Ref-Proj/Dossier

Ref-Sub
Date

RP2200/1 – Criteria of evaluation concerning services for the pharmaceutical industry, provided through Cloud Technologies - Part 1 Infrastructure as a service (IaaS)

Table of Contents
Introduction
Scope
Field of Application
Definitions
Regulatory framework
Other references
Concepts
Item under evaluation identification
Evaluation Criteria /Application
  Locality
  Data Integrity
    Availability
    Incident management
  Monitoring
  Confidentiality
  Security
    Physical security
      Inside a data center
      Between data centers
    Cryptographic security
      Cryptographic security at rest
      Cryptographic security in transit
    Access security
  Isolation
  Conformities
Bibliography

Codema Pharma - RP2200 - Part 1 Rev 01
Codema’s protocols may not be copied, edited, scanned, or duplicated, in whole or in part

Introduction
The pharmaceutical industry, as a complex and structured environment, requires a large amount of activity to be performed transparently: the quality of each ingredient, on-time product shipping, and storage and transport conditions should all be handled in accordance with high quality standards and the official pharmaceutical requirements.

The attainment of this quality objective is the responsibility of all personnel in many different departments and at all levels within the company, including the company’s suppliers and its distributors. To achieve this quality objective reliably, there must be a fully documented system whose effectiveness is continuously monitored by the Pharmaceutical Quality System on the basis of Good Manufacturing Practice (GMP) and Quality Risk Management (QRM) principles.

In the context of Infrastructure as a Service, there are many providers of public and private infrastructures.
These providers differ in terms of the types and quality of the provided infrastructures. In the pharmaceutical
industry, there is much concern about the availability, reliability, security, and confidentiality of the data. It
is important to evaluate how those properties are ensured by the cloud provider at any level of the
infrastructure.

Assuring data integrity is an essential part of the technology for guaranteeing the safety, quality, identity, purity and effectiveness of pharmaceutical products and processes, with the aim of protecting the health and safety of patients.

Scope
The present protocol is the first of a series of protocols that provide evaluation criteria for assessing the suitability of IT architectures used to provide services based on Cloud technologies.

It is recommended that the present protocol be applied to providers of services that use Cloud technologies. The evaluation issued by Codema on the basis of the information collected through the protocol will help pharma companies to better assess the providers (and the relevant services).

Competent auditors duly acknowledged by Codema shall apply the present protocols and carry out relevant verifications and testing according to the criteria and requirements provided herein.

Field of Application
The present general protocol applies to all providers and relevant IT architectures concerning services
provided (or to be provided) within the pharmaceutical industry, by using cloud technologies.

Definitions
Unless explicitly mentioned, in this protocol we use the definitions of ISO/IEC 17788:2014 Information
technology — Cloud computing — Overview and vocabulary.

Regulatory framework
- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”,
Annex 11 “Computerised Systems” (effective since 30 June 2011)

- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”,
Annex 15 “Qualification and Validation” (effective since 1 October 2015)

- Eudralex, Volume 4 “Good Manufacturing Practice Medicinal Products for Human and Veterinary Use”, Part
III “GMP related documents”, Document “Q9 Quality Risk Management” (effective since January 2006)

- Draft document for comments WHO Guideline on Validation. Working document “QAS/16.667/Rev.2”,
Appendix 5 “Validation of Computerized Systems” (written in August 2018)

- PICS “Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments”. Document
“PI 041-1 (Draft 3)” (written on 30 November 2018)

Other references:
The nomenclature used in this protocol is fully compatible with ISO/IEC 17788:2014. The architecture used
for the analysis of IaaS platforms is fully compatible with ISO/IEC 17789:2014.

Disclaimer
The present protocol shall be implemented under the direction of an expert.

Each specific case needs to be properly addressed. Codema shall not be responsible and/or accountable for
any issue arising from application of the present protocol.

Codema is not responsible for inaccurate or false information provided by the manufacturer to the qualified
CAE (Codema Acknowledged Expert) auditor during the audit, which may affect the reliability of the final
evaluation.

The structure of the evaluation system and organization of contents, method of procedures of protocols of
evaluation constitute exclusive intellectual property of Codema Pharma S.A. (Codema). Codema Cloud
Technologies Project has been entirely developed by Codema and exclusively belongs to Codema. Codema’s
protocols may not be copied, edited, scanned, or duplicated, in whole or in part.

Concepts
Unless explicitly mentioned in the following chapter, in this protocol we use the definitions provided by
ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary.

Availability

Property of being accessible and usable upon demand by an authorized entity.

Confidentiality

Property that information is not made available or disclosed to unauthorized individuals, entities, or
processes.

Information security

Preservation of confidentiality (3.1.2), integrity (3.1.4) and availability (3.1.1) of information.

Integrity

Property of accuracy and completeness.

Party

Natural person or legal person, whether or not incorporated, or a group of either.

Service level agreement (SLA)

Documented agreement between the service provider and customer that identifies services and service
targets.

Cloud auditor

Cloud service partner with the responsibility to conduct an audit of the provision and use of cloud services.

