The Control Freak Cometh!
Applying Best Practice for Infrastructure Compliance
Agenda

- Why Do We Need A Compliant Infrastructure?
- How High Is That Hill?
- Where Do I Start?
- What Do I Need?
- How Do I Get There?
- Best Practice Or Controls?

D. K. Stephenson Regulatory Compliance SME
Why Do We Need A Compliant Infrastructure?

Compliance with What??

- ISO 27001
- ITIL
- CoBIT
- ISO 20000
- Sarbanes Oxley
- Basel II
- FDA & MHRA Regulations
  - 21 CFR 11 etc
- Personal Identifiable Data (Caldicott Rule)
- ISO 9001-2008
- PCI DSS

Why Do We Need Compliance?

- Is it because:
  - Everyone in my industry is doing it
  - Fear of an upcoming regulatory inspection
  - We want to get control over our Infrastructure
- There is probably a little of all these in our reasoning, but we must also consider the question:

  “How can we consider a system to be validated if we are not confident that we have control of the infrastructure on which it runs?”
  (GAMP GPG: IT Infrastructure Control & Compliance)

What does “Under Compliance” mean?

It means that the:

- Planning
- Organisation
- Installation
- Use
- Maintenance

of the I.T. infrastructure is Controlled and Documented.

Compliance, Regulatory Viewpoint

- In the regulated industries (Life Sciences etc), Infrastructure Compliance is achieved by the process of “Qualification”
- Where Qualification is defined as:

  “The process of demonstrating whether an entity is capable of fulfilling specified requirements. It implies adherence to strict documentation requirements, reviews and approvals”
  (GAMP GPG: IT Infrastructure Control & Compliance)

Qualification: the I.T. Viewpoint!

- A methodology designed to stop me from doing my work!
- An unnecessary overhead on already overworked resource!
- Something that we write to keep QA quiet (but do not follow!)
- A waste of ******* time!
- A pain in the *****!
- The best thing since sliced bread????

In Short!

The Business Viewpoint!

- Difficult to get support from the top!
  - I.T. seen as draconian and inhibitive
  - Stops the business from doing its business
  - “I.T. do not understand what we need!”
  - “This is MY computer, I should be able to do what I want with it!”

10 Requirements of Compliance

- Compliance Exercise Planning & Execution
- Procedures
- Compliance Documentation
- Security (Logical & Physical)
- Acceptance Testing
- Training of Support Personnel
- Network Recovery
- Support Documentation
- Change Control
- Periodic Review

Benefits of a Compliant Infrastructure

- Demonstrable Control over processes
- Increased Integrity of data
- Confidence in being Audit Ready
- Transparent view of the infrastructure and how it functions
- Easier in-life management and upgrade planning
- Procedures available to all IT staff
- I.T. and business working together
- Adherence to best practice
- Reduction in duplication of duties

Business Expectations

- Cost Effective Solution
  - Pragmatic Qualification (how much is enough?)
  - Control Over Processes
  - Control Over Procedures
  - Control Over People
- Increased Control Of Data
  - Confidentiality
  - Integrity
  - Availability
- Confidence In Being Audit Ready
- Adherence To Best Practice

How High Is That Hill?

How High?

“Top Ten” Deficiencies (Audited)

- Security (Logical & Physical)
- Testing (Compliance Exercise)
- Change Management/Configuration Management
- Operating Procedures
- Hardware, Equipment Records, and Maintenance
- Training, Education, and Experience
- Development Methodology
- Compliance Methodology and Planning
- Quality Assurance and Auditing
- Electronic Records, Electronic Signatures

Why So Many?

- In general, the majority of IT departments are doing what is right: they are following all or many of the necessary processes, but with ONE MAJOR EXCEPTION!

THEY DO NOT WRITE IT DOWN!!!!!!!!

The Auditor’s Viewpoint!

IF IT IS NOT WRITTEN DOWN IT DID NOT HAPPEN!

IF IT IS NOT SIGNED IT’S GRAFFITI!

ANYTHING THAT ISN’T DOCUMENTED IS JUST RUMOUR!

Where Do I Start?

At The Beginning!

- Step 1, DO NOT throw the baby out with the bath water!!!

1st Steps

- Draw up a plan:
  - What do you want to achieve?
  - By when?
  - What resource is available?
  - What budget is available?
  - Do not cut corners!
  - Stick to it!!!!!!

Top Tips!

- Get buy-in from the top; you need a Sponsor
- Assess the situation (Business & I.T.)
- Apply a “RISK BASED METHODOLOGY”
  - What do we actually need?
  - Is what we want and what we need different?
  - Base testing on criticality & use
  - Base risk on
    - The effect on quality and data
    - The likelihood of failure
    - The likelihood of detection
  - Use this to focus on the most critical areas

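The three risk factors above (effect on quality and data, likelihood of failure, likelihood of detection) can be turned into a ranking that decides how much acceptance testing each component receives. The following is an added illustration, not code from the deck or from GAMP: the Low/Medium/High scales, the two-step combination, the test-depth bands and the component inventory are all assumptions.

```python
"""Rank infrastructure components for compliance testing effort.

Added illustration (not from the slide deck): scores each component on the
three factors the deck names and maps the result to a testing depth, so the
most critical, least detectable failures get the most attention.  Scales,
matrices and the inventory are assumptions.
"""
from dataclasses import dataclass

# Assumed three-point scale for every factor.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Component:
    name: str
    impact: str      # effect on product quality / data integrity if it fails
    failure: str     # likelihood that it fails
    detection: str   # likelihood that a failure is noticed before harm is done


def _level(value: str) -> int:
    """Map 'low'/'medium'/'high' to 1..3; reject anything else loudly."""
    try:
        return LEVELS[value.lower()]
    except KeyError:
        raise ValueError(f"expected low/medium/high, got {value!r}") from None


def risk_class(impact: str, failure: str) -> int:
    """Step 1 (assumed matrix): combine effect on quality/data with failure
    likelihood into a risk class 1 (lowest) .. 3 (highest).  A high-impact
    component never drops below class 2; a low-impact one never exceeds 2."""
    score = _level(impact) + _level(failure)   # 2..6
    if score >= 5:
        return 3
    if score >= 3:
        return 2
    return 1


def priority(component: Component) -> int:
    """Step 2 (assumed matrix): the harder a failure is to detect, the higher
    the priority.  Detection likelihood is inverted so that 'high'
    detectability lowers the priority.  Returns 1..3."""
    rc = risk_class(component.impact, component.failure)
    undetectability = 4 - _level(component.detection)   # high -> 1, low -> 3
    score = rc + undetectability                        # 2..6
    if score >= 5:
        return 3
    if score >= 3:
        return 2
    return 1


# Assumed bands: "base testing on criticality & use".
TEST_DEPTH = {
    3: "full acceptance testing, independent QA review",
    2: "targeted testing of critical functions",
    1: "minimal testing, rely on type/vendor testing",
}


def plan_testing(components):
    """Return (name, priority, recommended test depth) ordered by priority,
    highest first, then by name so the order is deterministic."""
    ranked = sorted(components, key=lambda c: (-priority(c), c.name))
    return [(c.name, priority(c), TEST_DEPTH[priority(c)]) for c in ranked]


# Constructed sample inventory (assumption, not from the deck).
INVENTORY = [
    Component("LIMS database server", "high", "medium", "low"),
    Component("Domain controller", "high", "low", "high"),
    Component("Backup server", "medium", "medium", "low"),
    Component("Office print server", "low", "low", "high"),
    Component("Core switch", "high", "low", "high"),
]

if __name__ == "__main__":
    for name, prio, depth in plan_testing(INVENTORY):
        print(f"{prio}  {name:<22} {depth}")
```

Note that the backup server outranks the domain controller: a medium-impact component whose failures go unnoticed lands in the top band, which is exactly the focusing effect the "likelihood of detection" factor is meant to have.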
What Do I Need?

What Do I Need?

- A fully tested Infrastructure
- A fully documented Infrastructure
- A full set of “workable” processes and procedures
- An ongoing compliance maintenance framework
- Buy-in from senior management

How Do I Get There?

Documentation: A Warning!

- As with everything else in the Compliance world, documentation is key
- Attaining a compliant Infrastructure can simply be considered as documented Good IT Practice
  - ITIL
  - CoBIT
  - MOF
- Most organisations know the right things to do
- Most organisations are doing them (to some extent)
- Not all organisations have documented them

ITSM Areas for Process and Procedure

- General Management
- Data Centre Management
- Platform Management
- Server Management
- Network Management
- Client Management
- Security Management
- Data Management
- Quality Management
- Continuity Management

Best Practice Or Controls?

What Do Control Frameworks Have In Common?

- They possess Business Focus
  - Aligning IT with the business needs
- They have Process Orientation
  - Thus ensuring ownership and organisation of processes
- There is General Acceptability
  - Backed up by proven best practices (through frameworks)
- They possess a Common Language
  - An accepted terminology used by business & suppliers
- They help meet Regulatory Requirements
  - By meeting compliance with an accepted framework

Why Do We Use Control Frameworks?

- They already exist, thus no need to reinvent the wheel
- They are structured and easy to apply
- They are derived from best practice
- They are the result of knowledge sharing
- They are ultimately auditable

CoBIT

- CoBIT supports IT Compliance by providing a framework which can ensure that:
  - The IT strategy is aligned with the business
  - IT acts as an enabler for the business and maximises its benefits
  - IT resources are utilised both responsibly and effectively
  - IT risks are managed and mitigated appropriately

IT Infrastructure Library (Ver 3)

- ITIL is a Best Practice Framework
  - ITIL Philosophy: scalable, process-driven approach
  - ITIL provides “best practice” guidelines and architectures to ensure that IT processes are closely aligned to business processes and that IT delivers the correct and appropriate business solution
  - Infrastructure and Service are not separate entities

Which Do I Use??

How Do CoBIT & ITIL Fit In?

- CoBIT focuses on getting the “what is needed” right, without touching on the “how will we do it”
- CoBIT helps to introduce a management perspective of Controls, as it operates at a level above the IT technology and possesses business focus
- ITIL is the next level down, determining “how will we do it”
- ITIL is the operational perspective of controls, operating at the Technology level, and possesses service focus

How It All Fits Together

(Layered diagram, reconstructed as text; read each column top to bottom.)

Drivers:                   PERFORMANCE: Business Goals  |  CONFORMANCE: FDA Regs, MHRA, SOX etc.
IT Governance:             COBIT
Best Practice Standards:   ISO 9001:2000  |  ISO 27001  |  ISO 20000
Processes and Procedures:  QA Procedures  |  Security Principles  |  ITIL

How do I Keep it Compliant??

Periodic Review And Critical Processes

- All critical activities should be included in a Periodic Review Strategy
  - Initial Qualification Activities
  - On-going maintenance and support activities
- Periodic Reviews can be conducted internally, but inspection observations have set an expectation that the independent quality group should play an appropriate oversight role

Periodic Review And Critical Processes (cont.)

- Policies should define appropriate roles for IT and Quality
- Processes and Procedures should be interlinked, with defined roles
  - e.g. Disaster Recovery relies on Configuration Management, which is related to Change Management
  - There should be a consistent set of processes

There Must be Evidence of Control & Adherence to These Processes!!

Conclusions

Conclusions

- We can achieve and maintain a pragmatic qualification of IT Infrastructure, which meets both Regulatory and Business requirements, by:
  - Adopting a Risk Based Approach to Compliance
  - Adopting and implementing a best practice framework
    - CoBIT
    - ITIL
  - Introducing a systematic approach to the initial testing of components, based on their use and criticality
  - Introducing an ongoing approach to the testing of components, based on the previous testing of their type
  - Introducing an ongoing compliance program

Thank You!

Questions/Comments
David.Stephenson@CTG.com
+44(0)7891 343814
+44(0)118 931 0249