Qualification Guideline - Microsoft Azure


  • QUALIFICATION GUIDELINE

    Qualification Guideline for Microsoft Azure

    June 2014

  • Qualification Guideline for Microsoft Azure

    Montrium Inc.

    Page 2 of 79

    Document No. MTM-MST-GDE-01 Revision 03

    Disclaimer:

    This document is meant as a reference to Life Science companies in regards to the Microsoft Azure platform. Montrium does not warrant that the use of the recommendations contained herein will result in a qualified system or that a system validated on Azure in accordance with this document will be acceptable to regulatory authorities.

    This document is provided as-is. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

    Limitation of Liability:

    In no event shall Montrium or any of its affiliates or the officers, directors, employees, members, or agents of each of them, be liable for any damages of any kind, including without limitation any special, incidental, indirect, or consequential damages, whether or not advised of the possibility of such damages, and on any theory of liability whatsoever, arising out of or in connection with the use of this information.


    Authors

    Michael Zwetkow, VP Operations, Montrium Inc.

    Stephanie Tanguay, Quality Assurance Manager, Montrium Inc.

    Paul Fenton, CEO, Montrium Inc.

    Gabrielle Soucy, Sr. Business Analyst, Montrium Inc.


    Foreword

    Over the last few years, Microsoft has undertaken a major transformational effort to adopt a cloud-first agile approach to delivering its software and services. There is increasing demand from our customers to adopt our technologies and our Azure platform to take their businesses to the cloud. However, to refer to a popular movie, with great power comes great responsibility. Cloud technologies will not be able to fulfill their promise if they are not based on the premise of trust. In order to run a trustworthy service, our cloud platform must meet the most stringent internationally recognized compliance standards, and our own internal safety and security standards.

    This guideline is part of a set of white papers designed to demonstrate Microsoft's strong commitment to cloud and compliance, spanning the entire cloud continuum of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).

    At the end of the day, these are qualification guidelines and do not represent any guarantees from Microsoft that your processes can be validated in any of the environments discussed or against any of the regulations or standards discussed. Just like with on premise systems, the burden of validation remains with the customer. That has not changed, as the spirit of the regulatory guidelines must be preserved. However, when paired with the documentation referred to herein along with customer evidence, these guidelines offer customers a starting point for their own compliance in the cloud efforts, a starting point that may be furthered by the expertise Montrium has demonstrated in producing these guidelines.

    Gabor Fari, Director, Business Development and Strategy
    Mohamed Ayad, Cloud Solution Specialist
    Health & Life Sciences Industry Unit
    Microsoft Corporation
    June 2014


    Executive Summary

    The purpose of this document is to assist Microsoft's life science customers in establishing a qualification strategy for Microsoft Azure. This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulatory requirements of FDA 21 CFR Part 11 Electronic Records; Electronic Signatures (21 CFR Part 11) and EudraLex Volume 4 - Annex 11 Computerised Systems (Annex 11).

    The intended audience for this guideline is any regulated customer within the life sciences industry, aiming to use the Azure platform to host GxP regulated computerized systems. It is assumed that these regulated systems will support GxP activities and produce and/or manage electronic records.

    Microsoft Azure is a cloud services operating system that serves as the development, service hosting and service management environment for the Azure platform. The Azure platform is classified as a public, off-premise, third-party managed solution which encompasses both Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) cloud service models. From the perspective of a regulated user (customer), the Azure platform is considered to be Category 1 Infrastructure Software as defined by GAMP5.

    Traditionally, GxP computerized systems have been deployed on specific servers either directly or through the use of virtual machines. This underlying hardware was usually qualified, managed and specifically identified as being part of a specific instance of a GxP computerized system. With cloud computing this paradigm changes slightly. The Azure platform is composed of many hardware and software components which all fall under the same controls that have been identified in this guideline. Each time a new server or virtual machine is commissioned within the Azure platform, it is done using the same process and standards. When considering public cloud based systems, it is important to view the whole public cloud as one system upon which we are able to install and run GxP computerized systems. Azure's high availability features could be leveraged as part of the customer's risk-based qualification strategy as a means of mitigating risks surrounding management of underlying infrastructure hardware. When the system is configured for high availability, the Azure Fabric Controller effectively renders the hardware into a commodity and minimizes the risk associated with physical machine failure, whether it is caused by faulty hardware, improper installation or as a result of a change to infrastructure.

    This guideline will help companies develop a qualification strategy by providing references to the 21 CFR Part 11 controls that are present within the Azure platform and that should be identified in customer qualification documentation.

    Microsoft Azure platform services have undergone SSAE 16 (SOC 1 and SOC 2) audits and are certified according to ISO/IEC 27001:2005 standards. Although these standards do not specifically focus on regulatory compliance, their objectives are very similar to those of 21 CFR Part 11 and Annex 11. Montrium has therefore decided to leverage the reports produced by independent third party SSAE and ISO auditors to identify the procedural and technical controls established at Microsoft that could be used to satisfy the requirements of 21 CFR Part 11 and Annex 11. It was assumed that these audit reports were generated by qualified third party auditors and that all information contained within the reviewed audit reports was objective and accurate at the time of the audits. It is expected that customers will perform an independent analysis and verification of relevant regulatory requirements to determine if the computerized system supporting GxP activities installed within the Azure platform is fit for its intended purpose. The customer must also ensure that the GxP computerized system will be sufficiently documented and validated to further demonstrate compliance.

    Audited controls implemented by Microsoft serve to ensure confidentiality, integrity and availability of data stored on the Azure platform and correspond to the applicable regulatory requirements defined in 21 CFR Part 11 and Annex 11 that have been identified as the responsibility of Microsoft. Microsoft is responsible for ensuring that the Azure platform meets the terms defined within the governing Service Level Agreements (SLA). When new virtual machines (VM) are deployed within the Azure Platform, they are created using the default configuration established by Microsoft. Microsoft is responsible for ensuring the deployed VMs are capable of meeting the specifications and the terms of the SLA(s).

    In addition to ensuring that computerized systems have the relevant technical controls outlined in the assessment contained within the guideline, the customer is also responsible for ensuring adequate procedural controls governing the use of the GxP computerized system are in place. These procedural controls should cover the technical aspects of system management, including but not limited to logical security, user management, data backup and recovery and disaster recovery. There should also be procedural controls relating to the operation of the GxP computerized system. The customer should determine the GxP requirements that apply to the computerized system based on its intended use and follow internal procedures governing qualification and/or validation processes to demonstrate that the GxP requirements are met.

    In conclusion, following the assessment performed by Montrium, it is felt that the audited procedural and technical controls that Microsoft has implemented could serve to demonstrate that the Azure platform is being maintained in a state of control that is in accordance with the applicable regulatory requirements. Moreover, the customer may leverage the audited controls described in this document and related audit reports as part of the risk analysis and qualification effort of their GxP computerized system installed on the Azure platform.


    Table of Contents

    Authors
    Foreword
    Executive Summary
    Table of Contents
    1 Introduction
        1.1 Purpose
        1.2 Key Definitions
        1.3 Audience and Scope
        1.4 Methodology
        1.5 Assumptions
        1.6 Glossary
    2 System Description
        2.1 Microsoft Azure Overview
        2.2 Microsoft Azure High Availability Features
        2.3 Global Foundation Services
        2.4 GAMP5 Category
        2.5 FDA Classification Open System vs Closed System
        2.6 Microsoft Audits and Certifications
        2.7 Microsoft Controls
    3 Qualification Approach
        3.1 GAMP Qualification Phases
        3.2 Qualification Activities and Responsibilities
        3.3 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment
        3.4 EudraLex Volume 4 Annex 11 Computerised Systems Compliance Assessment
    4 Conclusion
    5 References
    6 Appendices
        Appendix A - Recommended Procedures / Policies
        Appendix B - Supplementary Information


    1 Introduction

    1.1 Purpose

    The purpose of this document is to assist Microsoft's life science customers in establishing a qualification strategy for Microsoft Azure. The guidance provided within this document is based on the assumption that Microsoft's customers will utilize these services to host GxP computerized systems.

    This guideline identifies the responsibilities shared by Microsoft and its customers for meeting the regulations specified within Section 1.2. A summary is provided of the procedural and technical controls which govern the Azure platform services and that can be leveraged by the regulated user (customer) to demonstrate compliance with applicable regulatory requirements. Also summarized within this guideline are recommended activities and controls that should be established by customers in order to qualify and maintain control over the GxP computerized systems installed on the Azure platform.

    The qualification approach outlined within this guideline is based on industry best practices with an emphasis on the concepts presented and described within ISPE's GAMP series of Good Practice Guides (Ref. [8] & Ref. [9]) and PIC/S PI 011-3 "Good Practices for Computerised Systems in Regulated GxP Environments" (Ref. [14]).

    1.2 Key Definitions

    1.2.1 GxP computerized system

    A GxP computerized system is defined as a software application that will support activities and records governed by regulations pertaining to GLP, GCP and GMP environments.

    1.2.2 Customer

    Within the context of this guideline, the customer is defined as any person or persons using a GxP computerized system hosted on the Azure platform, who are responsible for the content of the electronic records produced and/or managed within the GxP computerized system.

    1.2.3 Customer Data on Storage

    As per the Microsoft Azure Privacy Statement (Ref. [15]), "Customer Data is all the data, including all text, sound, software or image files that you provide, or are provided on your behalf, to us through your use of the Services." For example, Customer Data on Storage includes data that customers upload for storage or processing in the Azure platform services, and applications that the customer or the customer's end users upload for hosting in the Services. Customer Data on Storage does not include configuration or technical settings and information. Microsoft does not monitor or approve the applications that customers deploy to the Azure platform.

    Microsoft does not claim ownership of the Data on Storage. The Microsoft Azure Agreement (Ref. [16]) states: "Except for Software we license to you, as between the parties, you retain all right, title and interest in and to Customer Data. We acquire no rights in Customer Data, other than the right to host Customer Data on Microsoft systems, including the right to use and reproduce Customer Data within Microsoft systems solely for such hosting purposes." Data security beyond the access control mechanisms, including but not limited to fine-grain access controls or encryption, is the responsibility of the customer.

    1.2.4 Windows Azure and Microsoft Azure

    On March 25, 2014, Microsoft announced that Windows Azure was renamed Microsoft Azure starting on April 3, 2014 (Ref. [17]). Several references used to create this document were created before the name change occurred and refer to Windows Azure. Throughout this document, the terms "Windows Azure", "Microsoft Azure", "Azure platform", and "Azure" are used interchangeably.

    1.3 Audience and Scope

    The intended audience for this guideline is any regulated customer within the life sciences industry, aiming to use the Azure platform to host GxP regulated computerized systems. It is assumed that these regulated systems will support GxP activities and produce and/or manage electronic records. The specific GxP activities performed within the customer's GxP computerized systems are not addressed in this guidance document, as the customer is responsible for defining the requirements and evaluating the risk associated with each GxP computerized system installed within the Azure platform.

    The regulations within the scope of this qualification guidance document are limited to the following:

      • FDA 21 CFR Part 11 Electronic Records; Electronic Signatures - Subpart A and B (Sec 11.10 and Sec 11.30) (Ref. [7]) ¹
      • EudraLex Volume 4 - Annex 11 Computerised Systems (Ref. [10]) ²

    The Azure platform components which are within scope of this guideline are:

      • Cloud Services (comprised of stateless Web, Worker and VM roles)
      • Storage (includes Blobs, Queues, and Tables)
      • Networking (includes Traffic Manager, Microsoft Azure Virtual Network)
      • Virtual Network
      • Virtual Machines

    This guideline also covers the underlying infrastructure components provided by the Global Foundation Services group upon which the Azure platform is delivered to Microsoft customers.

    ¹ 21 CFR Part 11 subparts related to electronic signatures are out of scope for this guide, as Microsoft does not provide electronic signature functionality as part of the above services.

    ² Although EudraLex Volume 4 Annex 11 specifically discusses GMP systems, it is generally accepted in industry that the same principles are for the most part applicable to GCP and GLP systems.

    1.4 Methodology

    Microsoft Azure services have undergone SSAE 16 Service Organization Control (SOC) audits and are also certified according to ISO/IEC 27001:2005 standards (see Section 2.6). Montrium has leveraged the reports produced by independent third party auditors to identify procedural and technical controls established at Microsoft which could be used to satisfy regulatory requirements within US FDA 21 CFR Part 11 (Ref. [7]) and EudraLex Volume 4 - Annex 11 (Ref. [10]). These controls are described in detail in Section 2.7. Montrium based the analysis on the ISO and SSAE 16 standards, as they have similar objectives to 21 CFR Part 11 and EudraLex Volume 4 Annex 11 in relation to controls for computerized systems.

    The qualification approach described in Section 3 summarizes the activities and responsibilities shared between the regulated user (customer) and the cloud service provider (Microsoft) to qualify the system against the relevant regulatory requirements. A detailed assessment (see Sections 3.2.2 and 3.4) was performed on each regulatory requirement to interpret how compliance could be achieved within the context of a hosted GxP computerized system installed on the Azure platform. The assessment described the responsibilities of the customer and Microsoft, as well as the activities, documentation and controls (technical/procedural) that are required to meet the regulatory requirement.

    1.5 Assumptions

    The contents of this document are based on these assumptions:

      • Audit reports listed in Section 2.6 were generated by qualified third party auditors.
      • All information contained within the reviewed audit reports was objective and accurate at the time of the audits.
      • Customers will perform an independent analysis and verification of related regulatory requirements to determine if the computerized system(s) supporting GxP activities installed within the Azure platform is fit for its intended purpose.
      • The GxP computerized system will be sufficiently documented and validated by the customer to demonstrate compliance with all applicable regulations.


    1.6 Glossary

    | Term | Definition |
    |---|---|
    | AICPA | American Institute of Certified Public Accountants |
    | CFR | Code of Federal Regulations |
    | Closed System | An environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system. (Ref. [6]) |
    | Cloud Infrastructure as a Service (IaaS) | The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls). (Ref. [11]) |
    | Cloud Platform as a Service (PaaS) | The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations. (Ref. [11]) |
    | Computerized System | Includes hardware, software, peripheral devices, personnel, and documentation; e.g., manuals and Standard Operating Procedures. (Ref. [21]) |
    | Customer | Microsoft Azure user using the platform for GxP regulated activities. |
    | CV | Curriculum Vitae |
    | Electronic Record | Any combination of text, graphics, data, audio, pictorial, or other information representation in digital form that is created, modified, maintained, archived, retrieved, or distributed by a computer system. (Ref. [11]) |
    | FDA | United States Food and Drug Administration |
    | GAMP | Good Automated Manufacturing Practice |
    | GCP | Good Clinical Practice |
    | GFS | Global Foundation Services |
    | GLP | Good Laboratory Practice |
    | GMP | Good Manufacturing Practice |
    | GxP | Compliance requirements for all good practice disciplines in the regulated pharmaceutical sector supply chain from discovery to post marketing. (Ref. [14]) |
    | IaaS | Infrastructure as a Service |
    | ICFR | Internal Control over Financial Reporting |
    | IEC | International Electrotechnical Commission |
    | IQ | Installation Qualification |
    | ISO | International Organization for Standardization |
    | ISPE | International Society of Pharmaceutical Engineers |
    | IT | Information Technology |
    | NDA | Non-Disclosure Agreement |
    | NIST | National Institute of Standards and Technology |
    | O/S | Operating System |
    | Open System | An environment in which system access is not controlled by persons who are responsible for the content of electronic records that are on the system. (Ref. [6]) |
    | OQ | Operational Qualification |
    | PaaS | Platform as a Service |
    | PIC/S | Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme |
    | Procedure | The term procedure within the context of this document refers to any approved and effective controlled document governing specific processes (i.e. Policy, SOP, Standard, Guide, Work Instruction). |
    | SAS | Statement on Auditing Standards |
    | SDLC | Software Development Lifecycle |
    | SLA | Service Level Agreement |
    | SMAPI | System Management Application Program Interface |
    | SOC | Service Organization Controls |
    | SOP | Standard Operating Procedure |
    | SSAE | Statement on Standards for Attestation Engagements |
    | SSL | Secure Sockets Layer |
    | STB | Microsoft Server and Tools Business |
    | TSP | Trust Services Principles |
    | VM | Virtual Machine |
    | VPN | Virtual Private Network |


    2 System Description

    2.1 Microsoft Azure Overview

    Microsoft Azure is a cloud services operating system that serves as the development, service hosting and service management environment for the Azure platform. Microsoft Azure provides developers with on-demand compute and storage to host, scale, and manage web applications on the Internet through Microsoft data centers.

    The Azure platform is classified as a public, off-premise, third-party managed solution which encompasses both IaaS and PaaS cloud service models (see NIST definition in Section 1.6). The IaaS service model includes the infrastructure resources from the facilities to the hardware platforms and virtual machines that reside in them. The PaaS service model adds an additional layer of integration with application development frameworks, middleware capabilities and functions such as database, messaging and queuing. The PaaS services allow developers to build and deploy applications on the platform with programming languages and tools that are supported by the resource stack.

    Figure 1 depicts which party (Microsoft or Customer) is responsible for managing the various components of the platforms based on both cloud service models.

    Figure 1 Cloud Service Models (based on Ref. [18])

    The Azure team is part of the Microsoft Server and Tools Business (STB) group, which maintains the Azure platform. The Microsoft Global Foundation Services group administers the physical infrastructure on which the Azure platform runs and data is stored. Customers provide and manage the GxP computerized systems and data that are deployed on the Azure platform.


    2.2 Microsoft Azure High Availability Features

    High availability is an important feature of the Azure platform, which contributes to its overall

    benefit and may have an impact on the qualification strategy for the GxP computerized systems

    hosted on the Azure platform.

    Microsoft defines a highly available application as one which absorbs fluctuations in availability,

    load, and temporary failures in the dependent services and hardware. The application continues

    to operate at an acceptable user and systemic response level as defined by business requirements

    or application service level agreements. Depending on the service model being used, IaaS vs PaaS,

    Azure offers several features via the Azure Fabric Controller to provide high availability of its

    services. The concepts around the Azure Fabric Controller and the High Availability features are

    summarized within Disaster Recovery and High Availability for Azure Applications (Ref. [19]) and

    Azure Business Continuity Technical Guidance (Ref. [20]).

    When using one of the Azure PaaS cloud services, the Fabric Controller verifies the status of the

    hardware and software of the host and guest machine instances. When it detects a failure, it

    enforces SLAs by automatically relocating the compute instances. When multiple role instances

    are deployed, Azure deploys these instances to different fault domains, which are essentially

    different hardware racks in the same data center. Fault domains reduce the probability that a

    localized hardware failure will interrupt the service of an application.

    In order to achieve high availability with virtual machines (VMs) which are provisioned as part of

    the Azure IaaS service model, the VMs must be configured to use Availability Sets. Within an

    Availability Set, Azure positions the virtual machines in a way that prevents localized hardware

    faults and maintenance activities from bringing down all of the machines in that group. Putting

    two or more VMs in Availability Sets guarantees that the VMs are spread across multiple racks in

    the Azure Data Centers, which means they will have redundant power supplies, switches and

    servers. Grouping VMs in Availability Sets also provides the Azure Fabric Controller with the

    information it needs to intelligently update the host operating system that the guest VMs are

    running on, so that they are not updated at the same time.

    The above features are mentioned in this guideline as they could be leveraged as part of the

    customers risk based qualification strategy as means of mitigating risks surrounding management

    of underlying infrastructure hardware. When the system is configured for high availability, the

    Azure Fabric Controller effectively renders the hardware into a commodity and minimizes the risk

    associated with physical machine failure whether it is caused by faulty hardware, improper

    installation or as a result of a change to infrastructure. By continuously monitoring key

    infrastructure component parameters, the Fabric Controller is able to detect faults that occur

    and automatically redistribute the load to other resources. The customer is responsible for

    ensuring the Availability Sets are configured properly in order to mitigate the risk surrounding

    hardware installation, upgrade and fault management.
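
    The customer-side check described above can be automated as an installation verification test. The following is an added example, not part of the original guideline or of any Microsoft tooling; the inventory format, field names and finding codes are assumptions, and the sample data is constructed. It groups VMs by GxP system and tier and flags tiers that have fewer than two instances, VMs outside an Availability Set, or instances that share a single fault or upgrade domain.

```python
from collections import defaultdict

# Constructed sample inventory. This is NOT an Azure API response format:
# the field names are assumptions for this example, standing in for whatever
# export the customer produces from their subscription.
SAMPLE_INVENTORY = [
    # EDMS web tier: two VMs, same set, different domains -> expected to pass
    {"name": "edms-web-01", "system": "EDMS", "tier": "web",
     "availability_set": "edms-web-as", "fault_domain": 0, "upgrade_domain": 0},
    {"name": "edms-web-02", "system": "EDMS", "tier": "web",
     "availability_set": "edms-web-as", "fault_domain": 1, "upgrade_domain": 1},
    # EDMS app tier: second VM was never added to the Availability Set
    {"name": "edms-app-01", "system": "EDMS", "tier": "app",
     "availability_set": "edms-app-as", "fault_domain": 0, "upgrade_domain": 0},
    {"name": "edms-app-02", "system": "EDMS", "tier": "app",
     "availability_set": None, "fault_domain": None, "upgrade_domain": None},
    # EDMS database tier: only one instance deployed
    {"name": "edms-db-01", "system": "EDMS", "tier": "db",
     "availability_set": "edms-db-as", "fault_domain": 0, "upgrade_domain": 0},
    # LIMS web tier: same set, but both VMs report the same upgrade domain
    {"name": "lims-web-01", "system": "LIMS", "tier": "web",
     "availability_set": "lims-web-as", "fault_domain": 0, "upgrade_domain": 2},
    {"name": "lims-web-02", "system": "LIMS", "tier": "web",
     "availability_set": "lims-web-as", "fault_domain": 1, "upgrade_domain": 2},
]


def check_tier(vms):
    """Return a list of findings for the VMs that make up one tier."""
    findings = []

    # High availability requires two or more instances.
    if len(vms) < 2:
        findings.append("FEWER_THAN_TWO_INSTANCES")

    # Every VM in the tier must belong to an Availability Set.
    unassigned = sorted(vm["name"] for vm in vms if not vm.get("availability_set"))
    if unassigned:
        findings.append("NOT_IN_AVAILABILITY_SET:" + ",".join(unassigned))

    # All instances of a tier must share the same Availability Set.
    sets = {vm["availability_set"] for vm in vms if vm.get("availability_set")}
    if len(sets) > 1:
        findings.append("SPLIT_ACROSS_SETS:" + ",".join(sorted(sets)))

    # Placement is only meaningful to compare within a single shared set.
    placed = [vm for vm in vms if vm.get("availability_set")]
    if len(placed) >= 2 and len(sets) == 1:
        if len({vm["fault_domain"] for vm in placed}) < 2:
            findings.append("SINGLE_FAULT_DOMAIN")
        if len({vm["upgrade_domain"] for vm in placed}) < 2:
            findings.append("SINGLE_UPGRADE_DOMAIN")

    return findings


def verify_inventory(inventory):
    """Group VMs by (system, tier) and check each group."""
    tiers = defaultdict(list)
    for vm in inventory:
        tiers[(vm["system"], vm["tier"])].append(vm)
    return {key: check_tier(vms) for key, vms in sorted(tiers.items())}


def format_report(results):
    """Render results as one PASS/FAIL line per tier, suitable as test evidence."""
    lines = []
    for (system, tier), findings in results.items():
        status = "PASS" if not findings else "FAIL (" + "; ".join(findings) + ")"
        lines.append(f"{system}/{tier}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(verify_inventory(SAMPLE_INVENTORY)))
```

    The report output can be attached to the installation qualification record and re-run during periodic reviews to show that the configuration has not drifted.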


    2.3 Global Foundation Services

    Global Foundation Services delivers the core infrastructure and foundation technologies for

    Microsoft's Online Services environment. As described within the SOC 2 report (Ref. [2]), the GFS

    operational infrastructure services include the following:

    • Engineering and operations for core infrastructure (networking, directory services, access services, data retention and backup, hardware and software procurement, physical and environmental controls);

    • Deployment, hosting and data center services;

    • Service support, monitoring and escalation;

    • Information security management and compliance monitoring.

    2.4 GAMP5 Category

    From the perspective of a regulated user (customer), the Azure platform may be considered

    Software Category 1 - Infrastructure Software, as defined in GAMP5 (Ref. [8]). Infrastructure

    Software refers to components linked together within a unified environment allowing the

    installation and management of applications and services. This category contains two types of

    software: established or commercially available layered software (e.g. operating systems,

    database managers, programming languages, etc.) and infrastructure software tools (e.g.

    network monitoring software, batch job scheduling tools, security software, anti-virus and

    configuration management tools).

    The virtual servers on which customers would install the GxP computerized system in the

    context of the IaaS service model could be considered Hardware Category 1 - Standard

    Hardware Components, as defined in GAMP5 (Ref. [8]).

    2.5 FDA Classification - Open System vs. Closed System

    While Microsoft is not directly responsible for the electronic records contained within the Azure

    platform, it is responsible for maintaining the Azure platform. In addition, Microsoft configures

    the Azure platform infrastructure and establishes access control requirements for logical and

    physical security. The Azure platform is therefore considered to be open (refer to definition in

    Section 1.6). The FDA requires open systems to meet additional requirements, such as

    encryption, as defined in 21 CFR Part 11.30 (Ref. [7]). The customer should evaluate any GxP

    computerized system deployed on the Azure platform to determine whether it should be

    considered an open or closed system per 21 CFR Part 11 and whether additional controls /

    procedures need to be implemented as a result of the evaluation.


    2.6 Microsoft Audits and Certifications

    The following table lists the formal audit reports prepared by third parties which were reviewed

    by Montrium in order to identify relevant controls which have a potential impact on compliance

    with the 21 CFR Part 11 (Ref. [7]) and Annex 11 (Ref. [10]) regulations. Existing Microsoft

    customers may request access to these reports subject to NDA terms and conditions, through

    their respective Microsoft account representatives.

    Audit Type              Date                 Reference No.
    SOC 1 Type II           July 1, 2013         Ref. [1]
    SOC 2 Type II           July 1, 2013         Ref. [2]
    ISO/IEC 27001:2005 *    November 14, 2011    Ref. [3]
    ISO/IEC 27001:2005 *    November 2013        Ref. [4] and Ref. [5]

    * Both ISO/IEC 27001:2005 reports from 2011 and 2013 were included in this guideline because

    their scopes cover different ISO controls that are relevant to this effort.

    2.6.1 ISO/IEC 27001:2005 Certification

    ISO/IEC 27001:2005 specifies the requirements for establishing, implementing, operating,

    monitoring, reviewing, maintaining and improving a documented Information Security

    Management System within the context of the organization's overall business risks. It specifies

    requirements for the implementation of security controls customized to the needs of individual

    organizations or parts thereof.

    Microsoft Azure core services (Compute, Storage, Virtual Network and Virtual Machines) are

    ISO/IEC 27001:2005 certified.

    Included in the above are Microsoft Azure service management features and the Microsoft

    Azure Management Portal, as well as the information management systems used to monitor,

    operate, and update these services.

    ISO/IEC 27001:2005 certifications for Microsoft Azure and Global Foundation Services can be

    found by clicking on the following links:

    Azure ISO/IEC 27001:2005 certificate

    GFS ISO/IEC 27001:2005 certificate

    2.6.2 SOC Service Audit Reports

    Service Organization Controls (SOC) reports are designed by the American Institute of Certified

    Public Accountants (AICPA) to help service organizations that operate information systems and

    provide information system services to other entities build trust and confidence in their service

    delivery processes and controls through a report by an independent Certified Public Accountant.


    SOC 1 Service Auditor's Reports are conducted in accordance with the professional standard

    known as Statement on Standards for Attestation Engagements (SSAE) No. 16. SOC 1 reports are

    geared towards reporting on controls at service organizations that are relevant to internal

    control over financial reporting (ICFR), and replace the SAS 70 auditing standard.

    The Azure platform has been audited by independent third party auditors to generate a SOC 1

    Service Auditor's Report which examined the following Azure features:

    • Cloud Services (formerly Compute; comprised of stateless Web, Worker and VM roles)

    • Storage (includes Blobs, Queues, and Tables)

    • Networking (includes Traffic Manager, Connect and Virtual Network)

    SOC 2 Service Auditor's Reports are also conducted in accordance with the professional

    standard of SSAE 16. SOC 2 reports are intended to meet the needs of a broad range of users

    that need to understand internal control at a service organization as it relates to security,

    availability, processing integrity, confidentiality and privacy and are intended for use by

    stakeholders (e.g., customers, regulators, business partners, suppliers, directors) of the service

    organization that have a thorough understanding of the service organization and its internal

    controls.

    The SOC 2 framework is a comprehensive set of criteria known as the Trust Services Principles

    (TSP) which are composed of the following five (5) sections:

    • The security of a service organization's system;

    • The availability of a service organization's system;

    • The processing integrity of a service organization's system;

    • The confidentiality of the information that the service organization's system processes or maintains for user entities;

    • The privacy of personal information that the service organization collects, uses, retains, discloses, and disposes of for user entities.

    The GFS services group has also undergone a SOC 2 audit to examine the suitability of the design

    and operating effectiveness of controls to meet the criteria for the security principle set forth in

    TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing

    Integrity, Confidentiality, and Privacy (Ref. [12]).


    2.7 Microsoft Controls

    This section describes the audited controls implemented by Microsoft which serve to ensure

    confidentiality, integrity and availability of data stored on the Azure platform. These controls are

    also referenced within the compliance assessment sections (see Sections 3.2.2 and 3.4), where

    they respond to applicable regulatory requirements.

    2.7.1 Security Policies and Procedures

    The SOC 1 audit reported that Microsoft implemented an Information Security Policy which

    addresses security, availability and confidentiality for Azure. Procedural controls are in place to

    support the policy. The Information Security Policy is implemented and communicated to the

    applicable employees.

    The SOC 1 and SOC 2 audits reported that the security policies are established, periodically

    reviewed and approved by a designated individual or group.

    2.7.2 Physical and Environmental Security

    Microsoft has been audited to verify that proper physical security controls are established to

    protect the physical assets forming the foundation of the Azure platform. The SOC 1 audit

    reported that policies and procedures provide reasonable assurance that systems and data are

    protected against unauthorized physical access and environmental threats.

    The following activities/controls were audited in relation to physical security:

    • Data Center Services;

    • Physical Security (Access);

    • Access Controls (Technological/Biometric);

    • Data Center Security Personnel;

    • Security Surveillance;

    • Emergency Power, Facility and Environmental Protection.

    The SOC 2 audit reported that the GFS services group has implemented procedures to restrict

    physical access to the infrastructure elements including, but not limited to:

    • Facilities;

    • Backup media;

    • Firewalls;

    • Routers;

    • Servers.

    The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking

    and monitoring physical infrastructures and services, as well as a documented methodology for

    determining the asset security level.


    2.7.3 Logical Security

    The SOC 1 audit reported that Microsoft has implemented several logical security controls to

    provide reasonable assurance that logical access to the Azure production infrastructure and

    systems is restricted to authorized personnel.

    The following activities/controls were audited in relation to logical security:

    • User Account Management;

    • Server / Device Remote Access.

    The SOC 2 audit reported that the GFS services group has implemented procedures to restrict

    logical access to the system including, but not limited to, the following measures:

    • Logical access security measures to restrict access to information resources not deemed to be public;

    • Identification and authentication of users;

    • Registration and authorization of new users;

    • The process to make changes and updates to user profiles;

    • Distribution of output restricted to authorized users;

    • Restriction of access to offline storage, backup data, systems and media;

    • Restriction of access to system configurations, super-user functionality, master passwords, power utilities and security devices (for example, firewalls).

    The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for tracking

    and monitoring logical assets, as well as determining the associated asset security level

    following a documented methodology.

    2.7.4 System Monitoring and Maintenance

    The SOC 1 audit reported that proper controls are established to provide reasonable assurance

    that the Azure platform is monitored for known security vulnerabilities and potential

    unauthorized activity. An automated logging and alerting system is used for detecting

    unauthorized activity and security events.

    The following activities/controls were audited in relation to system monitoring and

    maintenance:

    • Logging and Monitoring;

    • Patching.

    The SOC 2 audit reported that proper controls are established to monitor the GFS infrastructure

    components and proper actions are taken to maintain compliance within its defined system

    security policies. Security controls are monitored on a regular basis. The GFS group monitors,

    logs, reports and takes appropriate action to resolve events involving critical/suspicious

    activities.


    The 2011 ISO/IEC 27001:2005 audit reported that procedural controls are in place for logging

    and monitoring of individual components of Azure, patch management, and related change

    management. Procedural controls are in place for security incident management. These controls

    define roles and responsibilities, resolution methodology, and communication requirements

    based on criticality. Performance related to the resolution of security incidents is tracked,

    monitored and reported.

    2.7.5 Data Backup, Recovery and Retention

    The SOC 1 audit reported that Microsoft has implemented processes which manage the backup

    of critical Azure components and data, including customer subscriptions, hosted services,

    certificates and deployments.

    The SOC 2 audit reported that the GFS Data Protection Services group which manages the

    secure backup system infrastructure provides secure backup retention and restoration of data in

    the Microsoft Online Services environment.

    The 2013 ISO/IEC 27001:2005 audit reported that backups of key platform components are

    performed on a regular basis and stored in fault tolerant (isolated) facilities. The report also

    verified that controls are in place to test backup and recovery and ensure backup related

    incidents are documented following procedural documents. The audit also reported that the

    recovery and backup process is tested on an annual basis and that procedural controls are in

    place. A business continuity program is in place.

    Data retention policies and procedures are defined and maintained in accordance with regulatory,

    statutory, contractual or business requirements. The Azure backup and redundancy program

    undergoes an annual review and validation. Azure backs up infrastructure data regularly and

    validates restoration of data periodically for disaster recovery purposes (Ref. [13]).

    2.7.6 Confidentiality

    The SOC 1 audit reported that Microsoft provides reasonable assurance that customer secrets

    (such as storage account keys) are protected while in transit and at rest within the Azure

    platform using cryptographic controls. The audit also verified that customer secrets are

    managed in accordance with customer agreements.

    The SOC 1 and SOC 2 audits reported that encryption or other equivalent security techniques are

    used to protect user authentication information and the corresponding session transmitted over

    the internet or other public networks.

    The 2011 ISO/IEC 27001:2005 audit reported that procedures and mechanisms are established

    for effective key management to support encryption of data in storage and in transmission for

    the key components of the Azure service.


    2.7.7 Software Development / Change Management

    The SOC 1 audit reported that a formal SDLC process exists, which governs the development of

    new features or major changes to the Azure platform. The SOC 1 audit also reported that the

    changes performed to the Azure platform are documented, authorized and tested. The Azure

    services group uses four physically and logically isolated environments for software

    development, integration testing, pre-production and production.

    The SOC 2 audit of the GFS services verified adequate IT change management controls are

    established surrounding the following topics:

    • Separation of Environments

    • Segregation of Duties

    • Software Configuration and Changes

    • Hardware Changes

    • Network Changes

    The 2013 ISO/IEC 27001:2005 audit reported that procedural documents covering change

    management are in place, in which the methodology for change and release management is

    defined. Changes are appropriately tested and approved.

    2.7.8 Incident Management

    The SOC 1 audit reported that adequate procedures are established governing how incidents

    within the production environment are documented and resolved in a timely manner. The

    procedures are part of an incident management framework that includes defined process roles,

    responsibilities, and communications for managing the detection, escalation and response to

    incidents.

    The SOC 2 audit reported that procedures exist to identify, classify, escalate, and act upon

    system security breaches and other incidents per assigned criticality and severity. The Azure

    Live Site Support team, with assistance from the Azure team, documents, tracks, and coordinates

    responses to incidents.

    The 2013 ISO/IEC 27001:2005 audit reported that procedural controls are in place for Azure

    security incident management that cover both the core components and active directory. The

    procedures define roles and responsibility, resolution methodology, and communication

    requirements based on severity. Performance related to security incidents is tracked, monitored

    and reported.

    2.7.9 Service Level Agreements

    Microsoft provides Service Level Agreements (SLA) related to Azure platform services, which may

    be downloaded from the Azure website. The following table is an excerpt of the SLA for Cloud

    Services, Virtual Machines (VM) and Virtual Network.


    Cloud Services, Virtual Machines and Virtual Network SLA

    • For Cloud Services, we guarantee that when you deploy two or more role instances in different fault and upgrade domains, your Internet facing roles will have external connectivity at least 99.95% of the time.

    • For all Internet facing Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have external connectivity at least 99.95% of the time.

    • For Virtual Network, we guarantee a 99.9% Virtual Network Gateway availability.

    2.7.10 Risk Assessment

    The SOC 1 audit reported that Microsoft is accountable for the management of short and long

    term corporate risks. Microsoft's internal audit specialization area leaders are responsible for

    determining high-priority risks across the company. Through quarter and year-end reviews,

    designated Microsoft executive and upper management individuals review the issues that may

    have arisen.

    The SOC 2 audit reported that Microsoft's Azure security and compliance team develops,

    maintains and monitors the Information Security program which includes the ongoing Risk

    Assessment process.

    The 2013 ISO/IEC 27001:2005 audit reported that Microsoft effectively follows a documented

    risk management procedure dedicated to the Azure platform.

    2.7.11 Documentation / Asset Management

    The procedure governing software development was audited against a control objective which

    stipulates that the development of new features or major changes must be documented. In

    addition, Microsoft has confirmed to Montrium that a Document and Records Management

    procedure governing protection and retention of documentation is in force. Microsoft has also

    indicated to Montrium that the baseline configuration of Azure components is documented,

    managed, maintained and controlled for access via access control mechanisms. Additionally, this

    configuration is performed according to the Asset management guidelines.

    The 2011 ISO/IEC 27001:2005 audit reported that an Asset Management procedure is in place,

    which provides guidelines for ensuring assets are properly managed. Microsoft defines an asset

    as something that supports the delivery of the Azure Service, including source code, design

    documents, contracts and agreements, system documentation, standard operating procedures,

    business continuity plans, configuration files, etc.


    2.7.12 Training Management

    The SOC 1 audit reported that employee, contractor and third party's roles and responsibilities

    with regards to information security are defined in a related policy and that training and

    awareness is provided on an ongoing basis. The definitions of roles and responsibilities for the

    different functions with regards to information security have been established and are

    documented. Information security training is provided through different channels on a periodic

    basis. Training material was found to cover security policy requirements and training records

    were maintained and up-to-date.

    The SOC 2 audit reported security policies concerning information security and business conduct

    were implemented. Training is mandatory for all employees on these policies. Procedures and

    standards cover policy training and training requirements. Training is documented and

    compliance with training requirements is monitored.

    The 2011 ISO/IEC 27001:2005 audit reported that training pertaining to security, compliance,

    and Microsoft Security Development Lifecycle was mandatory. This audit reported evidence of

    the involvement and commitment of management towards achieving full compliance with this

    requirement.

    2.7.13 Disaster Recovery

    The SOC 2 audit reported that GFS business units at least annually exercise, test and maintain

    business continuity and disaster recovery plans. Microsoft management teams perform and

    document a resiliency assessment specific to the data centers' operations on an annual basis or

    before significant changes.

    The 2013 ISO/IEC 27001:2005 audit reported that business continuity is documented,

    implemented, maintained, tested annually and any issues are tracked to closure. Testing

    includes the simulation of a loss of one cluster and of a data center. The report also states that

    to minimize isolated faults, customer data is automatically replicated within Azure to separate

    nodes.

    2.7.14 Vendor Management

    The SOC 2 audit reported that third party vendors are assessed by the procurement team and if

    appropriate they are added to the approved vendor list that has been established. This process

    is initiated by the creation of a purchase order to employ a third party and requires that a

    Microsoft Master Vendor Agreement be established.

    The 2011 ISO/IEC 27001:2005 audit provides evidence that Microsoft operates in a way that

    supports adequate vendor management. Statement of Work, Service Level Agreement, regular

    Key Performance Indicators reporting, Non-Disclosure Agreement, and Privacy and Data center

    security controls were found to be in place and effective in an applicable instance of a vendor.


    3 Qualification Approach

    The proposed qualification methodology for the Azure platform is aligned with standard methodology as

    described within the GAMP good practice guidelines. According to industry best practices as proposed

    within the GAMP Good Practice Guide: IT Infrastructure Control and Compliance (Ref. [9]), in order for

    an IT infrastructure platform to be considered qualified and compliant, the following critical aspects

    need to be considered:

    • Installation and operational qualification of infrastructure components;

    • Configuration management and change control of infrastructure components;

    • Management of risks to IT Infrastructure;

    • Involvement of service providers in critical infrastructure processes;

    • Security management in relation to access controls, availability of services and data integrity;

    • Data Backup, Restore, Disaster Recovery, Archiving.

    Due to the nature of the cloud environment, there is a shift in certain responsibilities surrounding the

    qualification and management of the underlying cloud infrastructure, which are summarized in Section

    3.2. Qualification is defined as a process of demonstrating the ability of an entity to fulfill specified

    requirements. In the context of an IT Infrastructure, this means demonstrating the ability of components

    such as servers, clients, and peripherals to fulfill the specified requirements for the various platforms

    regardless of whether they are specific or of a generic nature (Ref. [9]). In order to ensure the

    infrastructure components are capable of meeting the requirements, the cloud provider must put in

    place controlled processes, illustrated in Figure 2, to ensure the Service Level Agreements are met. Since

    the Azure platform is not built for specific requirements of the customer's GxP computerized systems, it

    is the responsibility of the regulated user (customer) to verify that the system, as it is configured, is

    capable of meeting the requirements.

    Figure 2 Qualification of Infrastructure vs. Validation of Applications


    Validation consists of demonstrating, with objective evidence, that a system meets the requirements of

    the users and their processes. As such, validation is performed by the regulated users (customer) of the

    GxP computerized systems that reside on the Azure platform.

    In the context of a public IaaS and PaaS cloud service model, the cloud service provider is responsible for

    managing and maintaining the infrastructure components and ensuring that they meet the terms

    defined within the governing Service Level Agreement(s). Microsoft has implemented controls (see

    Section 2.7) which encompass the critical aspects of compliance.


    3.1 GAMP Qualification Phases

    The following are the primary qualification phases as defined within the ISPE, GAMP Good Practice

    Guide: IT Infrastructure Control and Compliance (Ref. [9]), and the recommended activities performed

    within each phase as they relate to the Azure platform.

    Planning

    • Prepare Qualification Plan

    • Identify SOPs which need to be created / updated as a result of using Azure

    Specification and Design

    • Identify system requirements needed to support the GxP application

    • Determine appropriate server architecture and configuration for high availability

    • Determine system backup and restoration requirements

    Risk Assessment and Qualification Test Planning

    • Perform regulatory impact assessment to identify which GxP regulations apply based on the intended use

    • Perform hazard analysis to determine risks associated with hosting the GxP application in an off-premise cloud

    • Define scope of qualification, test specifications and acceptance criteria

    Procurement, Installation and IQ

    • Installation and configuration verification tests

    • Verification that appropriate SLAs are in place

    OQ and Acceptance

    • Verify backup and restore process

    • Verify data archiving process

    • Perform operational and user acceptance tests and verification that GxP applications are fit for intended purpose

    Reporting and Handover

    • Summary Reports

    • Implement Governance Plan for Azure


    Additional information for GxP computerized system validation can be found within the following

    guidance documents:

    • PIC/S - Good Practices for Computerised Systems in Regulated GxP Environments (Ref. [14]);

    • ISPE, GAMP 5 - A Risk-Based Approach to Compliant GxP computerized systems (Ref. [8]).

    3.2 Qualification Activities and Responsibilities

    By utilizing the Azure platform, the customer is effectively outsourcing the management and

    operations of their IT infrastructure to Microsoft. However, it is important to note that, the

    regulated company remains responsible for the regulatory compliance of their IT operations

    regardless of whether they choose to outsource/offshore some or all of their IT Infrastructure

    processes to external service provider(s). Compliance oversight and approvals cannot be

    delegated to the outsource partner. (Ref. [9])

    A summary of the customer's and Microsoft's responsibilities, as they relate to the qualification

    and validation activities, is provided below. A detailed description of each party's responsibilities,

    as they relate to the applicable regulatory requirements, is provided in Section 3.2.2 (21 CFR Part

    11) and Section 3.4 (Annex 11).

    3.2.1 Summary of Customer Responsibilities

    The customer is responsible for performing the following activities for each GxP computerized

    system requiring qualification and validation within the Azure platform:

    • Perform high level risk assessment to identify specific risks associated with hosting the GxP computerized system in a cloud environment and mitigation strategies;

    • Develop or identify procedural controls governing the use of the GxP computerized system. These procedural controls should cover the topics as described in Appendix A, as well as any other controlled processes which are impacted by the GxP computerized system including the following:

        o Use of Microsoft IDs and passwords;

        o Account access to Virtual Machines applications;

        o Compliance management with applicable laws and regulations;

        o Planning and implementation of customer data encryption requirements;

        o Securing Azure SMAPI access certificates;

        o Data access method (public or signed access) for data contained within the Azure Platform;

        o Configuration of Virtual Machines deployed within Azure;

        o Data backup and retrieval upon Azure subscription termination;

        o Protection of secrets associated with accounts;

        o Application software development using a Security Development Lifecycle on Azure;


    o Quality assurance of applications before moving to Azure;

    o Security monitoring for applications developed on Azure;

    o Assessing public Azure security and patch updates;

    o Patch application when not subscribed to auto-upgrade;

    o Incident and alert reporting to Microsoft when those are specific to customer systems and Azure, and support of the Azure team when responding to incidents by providing appropriate and timely information;

    Determine the requirements that apply to the GxP computerized system based on its

    intended use. Configure the Azure environment to meet the requirements, including

    high availability (if required);

    Follow internal procedures governing Qualification and/or Validation processes. Expected deliverables include, but are not limited to:

    o Qualification / Validation plan describing the activities, responsibilities and

    deliverables to be produced for each GxP computerized system installed within

    the Azure platform;

    o Specification documentation describing the GxP computerized system's requirements, functionality and intended use;

    o Risk Assessments covering the high-level intended use of the GxP computerized system and a functional risk assessment of the GxP computerized system features, if required. The assessments should include mitigation actions required to address identified risks;

    o Adaptation and verification of VM configuration to meet the specific resource

    requirements of the GxP computerized system which will be installed on the

    VM;

    o Verification documentation providing evidence that the GxP computerized

    system meets its intended use as defined within relevant specification

    documents;

    Maintain and operate the GxP computerized system in a secure and controlled manner

    according to internally developed procedures as defined above.

    Periodic reviews should be performed to demonstrate continuous control of the

    environment and effectiveness of the configuration management process. Periodic

    verification of the Backup and Restore process should be performed to ensure data can

    be retrieved in the event of data corruption or disaster at the data center.

    3.2.2 Summary of Microsoft Responsibilities

    Microsoft's primary responsibilities as an outsourced cloud service provider are to ensure the Azure platform is managed in a controlled and secured manner, so as to provide the following key elements:

    Confidentiality - ensuring that information is secure and accessible only to those

    authorized to have access;

    Integrity - safeguarding the accuracy and completeness of information and processing

    methods;

    Availability - ensuring that authorized users have access to information and associated

    assets when required.

    Microsoft's specific contractual obligations towards their Azure customers are defined within the governing Service Level Agreements (see Section 2.7.9). The controls identified in Section 2.7 are audited periodically and certified to demonstrate that the above key requirements can be met.

    When new services are deployed within the Azure Platform, they are created using the default

    configuration established by Microsoft. Microsoft is responsible for ensuring the deployed

    services are capable of meeting the specifications and the terms of the SLA(s).

    3.3 US FDA 21 CFR Part 11 Electronic Records; Electronic Signatures Compliance Assessment

    The following table outlines the assessment that was performed on each regulatory requirement of US FDA 21 CFR Part 11 that was identified as in scope in Section 1.2 of this document. The primary objective of the assessment is to identify the procedural and technical controls that are required to satisfy the different regulatory requirements.

    In conjunction with the responsibilities identified in Section 3.2, we further identify which controls

    fall within the responsibility of Microsoft versus the controls that are considered the responsibility

    of the customer when using the Azure platform for regulated GxP computerized systems.

    Sec. 11.10 Controls for closed systems.

    11.10 (a)

    SEC. 11.10 CONTROLS FOR CLOSED SYSTEMS. Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

    11.10 (a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.

    Customer Regulated User

    The customer is responsible for ensuring any GxP computerized system used to produce and/or manage

    electronic records is validated according to an approved and effective procedure. This procedure should

    ensure that the validation verifies accuracy, reliability, consistent intended performance, and the ability to

    discern invalid or altered records. Additional details regarding the qualification / validation activities are

    provided in Section 3.2.1.

    Description of activities, documentation and controls:

    Perform computer system validation activities for GxP computerized systems as defined within the governing computer system validation procedure to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records;

    Verify the software and virtual hardware requirements of the GxP computerized system have been correctly provisioned by the Azure platform;

    Document the qualification/validation activities performed prior to and during the deployment of the GxP computerized systems on the Azure Platform;

    Establish appropriate system performance monitoring to ensure consistent availability and performance of GxP computerized system.

    Microsoft Cloud service provider

    Microsoft is not responsible for validation of the GxP computerized systems installed within the Azure

    platform, as this is the responsibility of the customer. Microsoft is responsible for ensuring the Azure

    platform performs consistently and reliably by implementing adequate controls over the development,

    deployment and testing of the software applications which make up the Azure platform.

    Microsoft meets these requirements through the following controls:

    System Monitoring and Maintenance (see Section 2.7.4)

    Software Development / Change Management (see Section 2.7.7)

    11.10 (b)

    11.10 (b) The ability to generate accurate and complete copies of records in both human readable and electronic form suitable for inspection, review, and copying by the agency. Persons should contact the agency if there are any questions regarding the ability of the agency to perform such review and copying of the electronic records.

    Customer Regulated User

    The customer is responsible for implementing adequate controls to secure the GxP computerized systems

    which contain electronic records and provide appropriate system monitoring. These controls should

    ensure that the electronic records which are stored within the GxP computerized systems on the Azure

    platform are protected to prevent corruption or loss of information. The customer is also responsible for

    ensuring that GxP computerized systems installed on the Azure platform are capable of generating

    accurate and complete copies of records in both human readable and electronic form suitable for

    inspection, review, and copying by the agency.

    Description of activities, documentation and controls:

    Establish Procedure(s) to govern the protection of records to ensure accurate and complete copies are readily available including:

    o Documentation Management to define who is responsible for managing documentation within the organization;

    o Records Retention and Archiving to ensure adequate record retention policies and archive management processes are in place;

    o Backup and Restoration to ensure proper protection of records through backup mechanisms with regular restoration tests;

    o Disaster recovery to ensure that electronic records can be retrieved properly in the event of a disaster and that this retrieval is tested periodically;

    o System Monitoring to ensure consistent availability and performance of GxP computerized system;

    Verify accurate and complete copies of electronic records can be retrieved from the GxP computerized systems;

    Verify that data transfer from GxP computerized systems which store electronic records on the Azure Platform does not impact data integrity;

    Ensure that record retention procedures establish long term archiving controls so that electronic records can be retrieved throughout the required retention period from the Azure platform (or until they are moved to another long term archiving environment outside of the Azure platform).

    Microsoft Cloud service provider

    Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide

    appropriate system monitoring. By protecting and monitoring the Azure platform, these controls help to

    satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are

    continually available.

    Microsoft meets these requirements through the following controls:

    Security Policies and Procedures (see Section 2.7.1)

    Physical Security (see Section 2.7.2)

    Logical Security (see Section 2.7.3)

    System Monitoring and Maintenance (see Section 2.7.4)

    11.10 (c)

    11.10 (c) Protection of records to enable their accurate and ready retrieval throughout the records retention period.

    Customer Regulated User

    The customer is responsible for ensuring that appropriate controls are established to protect records

    pertaining to GxP activities performed within GxP computerized systems which are deployed on the Azure

    platform and to ensure the records are readily available throughout their retention period.

    Description of activities, documentation and controls:

    Establish procedure(s) that govern the following topics:

    o Logical security - describing the security controls which are required in order to prevent unauthorized access to the application;

    o Records Retention and Archiving to ensure adequate record retention policies and archive management processes are in place;

    o Backup and Restoration to ensure proper protection of records through backup mechanisms with regular restoration tests;

    o System Monitoring to ensure consistent availability and performance of GxP computerized system;

    Data repatriation plans are established and tested in the case of contract termination with Microsoft for Azure services.

    Microsoft Cloud service provider

    Microsoft is responsible for implementing adequate controls to secure the Azure platform and provide appropriate system backup and data retention policies. Data backup and retention policies/procedures are defined and maintained in accordance with regulatory, statutory, contractual or business requirements. These controls help to satisfy the above regulatory requirement, such that Microsoft backs up Azure infrastructure data regularly and validates restoration of data periodically for disaster recovery purposes.

    Microsoft meets these requirements through the following controls:

    Security Policies and Procedures (see Section 2.7.1)

    Physical Security (see Section 2.7.2)

    Logical Security (see Section 2.7.3)

    System Monitoring and Maintenance (see Section 2.7.4)

    Data Backup, Recovery and Retention (see Section 2.7.5)

    11.10 (d)

    11.10 (d) Limiting system access to authorized individuals.

    Customer Regulated User

    The customer is responsible for ensuring that an individual must have a valid user account in order to

    access both the Azure platform and any relevant GxP computerized system. Within the Azure platform and

    GxP computerized system, user permissions must be managed by the System Administrator to specify

    what areas of the computerized system are accessible to authorized users.

    Description of activities, documentation and controls:

    Azure customers register for the service by creating a subscription through the Azure Portal web site. Customers manage applications and storage through their subscription using the Azure management portal;

    Ensure proper procedures are established to govern logical and physical security over the terminal devices (e.g. workstations, laptops, etc.) used to access the Azure platform. The procedure should clearly describe how access to the system is managed, as well as how user system access is documented;

    Appropriate System Administration practices are followed for GxP computerized systems installed on the Azure platform based on predefined system administration procedures.

    Microsoft Cloud service provider

    Microsoft is responsible for ensuring adequate controls are established to ensure access to the Azure

    platform is restricted to authorized individuals.

    Microsoft meets these requirements through the following controls:

    Security Policies and Procedures (see Section 2.7.1)

    Physical Security (see Section 2.7.2)

    Logical Security (see Section 2.7.3)

    11.10 (e)

    11.10 (e) Use of secure, computer-generated time-stamped audit trails to independently record the date and time of operator entries and actions that create, modify, or delete electronic records. Record changes shall not obscure previously recorded information. Such audit trail documentation shall be retained for a period at least as long as that required for the subject electronic records and shall be available for agency review and copying.

    Customer Regulated User

    The GxP computerized system installed on the Azure platform should have an auditing feature which

    captures an audit trail of actions performed on electronic records.

    Description of activities, documentation and controls:

    The audit trail feature of the GxP Computerized System deployed on the Azure platform should:

    o Record the information required for audit trails as defined in 21 CFR Part 11.10(e);

    o Store read-only audit trail entries in a secure database and ensure the audit trail remains linked to its respective record throughout its retention period;

    o Ensure that Audit trail information can be accessed and exported from the GxP Computerized System as human readable records;

    Procedure(s) are established governing the following activities:

    o Record retention and archiving - should define how audit trails will be protected throughout their corresponding record's lifetime;

    o Logical security to ensure adequate protection and integrity of audit trails as electronic records in their own right;

    o System Administration procedures for the GxP computerized systems deployed on the Azure platform to ensure the proper management of audit trails;

    o System Monitoring to ensure consistent availability and performance of GxP computerized system.

    Microsoft Cloud service provider

    Microsoft does not provide GxP computerized systems as part of the Azure platform and therefore does not need to implement audit trails. Microsoft is however responsible for implementing adequate controls to secure the Azure platform and provide appropriate system monitoring. By securing and monitoring the Azure platform, these controls help to satisfy the above regulatory requirement, such that the GxP computerized systems are protected and are continually available.

    Microsoft meets these requirements through the following controls:

    Security Policies and Procedures (see Section 2.7.1)

    Physical Security (see Section 2.7.2)

    Logical Security (see Section 2.7.3)

    System Monitoring and Maintenance (see Section 2.7.4)

    Data Backup, Recovery and Retention (see Section 2.7.5)
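
    The audit trail properties listed for the customer under 11.10 (e) (system-generated timestamps, changes that do not obscure earlier values, read-only entries linked to their record, human-readable export) can be illustrated as follows. This is an added example, not code from the guideline, Montrium or Microsoft; the SHA-256 hash chain used to make alterations detectable, the class and field names, and the sample batch record are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry (assumed convention)


def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


class AuditTrail:
    """Append-only trail: entries are added, never updated or removed."""

    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self._entries = []
        self._clock = clock  # time comes from the system, not the operator

    def record(self, user, action, record_id, field=None, old=None, new=None):
        if action not in ("create", "modify", "delete"):
            raise ValueError(f"unsupported action: {action}")
        body = {
            "seq": len(self._entries) + 1,
            "utc": self._clock().isoformat(timespec="seconds"),
            "user": user, "action": action, "record_id": record_id,
            # Old and new values are both kept, so a change never hides history.
            "field": field, "old": old, "new": new,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))

    def entries(self):
        # Hand out copies so callers cannot edit the stored trail in place.
        return [dict(e) for e in self._entries]


def first_invalid(entries):
    """Return the position of the first entry that fails the chain, or None."""
    prev = GENESIS
    for pos, e in enumerate(entries, start=1):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != pos or e["prev_hash"] != prev or _digest(body) != e["hash"]:
            return pos
        prev = e["hash"]
    return None


def export_text(entries):
    """Human-readable copy of the trail, one line per entry."""
    lines = []
    for e in entries:
        change = ""
        if e["field"] is not None:
            change = f' {e["field"]}: {e["old"]!r} -> {e["new"]!r}'
        lines.append(f'{e["seq"]:04d} {e["utc"]} {e["user"]} '
                     f'{e["action"].upper()} {e["record_id"]}{change}')
    return "\n".join(lines)


def demo():
    # Constructed sample data: a fixed clock and a made-up batch record.
    ticks = iter(datetime(2014, 6, 1, 9, m, tzinfo=timezone.utc) for m in (0, 5, 9))
    trail = AuditTrail(clock=lambda: next(ticks))
    trail.record("asmith", "create", "BATCH-001", "yield_kg", None, 41.8)
    trail.record("bjones", "modify", "BATCH-001", "yield_kg", 41.8, 42.1)
    trail.record("asmith", "delete", "BATCH-001")
    stored = trail.entries()
    intact = first_invalid(stored)
    stored[1]["old"] = 42.1  # simulate an edit made directly in storage
    return export_text(trail.entries()), intact, first_invalid(stored)


if __name__ == "__main__":
    print(demo()[0])
```

    The chain detects edited, reordered or removed entries, but not removal of the newest entries; keeping the latest hash in a separately controlled system covers that case.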

    11.10 (f)

    11.10 (f) Use of operational system checks to enforce permitted sequencing of steps and events as appropriate.

    Customer Regulated User

    Operational checks are typically present in the process control mechanisms of GxP computerized systems

    to ensure that operations are not executed outside of the predefined order established by the operating

    group.

    The customer should ensure that GxP computerized systems installed on the Azure platform have been assessed and are capable of fulfilling this requirement.

    Microsoft Cloud service provider

    Within the context of the Azure platform, Microsoft does not have control over operational checks, as

    these would be implemented within the GxP computerized system installed and managed by the

    customer.

    11.10 (g)

    11.10 (g) Use of authority checks to ensure that only authorized individuals can use the system, electronically sign a record, access the operation or computer system input or output device, alter a record, or perform the operation at hand.

    Customer Regulated User

    The customer is responsible for ensuring that adequate authority checks are implemented where

    necessary through the application of security policies and the centralized management of user permissions

    within the GxP computerized system. The customer is responsible for managing the access mechanism to

    the GxP computerized system on the Azure platform (see Section 3.2.1).

    Description of activities, documentation and controls:

    Establish a procedure describing the process for managing user accounts and user permissions for the GxP Computerized System;

    The verification that only authorized users are able to access and alter records contained within the GxP computerized system and Azure platform should be performed as part of the validation effort.

    Microsoft Cloud service provider

    The customer is primarily responsible for implementing and verifying the proper application of authority

    checks in order to fulfill this regulatory requirement. Microsoft may maintain the system which

    authenticates users of the GxP computerized system, and must also manage authentication and security

    for the Azure platform. Microsoft is therefore responsible for ensuring proper controls are established to

    securely manage the user access control system.

    Microsoft meets these requirements through the following controls:

    Security Policies and Procedures (see Section 2.7.1)

    Physical Security (see Section 2.7.2)

    Logical Security (see Section 2.7.3)

    11.10 (h)

    11.10 (h) Use of device (e.g. terminal) checks to determine, as appropriate, the validity of the source of data input or operational instruction.

    Customer Regulated User

    The customer must determine whether the implementation of device checks is required based on the

    intended use of the GxP computerized system and the associated risks. Device checks are warranted in an

    environment where only certain devices have been selected as legitimate sources of data input or

    commands. In such cases, the device checks would be used to determine if the data or command source

    was authorized. If required, the customer is responsible for defining which devices are authorized to

    provide data or operational instructions and implement the necessary controls within the GxP

    computerized system installed on the Azure platform.

    Microsoft Cloud service provider

    Within the context of the Azure cloud services, Microsoft does not have control over device checks, as

    these would be implemented within the GxP computerized system installed and managed by the

    customer.

    11.10 (i)

    11.10 (i) Determination that persons who develop, maintain, or use electronic record/electronic signature systems have the education, training, and experience to perform their assigned tasks.

    Customer Regulated User

    The customer is responsible for establishing procedural controls which define the employee training process and requirements, ensuring that adequate training is provided to an end user prior to using the GxP computerized system. The customer is also responsible for ensuring that the adequate education and experience requirement is met for persons who develop, maintain or use the GxP computerized system(s).

    Description of activities, documentation and controls:

    Ensure that appropriate training policies are established and that training and personnel qualification are documented (i.e. training records, CV).

    Microsoft Cloud service provider

    Microsoft is responsible for maintaining the Azure infrastructure and services which store electronic records, and therefore must ensure appropriate training policies are established and that training and personnel qualification are documented (i.e. training records, CV) for personnel managing and monitoring the Azure services.

    Microsoft meets these requirements through the following controls:

    Training Management (see Section 2.5.12)