Cloud capabilities type

Classification of the functionality provided by a cloud service to the cloud service customer, based on
resources used.

Cloud computing

Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources
with self-service provisioning and administration on-demand.

Cloud deployment model

Way in which cloud computing can be organized based on the control and sharing of physical or virtual
resources.

Cloud service

One or more capabilities offered via cloud computing invoked using a defined interface.

Cloud service customer

Party which is in a business relationship for the purpose of using cloud services.

Cloud service customer data

Class of data objects under the control, by legal or other reasons, of the cloud service customer that were
input to the cloud service, or resulted from exercising the capabilities of the cloud service by or on behalf of
the cloud service customer via the published interface of the cloud service.

Cloud service derived data

Class of data objects under cloud service provider control that are derived as a result of interaction with the
cloud service by the cloud service customer.

Cloud service partner

Party which is engaged in support of, or auxiliary to, activities of either the cloud service provider or the cloud
service customer, or both.

Cloud service provider

Party which makes cloud services available.

Cloud service provider data

Class of data objects, specific to the operation of the cloud service, under the control of the cloud service
provider.

Cloud service user

Natural person, or entity acting on their behalf, associated with a cloud service customer that uses cloud
services.

Data portability

Ability to easily transfer data from one system to another without being required to re-enter data.

Infrastructure as a Service (IaaS)

Cloud service category in which the cloud capabilities type provided to the cloud service customer is an
infrastructure capabilities type.

Infrastructure capabilities type

Cloud capabilities type in which the cloud service customer can provision and use processing, storage or
networking resources.

Measured service

Metered delivery of cloud services such that usage can be monitored, controlled, reported and billed.

Multi-tenancy

Allocation of physical or virtual resources such that multiple tenants and their computations and data are
isolated from and inaccessible to one another.

Private cloud

Cloud deployment model where cloud services are used exclusively by a single cloud service customer and
resources are controlled by that cloud service customer.

Public cloud

Cloud deployment model where cloud services are potentially available to any cloud service customer and
resources are controlled by the cloud service provider.

Resource pooling

Aggregation of a cloud service provider's physical or virtual resources to serve one or more cloud service
customers.

Item under evaluation identification
This protocol is implemented by the expert to evaluate a specific instance of the IaaS. This section identifies
the item under evaluation. Please note that the results of this evaluation are only valid for the exact item
identified by the following information. The change of any of the following will require a new evaluation.

| Full name / Short description | Value |
| --- | --- |
| IaaS product’s name | |
| IaaS provider’s company | |
| IaaS provider’s company legal address | |
| Evaluation quarter | |

Evaluation Criteria /Application

1. Locality

A cloud infrastructure is composed of several data centers connected together.

Where data centers are located and how they are distributed have a significant impact on data integrity. Please complete the following section, including the numeric value of the parameter at the time of writing and, optionally, the identifier of an attachment that describes the strategy to optimize its value in the future.

| Sub-Section | Documentation | Value | Attachment Nr° |
| --- | --- | --- | --- |
| 1.1 | List of countries where data centers are located | | |
| 1.2 | Total number of data centers | | |
| 1.3 | Number of data centers per country | | |
| 1.4 | List the locations with less than 3 data centers | | |

2. Data Integrity

The integrity of the data stored in the data centers is a critical requirement for an IaaS provider.
At any time the cloud provider must ensure that the data is available, accessible and uncorrupted.

2.1. Availability
Data availability and reliability are ensured by replication, checksum and regeneration strategies. Please
complete the following section describing the strategies adopted to ensure data integrity.

| Sub-Section | Documentation | Value | Attachment Nr° |
| --- | --- | --- | --- |
| 2.1.1 | Frequently accessed storage | | |
| 2.1.1/A | Describe the adopted replication strategies | | |
| 2.1.1/B | Data durability SLA (percentage) | | |
| 2.1.1/C | Data availability SLA (percentage) | | |
| 2.1.2 | Long term storage | | |
| 2.1.2/A | Describe the adopted corruption avoidance strategies | | |
| 2.1.2/B | Data durability SLA (percentage) | | |
| 2.1.2/C | Data availability SLA (percentage) | | |

2.2. Incident management


A data center can be subject to incidents and system failures at any level, from damage to a single hardware component to the crash of the whole data center. Any incident should be identified and reported. For the known types of incident, a procedure should be clearly documented and understood by the responsible parties.

