With the advent of internet technologies and the fast-growing popularity of cloud computing, it won't be long before most regulated organisations adopt cloud computing and use it as the de facto standard across their day-to-day activities.
With a multitude of cloud applications coming online almost every month, what questions do you need to ask to discover whether these applications can be used in a regulated environment?
We've put together a list of the top 25 questions that need to be asked as part of the service level agreement (SLA).
Question 1
What level of security, both physical and electronic, will exist?
Question 2
Will the cloud be public, private or a combination of both?
Question 3
Who has privileged access to data?
Question 4
Where is the location of the data? (Different laws for different countries)
Question 5
How is the data segregated?
Question 6
What are the data recovery procedures?
Question 7
What is the data availability?
Question 8
What happens to the data at service termination?
Question 9
How is patch and bug fix management handled?
Question 10
What are your software configuration procedures?
Question 11
How do you manage change control?
Question 12
Is the cloud/application on a validated server?
Question 13
Does the cloud/application have a full audit trail?
Question 14
Does the cloud/application have the functionality to become 21 CFR Part 11 compliant?
Question 15
Has the cloud been audited to SAS70 or SSAE16?
Question 16
Will the cloud support existing client business processes?
Question 17
Have workflows been established between client and vendor (cloud)?
Question 18
Will an in-house support team need to be established for configuration and maintenance issues?
Question 19
Access to data/records/archives/back-ups: who, when, how?
Question 20
Does the vendor have a robust QMS?
Question 21
Does it have guidance affecting change management, and how will this be handled from vendor to client?
Question 22
Hardware maintenance and management: who is responsible?
Question 23
Does the solution allow for different environments (e.g. Sandbox, Development, QA, Production)?
Question 24
How are these environments different?
Question 25
How is data maintained across environments?
Answers to these questions may assist in appropriately scoping and defining the level of effort for validation. The verification methods and objective evidence will most likely be quite different from anything anyone has seen to date.
Contributors
- Russel Regan
- WGutierrez
- Bruce Neagle
- Jason Demmi
- Bill Becker
- Carl Miller MeD