The Control Freak Cometh! Applying Best Practice for Infrastructure Compliance

Upload: david-stephenson

Post on 12-Jan-2015

TRANSCRIPT

Page 1: Control Freak Ver 1.0

The Control Freak Cometh!

Applying Best Practice for Infrastructure Compliance

Page 3

Why Do We Need A Compliant Infrastructure?

Page 4

Compliance with What??

ISO 27001

ITIL

CoBIT

ISO 20000

Sarbanes Oxley

Basel II

FDA & MHRA Regulations 21 CFR 11 etc

Personal Identifiable Data (Caldicott Rule)

ISO 9001-2008

PCI DSS

D. K. Stephenson Regulatory Compliance SME

Page 5

Why Do We Need Compliance?

Is it because:

Everyone in my industry is doing it

Fear of an upcoming regulatory inspection

We want to get control over our Infrastructure

There is probably a little of all these in our reasoning, but we must also consider the question:

“How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”

GAMP GPG IT Infrastructure Control & Compliance

Page 7

Compliance, Regulatory Viewpoint

In the regulated industries (Life Sciences etc), Infrastructure Compliance is achieved by the process of “Qualification”

Where Qualification is defined as:

“The process of demonstrating whether an entity is capable of fulfilling specified requirements. It implies adherence to strict documentation requirements, reviews and approvals”

GAMP GPG IT Infrastructure Control & Compliance

Page 8

Qualification: the I.T. Viewpoint!

A methodology designed to stop me from doing my work!

An unnecessary overhead on already overworked resource!

Something that we write to keep QA quiet (but do not follow!)

A waste of ******* time!

A pain in the *****!

The best thing since sliced bread ????

Page 9

In Short!

Page 10

The Business Viewpoint!

Difficult to get support from the top!

I.T. seen as draconian and inhibitive

Stops the business from doing its business

“I.T. do not understand what we need!”

“This is MY computer, I should be able to do what I want with it!”

Page 11

10 Requirements of Compliance

Compliance Exercise Planning & Execution

Procedures

Compliance Documentation

Security (Logical & Physical)

Acceptance Testing

Training of Support Personnel

Network Recovery

Support Documentation

Change Control

Periodic Review

Page 12

Benefits of a Compliant Infrastructure

Demonstrable Control over processes

Increased Integrity of data

Confidence in being Audit Ready

Transparent view of the infrastructure and how it functions

Easier in-life management and upgrade planning

Procedures available to all IT staff

I.T. and business working together

Adherence to best practice

Reduction in duplication of duties

Page 13

Business Expectations

Cost Effective Solution

Pragmatic Qualification (how much is enough?)

Control Over Processes

Control Over Procedures

Control Over People

Increased Control Of Data: Confidentiality, Integrity, Availability

Confidence In Being Audit Ready

Adherence To Best Practice

Page 14

How High Is That Hill?

Page 15

How High?

Page 16

“Top Ten” Deficiencies (Audited)

Security (Logical & Physical)

Testing (Compliance Exercise)

Change Management/Configuration Management

Operating Procedures

Hardware, Equipment Records, and Maintenance

Training, Education, and Experience

Development Methodology

Compliance Methodology and Planning

Quality Assurance and Auditing

Electronic Records, Electronic Signatures

Page 17

Why So Many?

In general, the majority of IT departments are doing what is right: they are following all or many of the necessary processes, but with ONE MAJOR EXCEPTION!

THEY DO NOT WRITE IT DOWN!!!!!!!!

Page 18

The Auditor's Viewpoint!

IF IT IS NOT WRITTEN DOWN IT DID NOT HAPPEN!

IF IT IS NOT SIGNED IT’S GRAFFITI!

ANYTHING THAT ISN’T DOCUMENTED IS JUST RUMOUR!

Page 19

Where Do I Start?

Page 20

At The Beginning!

Step 1, DO NOT throw the baby out with the bath water!!!

Page 21

1st Steps

Draw up a plan:

What do you want to achieve?

By when?

What resource is available?

What budget is available?

Do not cut corners!

Stick to it!!!!!!

Page 22

Top Tips!

Get buy-in from the top: you need a Sponsor

Assess the situation (Business & I.T.)

