Merck Managed Cloud (MMC)GxP Systems Assurance GuideFor Amazon Web Services (AWS)

An enterprise-wide framework for hosting GxP Computerized systems in theMerck Managed Cloud

Version No: 1.1

Document ID: R-Amazon Web Services-GD-29028

Date Issued: 20-SEP-2016

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 2 of 28

Document Signatures

Approvers

Christi Van horn

Exec. Dir, Compliance & Risk

Management

IT Risk Mgmt & Security

___________________________________________________

Signature/Date Captured Electronically

Approval above signifies that the approver representing IT Risk Management & Information Security approves this deliverable as acceptable, accurate, and complete in accordance with procedures and also supports this Merck Managed Cloud GxP Systems Assurance Guide.

Randie Schlamowitz

Exec. Director, Global Operations

Management

Global Technology Operations

___________________________________________________

Signature/Date Captured Electronically

Approval above signifies that the approver representing Cloud Services approves this deliverable as acceptable, accurate, and complete in accordance with procedures and also supports this Merck Managed Cloud GxP Systems Assurance Guide.

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 3 of 28

Revision History

Revision Issue Date Authors Description of Change

1.0 20-Jul-2016 Vishwas GadgilDaniel DziadiwSujatha GuruswamyVern HeneryAllan UmandapJeffrey Feist

First Issuance

1.1 20-Sep-2016 Daniel DziadiwSujatha Guruswamy

No changes to the content,

classification label changed to public

with OSTIC (Office of Scientific &

Technical Information Clearance)

Public Clearance approval -

Submission ID: 2016-ms-4206

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 4 of 28

Table of ContentsIntroduction.................................................................................................................................................. 7

Purpose.................................................................................................................................................... 7

Business Drivers..................................................................................................................................... 7

Document Summary .............................................................................................................................. 7

Scope ....................................................................................................................................................... 7

Document Maintenance ........................................................................................................................ 8

Acronyms/Abbreviations/Terms ........................................................................................................... 8

Roles and Responsibilities.................................................................................................................... 8

Background on Cloud Computing and the MMC ................................................................................. 10

Cloud Computing Types...................................................................................................................... 10

Description of the MMC-AWS Architectural Layers ............................................................................ 11

Layer 0 - Data Center & Physical Hardware ................................................................................ 12

Layer 1 - Cloud Infrastructure & Platform Services.....................................................................12

Layer 2 - Cloud Management ......................................................................................................... 12

Layer 3 - Infrastructure & Platform Management ........................................................................ 12

Layer 4 Specific Build/Instance for Commissioning a Service ............................................... 13

Layer 5 - Business Application Layer ............................................................................................ 13

Merck Managed Cloud (MMC) Accounts on AWS .............................................................................. 13

MMC Virtual Private Clouds (MMC-VPC)......................................................................................... 14

Systems Assurance for MMC-AWS GxP Computerized systems .................................................... 16

Layer 0 and 1 - Datacenter & Physical Hardware Layer (Global Infrastructure), Virtual

Infrastructure & Platform Services Layer (Foundational Layer) .................................................... 16

AWS Information Requests to Support Audits and Regulatory Inspections ........................... 17

Layer 0/1 Controls ............................................................................................................................ 18

Layer 2 - Cloud Management Layer..................................................................................................19

Layer 2 Controls ............................................................................................................................... 20

Layer 3 - Infrastructure & Platform Management Layer .................................................................20

Layer 3 Controls ............................................................................................................................... 21

Layer 4 Specific Build/Instance for Commissioning a Service ................................................... 21

Layer 4 Controls ............................................................................................................................... 22

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 5 of 28

Layer 5 - Business Application Layer................................................................................................ 23

Layer 5 Controls ............................................................................................................................... 24

Conclusion................................................................................................................................................. 27

Appendix A Information Requests for Audits and Inspections ....................................................... 28

Information Requests to Support Audits and Regulatory Inspections ......................................... 28

Appendix B AWS Product SLA information ...................................................................................... 28

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 6 of 28

Table of Figures

Figure 1 - Shared Responsibility Model for various cloud offerings ................................................. 11

Figure 2 Cloud Technology IT Resource Layers ............................................................................. 12

Figure 3 - Merck Managed Cloud Accounts......................................................................................... 14

Figure 4 - Implementation & VPCs for GxP Applications ...................................................................15

Figure 5 - MMC-AWS Architectural Overview ..................................................................................... 16

Document ID: Merck Managed Cloud GxP Systems Assurance GuideVersion #: 1.1

Page 7 of 28

Introduction

Purpose

This document describes the approved approach, and required controls, in order to utilize the

Merck Managed Cloud-AWS (MMC-AWS) for GxP, and other higher-risk Systems. The

approach described in this document will enable usage of these cloud technologies with risk that

is similar, or even reduced, compared to system implementations in traditional Merck

Datacenters, or other on-premises installations based on previous generation technologies.

Business Drivers

The Merck Managed Cloud (MMC) is being made available to Merck Business Unit System

Owners and Merck Technical Unit System Owners so that they can take advantage of the

business, technical, and security benefits that the MMC-AWS cloud technology offers. Chief

among these benefits are the following business drivers for MMC:

Trading capital expenses of IT fixed assets and facilities for variable expenses of pay-

per-use IT resources.

Increasing organization efficiency by reducing undifferentiated IT tasks and allowing

Merck to focus on meeting core business, quality and security objectives.

Increase speed and agility in developing, operating and securing computer-related

systems and IT infrastructure through use of cloud services as modular building blocks.

Increased reliability, repeatability and scalability of IT infrastructure through creation of

dynamic, software-defined virtual infrastructure with high availability and fault tolerance

capabilities.

Document Summary

This document provides an overall strategy and approach for implementation of GxP on the

Merck Managed Cloud-AWS (MMC-AWS) to Merck Teams. This includes the key controls

nece