering public cloud-based systems, it is important to view the whole public cloud as one system upon which we are able to install and run GxP computerized systems and applications. This guideline will help companies achieve this by providing references to the 21 CFR Part 11 controls that are present within the O365 environment and that should be identified in customer qualification documentation.

Microsoft’s GFS and O365 platform services have undergone SSAE 16 Service Organization Control (SOC) audits and are also certified according to ISO/IEC 27001:2005 standards. Although these standards do not specifically focus on regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11. Montrium has therefore decided to leverage the reports produced by independent third-party SSAE and ISO auditors to identify the procedural and technical controls established at Microsoft that could be used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit reports were generated by qualified third-party auditors and that all information contained within the reviewed audit reports was objective and accurate at the time of the audits. It is expected that customers will perform an independent analysis and verification of relevant regulatory requirements to determine if the GxP applications deployed on O365 are fit for their intended purpose. The customer must also ensure that the GxP application systems will be sufficiently documented and validated to further demonstrate compliance.

Microsoft Office 365 (O365) is a subscription-based software service hosted by the Global Foundation Services (GFS) group within Microsoft-managed data centers. GFS delivers the core infrastructure and foundation technologies for Microsoft's Online Services environment. The services included as part of O365 are Microsoft SharePoint Online, Microsoft Exchange Online, Microsoft Lync Online and Microsoft Forefront Online Protection for Exchange. This guideline focuses on the Microsoft SharePoint Online service, which is the only O365 service which, when configured appropriately, provides the ability to manage electronic records in a manner that could satisfy applicable regulatory requirements. The O365 platform is classified as a public, off-premise, third-party managed solution which is offered via the SaaS cloud service model. From the perspective of a regulated user (customer), Microsoft Office is considered to be Category 4 – Configured Product as defined in GAMP5®. O365 is considered to be an “open system” per 21 CFR Part 11; therefore additional measures, such as encryption, should be employed to further secure information stored within or transiting from the system. It should be noted that only certain versions of O365 are able to meet the 21 CFR Part 11 requirements for open systems.

Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of data stored on O365 and correspond to the applicable regulatory requirements defined in 21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is responsible for ensuring that O365 meets the terms defined within the governing Service Level Agreements (SLA).

In addition to ensuring that computerized systems have the relevant technical controls outlined in the assessment contained within the guideline, the customer is also responsible for ensuring adequate procedural controls governing the use of the GxP computerized system are in place. These procedural controls should cover the technical aspects of system management, including but not limited to logical security, user management, data backup and disaster recovery. There should also be procedural controls relating to the operation of the GxP computerized system. The customer should determine the GxP requirements that apply to the computerized system based on its intended use and follow internal procedures governing qualification and/or validation processes to demonstrate that the GxP requirements are met.

In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural and technical controls that Microsoft has implemented could ser