Each document should describe how the issue is mitigated and which recovery actions are planned in case of an incident.

| Sub-Section | Documentation | Mitigation plan available | Recovery plan available | Attachments |
| --- | --- | --- | --- | --- |
| 2.2.1 | Physical hardware running customer applications | | | |
| 2.2.1/A | Failure in a physical computing node | | | |
| 2.2.1/B | Failure in a physical storage node | | | |
| 2.2.1/C | Failure of a physical network | | | |
| 2.2.1/D | Outage of power | | | |
| 2.2.2 | Virtual hardware running customer applications | | | |
| 2.2.2/A | Failure of the hypervisor layer | | | |
| 2.2.3 | Whole data center | | | |
| 2.2.3/A | Outage of power in the whole area | | | |
| 2.2.3/B | Partial or total disruption of a data center | | | |
| 2.2.3/C | Where are the long-term storage (backups) warehouses located with respect to the data centers | | | |

3. Monitoring
Each of the users should always be allowed to determine the state of the system through dedicated metrics.
Those metrics should be offered through easy-to-use portals so that their usage is not restricted to technical
users. Access to those portals should be granted to all users to enhance transparency.
Users should be promptly notified of any incident or failure regarding the infrastructure running their
applications.

| Sub-Section | Documentation | Availability | Reporting times/freq. | Attachment Nr° (optional) |
| --- | --- | --- | --- | --- |
| 3/A | Availability of metrics about the physical state of the infrastructure | | | |
| 3/B | Availability of metrics about the state of running applications | | | |
| 3/C | Notifications about incidents or failures | | | |
| 3/D | Notifications about intrusion detection | | | |
| 3/E | Notifications about hacking attacks | | | |

4. Confidentiality
Most of the data handled by the cloud infrastructure is confidential. Cloud providers must ensure that no
one can access the user’s data unless explicitly authorized.

For each entry in the following table describe who can access the related data and which privacy techniques
are in place to ensure confidentiality.

| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 4/A | Access to the physical hardware | | |
| 4/B | Access to the data at rest | | |
| 4/C | Access to the data in transit | | |
| 4/D | Disposal of used storage hardware | | |

5. Security
Security is crucial to prevent unauthorized access to confidential data. In a cloud infrastructure, security must be ensured at different levels, from physical access to the hardware to remote access to the virtual infrastructure.

5.1. Physical security


Starting from the physical layer, the cloud provider must apply policies that enforce security constraints on access to the physical infrastructure.

5.1.1. Inside a data center


This section will examine how security is ensured inside the physical location of a data center.

For each entry in the following table describe who can perform the described action and which privacy
policies are in place to ensure security.

| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 5.1.1/A | Access the data center | | |
| 5.1.1/B | Access the physical hardware | | |
| 5.1.1/C | Prevent confidential data from leaving the data center | | |
| 5.1.1/D | Managing technical vulnerabilities | | |

5.1.2. Between data centers
This section will examine how security is ensured while data is moving from one data center to another.

Please describe in detail how the following operations are performed.

| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 5.1.1/A | How are communications between data centers performed | | |
| 5.1.2/B | How is confidentiality ensured while data is moving between data centers | | |

5.2. Cryptographic security


Encryption is widely used to enforce access constraints on confidential data. Data must be protected both
while stored on the cloud infrastructure (at rest) and while moving (in transit).

5.2.1. Cryptographic security at rest


| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 5.2.1/A | What types of encryption are supported | | |
| 5.2.2/B | Who has access to the encryption keys | | |
| 5.2.3/C | What support is available for user defined encryption keys | | |

5.2.2. Cryptographic security in transit


| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 5.2.1/A | What types of encryption are supported | | |
| 5.2.2/B | Who has access to the encryption keys | | |
| 5.2.3/C | What support is available for user defined encryption keys | | |

5.3. Access security


Remote access between customers and the cloud infrastructure must also be secure. Customers may transfer confidential data between the cloud infrastructure and their on-premise infrastructure. It is the responsibility of the cloud provider to ensure that data is transferred securely and uncorrupted, and to prevent data from being lost or intercepted by unauthorized third parties.

Provide, in the following table, a description of the measures adopted to secure the customers’ access to the cloud infrastructure.

| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 5.3/A | How is the remote access to the cloud infrastructure performed | | |
| 5.3/B | How is the remote access to the cloud infrastructure secured | | |
| 5.3/C | How is unauthorized access prevented | | |
| 5.3/D | How are hacking attacks prevented | | |
| 5.4/E | Type and frequency of penetration tests performed | | |

6. Isolation
In a cloud infrastructure many users share the same hardware. This section will explore the policies
adopted to ensure isolation of a user environment inside the cloud infrastructure.

Please give a detailed description of each topic in the following table.

| Section | Documentation | Detailed description available | Attachment Nr. |
| --- | --- | --- | --- |
| 6/A | What strategies are in place to isolate data in a shared storage | | |
| 6/B | What strategies are in place to isolate computations on a shared hardware | | |
| 6/C | What strategies are in place to isolate network traffic | | |

7. Conformities

| Section | Documentation | Value | Attachment Nr° (optional) |
| --- | --- | --- | --- |
| | Certifications | | |
| | Previous evaluations | | |
| | Previous inspections or audits | | |
| | List of third-party companies involved in the management of confidential data | | |

Bibliography

[1] ISO/IEC 17788:2014 Information technology — Cloud computing — Overview and vocabulary

[2] ISO/IEC 17789:2014 Information technology — Cloud computing — Reference architecture

Codema Pharma, July 2021

RP2200 Rev 01-2021