Apply a “RISK BASED METHODOLOGY”:

What do we actually need?

Is what we want and what we need different?

Base testing on criticality & use

Base risk on:

– The effect on quality and data

– The likelihood of failure

– The likelihood of detection

Use this to focus on the most critical areas

Page 23

What Do I Need?

Page 24

What Do I Need?

A fully tested Infrastructure

A fully documented Infrastructure

A full set of “workable” processes and procedures

An ongoing compliance maintenance framework

Buy in from senior management

Page 25

How Do I Get There?

Page 26

Documentation: A Warning!

As with everything else in the Compliance world, documentation is key

Attaining a compliant Infrastructure can simply be considered as documented Good IT Practice: ITIL, CoBIT, MOF

Most organisations know the right things to do

Most organisations are doing them (to some extent)

Not all organisations have documented them

Page 27

ITSM Areas for Process and Procedure

General Management

Data Centre Management

Platform Management

Server Management

Network Management

Client Management

Security Management

Data Management

Quality Management

Continuity Management

Page 28

Best Practice Or Controls?

Page 29

What Do Control Frameworks Have In Common?

They possess Business Focus: aligning IT with the business needs

They have Process Orientation: thus ensuring ownership and organisation of processes

There is General Acceptability: backed up by proven best practices (through frameworks)

They possess a Common Language: an accepted terminology used by business & suppliers

They help meet Regulatory Requirements: by meeting compliance with an accepted framework

Page 30

Why Do We Use Control Frameworks?

They already exist, thus no need to reinvent the wheel

They are structured and easy to apply

They are derived from best practice

They are the result of knowledge sharing

They are ultimately auditable

Page 31

CoBIT

CoBIT supports IT Compliance by providing a framework which can ensure that:

The IT strategy is aligned with the business

IT acts as an enabler for the business and maximises its benefits

IT resources are utilised both responsibly and effectively

IT risks are managed and mitigated appropriately

Page 32

IT Infrastructure Library (Ver 3)

ITIL is a Best Practice Framework

ITIL Philosophy – Scalable, Process driven approach

ITIL provides “best practice” guidelines and architectures to ensure that IT processes are closely aligned to business processes and that IT delivers the correct and appropriate business solution

Infrastructure and Service are not separate entities

Page 33

Which Do I Use??

Page 34

How Do CoBIT & ITIL Fit In?

CoBIT focuses on getting the “what is needed” right, without touching on the “how will we do it”

CoBIT helps to introduce a management perspective of Controls, as it operates at a level above the IT technology and possesses business focus

ITIL is the next level down, determining “how will we do it”

ITIL is the operational perspective of controls, operating at the Technology level, and possesses service focus

Page 35

How It All Fits Together

Diagram (labels only): PERFORMANCE: Business Goals; CONFORMANCE: FDA Reg’s, MHRA, SOX etc.; Drivers; IT Governance; Best Practice Standards: ISO 9001:2000, ISO 27001, ISO 20000; Processes and Procedures: QA Procedures; COBIT; Security Principles; ITIL

Page 36

How Do I Keep It Compliant??

Page 37

Periodic Review And Critical Processes

All critical activities should be included in a Periodic Review Strategy:

Initial Qualification Activities

On-going maintenance and support activities

Periodic Reviews can be conducted internally, but inspection observations have set an expectation that the independent quality group should play an appropriate oversight role

Page 38

Periodic Review And Critical Processes cont

Policies should define appropriate roles for IT and Quality

Processes and Procedures should be interlinked, with defined roles, e.g. Disaster Recovery relies on Configuration Management, which is related to Change Management

There should be a consistent set of processes

There Must be Evidence of Control & Adherence to These Processes!!

Page 39

Conclusions

Page 40

Conclusions

We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements, by:

Adopting a Risk Based Approach to Compliance

Adopting and implementing a best practice framework

– CoBIT

– ITIL

Introducing a systematic approach to the initial testing of components, based on their use and criticality

Introducing an ongoing approach to the testing of components, based on the previous testing of their type

Introducing an ongoing compliance program

Page 41

Thank You!

Questions/Comments

[email protected]

+44(0)7891 343814

+44(0)118 931 0249