23. Audit and Validation Issues for “Cloud” Services: IaaS, PaaS, SaaS

A third emerging option is to subscribe to an internet-based cloud service which provides large scale services for computation, backup storage, and software as a service (SaaS)… PQ can still be performed by users as usual using their work process to validate the ability of the cloud-hosted software application to perform as expected. (p.160)


Infrastructure as a Service (IaaS) is provided by cloud services with the customer having little view into the installation qualification (IQ) and ongoing configuration management (CM) practices of the supplier UNLESS some level of IQ and CM reporting is agreed to in the contract for specific GXP systems. Platform as a Service (PaaS) for software developers and Software as a Service (SaaS) for end users share the same concerns for documented IQ and CM. The following table describes some of the validation and audit concerns for cloud services.

1. Risk profile of data: What is the degree of damage if this data is lost or corrupted? High/Med/Low
2. Location of data: Does this data have regulatory or privacy requirements for its residency in a specific geography, e.g. country, state?
3. Secure & uninterrupted access to data: What guarantees and provisions exist for secure & uninterrupted access to data? What is the compensation for interruptions of service?
4. Provider cannot deny access to data: Contract provision to prevent the provider from denying access to data for any reason, whether business, legal, or financial.
5. Breach notification & remedies: How is the customer notified of security breaches at the cloud provider? What remediation report will be provided under configuration management/change control? Does the provider have cyber-liability insurance to compensate customers for data loss?
6. Data redundancy & backup procedures: What is the data backup strategy and where is the data stored? Can the provider guarantee that de-duplication removal of meta data is prevented for GXP data, so that full and complete meta data records are maintained? What is the process and priority of Disaster Recovery for GXP systems? How is this tested for GXP cloud systems?
7. Return of all data to customer at contract end or provider bankruptcy: How is the customer's data to be returned or transferred at the end of the contract? What is the provision in case of provider bankruptcy?
8. Provider contract allows documented compliance practices that show the vendor's control of the GXP software application, platform configuration, and infrastructure in the cloud:
   - Hosted onsite initial due diligence & ongoing monitoring audits performed
   - Audits as appropriate of provider's subcontractor & third party suppliers
   - Logs & records of performance to contract for CM and change control
   - Contracted IQ records for IaaS, PaaS, and SaaS
   - Customer test environment for change control testing by customer prior to identified major changes to GXP application, operating system, & database
   - Cyber-liability insurance policy relevant content
   - No de-duplication removal of meta data for GXP data


Next Month: Corporate Role for Electronic Records Quality

The Chief Information Officer (CIO) is responsible for providing the IT infrastructure that delivers software applications to end users, but end user management is responsible to authorities for the accuracy and integrity of the electronic records produced. The selection, validation, and use of software applications appropriate to a regulated work process and retention of the e-records produced are the responsibility of the work process owners and ultimately the corporate executives to whom they report. (p.311)