ARCC’s Qualified and Validated Disaster Recovery solution:
- Provides an FDA 21 CFR Part 11 validated disaster recovery of existing customer systems within the Audit Ready Compliant Cloud environment.
- Ensures FDA compliance even when an emergency is declared and there is a need to fail over to the disaster recovery site.
- Maintains the integrity of customer data even when the validated applications creating the data are in the disaster recovery location, instead of the primary site.
Disaster recovery challenges in a regulated environment:
- The FDA will rely on increased scrutiny during the time of a disaster to ensure that the validated environment in a Disaster Recovery state maintains the strict qualified and validated nature it had while in the primary computing environment.
- Most organizations rely on simple backups and restorations at the time of a disaster to bring their computing environment back to a compliant state.
- Ensuring application-level integrity during times of disaster remains difficult for most organizations.
Disaster recovery solutions in a regulated environment:
- ARCC’s qualified cloud replication technology ensures regulatory compliance. At the time of a disaster customers can have the same confidence that their disaster recovery environment maintains the validated state that their primary systems maintained prior to the event.
- The near real-time nature of ARCC’s disaster recovery solution, combined with the qualified environment and validated systems approach, ensures that the environment will maintain the qualified state even after a disaster is declared.
- The ARCC Disaster Recovery solution provides customers with the ability to replicate back to the primary site, immediately after the issue has been resolved at the primary site.
ARCC’s Audit Ready Compliant Cloud Suite
A suite of Qualified and Validated solutions that provide Life Science companies an FDA 21 CFR Part 11 qualified environment that includes:
- Qualified Hosting of validated applications to “CREATE” your data.
- Qualified Disaster Recovery – a validated Disaster Recovery solution to “PROTECT” your data.
- Qualified Long Term Archiving – a validated long-term archiving to “RETAIN” your data.
Requirements and Risk
FDA Approach to Specific Part 11 Requirements
The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements for:
- Audit Trail
- Legacy Systems
- Copies of Records
- Record Retention
FDA.GOV statistics on 483 letters.
In the event FDA inspectors request information during an approved retention period, they will hold the company accountable for producing those records, and if those records cannot be produced the company will be issued a 483 letter.
Audit Ready Qualified and Validated Disaster Recovery
Granular Protection and Recovery
Protect and recover files, VMs, and applications from any point in time
Always-on block-level replication for VMware vSphere and Microsoft Hyper-V
Continuous Data Protection
Protect and recover files, VMs, and applications from any point in time
Automate failover, failback, reverse protection and disaster recovery testing
Complete Data Protection
Centralized management for multiple sites
One solution for BC/DR across storage & hypervisors
Aggressive Service Levels
Realize faster RPOs and RTOs
Protect Production Workloads
Scalable protection and recovery of multi-VM applications together with consistency groupings
Support for Public Cloud
Remove storage lock-in, replicate from anything to anything enabling choice
Install in minutes, no application or storage changes required
Storage Agnostic Replication
Remove barriers to entry with storage independent replication
Zerto Virtual Replication Appliance
Scale-out architecture, replicates the VMs and VMDKs/VHDs; one per ESXi/Hyper-V host required
Zerto Virtual Manager
Manages disaster recovery, business continuity and offsite backup functionality at the site level; plugs into VMware vCenter and/or System Center Virtual Machine Manager or browser-based option
Good System Practice for Life Science
Safe and Secure – Messages, documents & intellectual properties are stored in a safe & secure environment. (SSAE16 collocation facility)
Back Up & Restore – Files, documents, & messages are backed up daily.
Scalable – We grow with your company.
Regulatory Compliant Qualified Infrastructure – Meets regulatory requirements for qualification while providing a scalable platform to host multiple applications for FDA 21 CFR Part 11 compliance validation.
Flexible – Ability to host multiple applications in the same environment.
Audit Support – We ensure your compliance and ensure the audit is passed with ease.
Security Policy and Procedure Samples
- CS-POL-020 Master Security Plan
- SE-POL-001 Network Logging
- SE-POL-002 Intrusion Detection
- SE-POL-003 Web Services Security
- SE-POL-004 Security Risk Acceptance
- SE-POL-005 Network Log Review
- SE-POL-007 Privileged Accounts
- SE-POL-008 Cisco Network Device Compliance Policy
- SE-POL-011 Firewall Security Policy
- SE-SOP-014 Network Intrusion Detection System (IDS)
- SE-SOP-015 Microsoft Server Vulnerability Assessment
Network Security Fabric … FDA 21 CFR Part 11
ARCC’s “Network Security Fabric” protects clients’ regulated environments and provides greater flexibility, mitigation capability and reporting throughout the lifecycle.
Continuous Visibility – Passive Vulnerability Scanning and Log Correlation Engines built into ARCC’s security fabric discern possible threats to customers’ computing security and provide the context necessary to make informed decisions on application protection.
Site Isolation – By leveraging micro-segmentation, ARCC provides logical isolation between individual clients, client studies, and DEV/TST/PRD environments. This isolation will rely on metadata attached to each workload for classification purposes (i.e. VM tags).
- Study Separation
- Dev, Test and Production Separation
- Client Separation
Network Anomaly Detection – ARCC “Analytics Insights” are used for risk mitigation by providing anomaly and heuristics based threat detection for all workloads hosted within ARCC.
- Risk Mitigation
Secure Protocol Enforcement – By leveraging ARCC’s policy engine, insecure protocols will be blocked within a client’s internal and external network traffic.
- Guaranteed PHI Encryption
Network Compliance Reporting (Optional) – The ARCC “Analytics Reporting Engine” provides custom network affinity reports on a per-client basis. Reports will run on a scheduled interval and automatically upload the results (file format TBD) to a dedicated repository for each client.
- Audit Readiness
ARCC Data Centers for Life Science powered by HOSTING
With SOC audited and PCI compliant data centers in Dallas, Denver, Irvine, Louisville, Newark and San Francisco, HOSTING delivers geographically diverse solutions with unmatched support:
Multiple Datacenters – SOC 2 & 3 Audited, 24-inch raised floor, organized overhead cable management, Fire Detection, Fire Suppression, incorporates Hosting’s Green Design Standards
Data Center Power – N+1 Redundant UPS Power and multiple power feeds, Automatic transfer switches and 14 megawatts of building power capacity
Customer Power – 120V & 208V single and three phase circuits available in 20a, 30a or 60a redundant power via divergent power panels and PDUs
Configuration & Support – Multiple cabinet and cage configurations, private cage space available, cabinets are lockable, fire rated, perforated and/or vented doors for sufficient airflow
Cooling – N+1 HVAC redundant Cooling system, Trane and Liebert Cooling systems, Temperature maintained at 74 degrees F, Humidity maintained at 40%
Bandwidth – Redundancy and automatic failover ensures continual connectivity, Redundant network carriers: Century Link, XO, Time Warner Telecom, Fully meshed routing and switching architecture, Multiple points of entry and diverse paths, 100 Mbps standard network connectivity to cabinets and cages
Security – Seven levels of physical security including keycard access, biometrics, man-trap and on-site security personnel, video monitoring via strategically located interior and exterior cameras providing 90 days of video retention for critical areas, 24 x 7 x 365 customer access, Fully staffed, 24 x 7 x 365 NOC and remote hands assistance