If you can't read please download the document
Upload
lamkhue
View
634
Download
117
Embed Size (px)
Citation preview
Merck Managed Cloud (MMC)GxP Systems Assurance GuideFor Amazon Web Services (AWS)
An enterprise-wide framework for hosting GxP Computerized systems in theMerck Managed Cloud
Version No: 1.1
Document ID: R-Amazon Web Services-GD-29028
Date Issued: 20-SEP-2016
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 2 of 28
Document Signatures
Approvers
Christi Van horn
Exec. Dir, Compliance & Risk
Management
IT Risk Mgmt & Security
___________________________________________________
Signature/Date Captured Electronically
Approval above signifies that the approver representing IT Risk Management & Information Security approves this deliverable as acceptable, accurate, and complete in accordance with procedures and also supports this Merck Managed Cloud GxP Systems Assurance Guide.
Randie Schlamowitz
Exec. Director, Global Operations
Management
Global Technology Operations
___________________________________________________
Signature/Date Captured Electronically
Approval above signifies that the approver representing Cloud Services approves this deliverable as acceptable, accurate, and complete in accordance with procedures and also supports this Merck Managed Cloud GxP Systems Assurance Guide.
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 3 of 28
Revision History
Revision Issue Date Authors Description of Change
1.0 20-Jul-2016 Vishwas GadgilDaniel DziadiwSujatha GuruswamyVern HeneryAllan UmandapJeffrey Feist
First Issuance
1.1 20-Sep-2016 Daniel DziadiwSujatha Guruswamy
No changes to the content,
classification label changed to public
with OSTIC (Office of Scientific &
Technical Information Clearance)
Public Clearance approval -
Submission ID: 2016-ms-4206
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 4 of 28
Table of ContentsIntroduction.................................................................................................................................................. 7
Purpose.................................................................................................................................................... 7
Business Drivers..................................................................................................................................... 7
Document Summary .............................................................................................................................. 7
Scope ....................................................................................................................................................... 7
Document Maintenance ........................................................................................................................ 8
Acronyms/Abbreviations/Terms ........................................................................................................... 8
Roles and Responsibilities.................................................................................................................... 8
Background on Cloud Computing and the MMC ................................................................................. 10
Cloud Computing Types...................................................................................................................... 10
Description of the MMC-AWS Architectural Layers ............................................................................ 11
Layer 0 - Data Center & Physical Hardware ................................................................................ 12
Layer 1 - Cloud Infrastructure & Platform Services.....................................................................12
Layer 2 - Cloud Management ......................................................................................................... 12
Layer 3 - Infrastructure & Platform Management ........................................................................ 12
Layer 4 Specific Build/Instance for Commissioning a Service ............................................... 13
Layer 5 - Business Application Layer ............................................................................................ 13
Merck Managed Cloud (MMC) Accounts on AWS .............................................................................. 13
MMC Virtual Private Clouds (MMC-VPC)......................................................................................... 14
Systems Assurance for MMC-AWS GxP Computerized systems .................................................... 16
Layer 0 and 1 - Datacenter & Physical Hardware Layer (Global Infrastructure), Virtual
Infrastructure & Platform Services Layer (Foundational Layer) .................................................... 16
AWS Information Requests to Support Audits and Regulatory Inspections ........................... 17
Layer 0/1 Controls ............................................................................................................................ 18
Layer 2 - Cloud Management Layer..................................................................................................19
Layer 2 Controls ............................................................................................................................... 20
Layer 3 - Infrastructure & Platform Management Layer .................................................................20
Layer 3 Controls ............................................................................................................................... 21
Layer 4 Specific Build/Instance for Commissioning a Service ................................................... 21
Layer 4 Controls ............................................................................................................................... 22
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 5 of 28
Layer 5 - Business Application Layer................................................................................................ 23
Layer 5 Controls ............................................................................................................................... 24
Conclusion................................................................................................................................................. 27
Appendix A Information Requests for Audits and Inspections ....................................................... 28
Information Requests to Support Audits and Regulatory Inspections ......................................... 28
Appendix B AWS Product SLA information ...................................................................................... 28
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 6 of 28
Table of Figures
Figure 1 - Shared Responsibility Model for various cloud offerings ................................................. 11
Figure 2 Cloud Technology IT Resource Layers ............................................................................. 12
Figure 3 - Merck Managed Cloud Accounts......................................................................................... 14
Figure 4 - Implementation & VPCs for GxP Applications ...................................................................15
Figure 5 - MMC-AWS Architectural Overview ..................................................................................... 16
Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1
Page 7 of 28
Introduction
Purpose
This document describes the approved approach, and required controls, in order to utilize the
Merck Managed Cloud-AWS (MMC-AWS) for GxP, and other higher-risk Systems. The
approach described in this document will enable usage of these cloud technologies with risk that
is similar, or even reduced, compared to system implementations in traditional Merck
Datacenters, or other on-premises installations based on previous generation technologies.
Business Drivers
The Merck Managed Cloud (MMC) is being made available to Merck Business Unit System
Owners and Merck Technical Unit System Owners so that they can take advantage of the
business, technical, and security benefits that the MMC-AWS cloud technology offers. Chief
among these benefits are the following business drivers for MMC:
Trading capital expenses of IT fixed assets and facilities for variable expenses of pay-
per-use IT resources.
Increasing organization efficiency by reducing undifferentiated IT tasks and allowing
Merck to focus on meeting core business, quality and security objectives.
Increase speed and agility in developing, operating and securing computer-related
systems and IT infrastructure through use of cloud services as modular building blocks.
Increased reliability, repeatability and scalability of IT infrastructure through creation of
dynamic, software-defined virtual infrastructure with high availability and fault tolerance
capabilities.
Document Summary
This document provides an overall strategy and approach for implementation of GxP on the
Merck Managed Cloud-AWS (MMC-AWS) to Merck Teams. This includes the key controls
nece