ARCC’s Qualified and Validated Disaster Recovery solution:

  • Provides an FDA 21 CFR Part 11 validated disaster recovery of existing customer systems within the Audit Ready Compliant Cloud environment.
  • Ensures FDA compliance even when an emergency is declared and there is a need to fail over to the disaster recovery site.
  • Maintains the integrity of customer data even when the validated applications creating the data are in the disaster recovery location, instead of the primary site.

Disaster recovery challenges in a regulated environment:

  • The FDA will rely on increased scrutiny during the time of a disaster to ensure that the validated environment in a Disaster Recovery state maintains the strict qualification and validated nature while in the primary computing environment.
  • Most organizations rely on simple backups and restorations at the time of a disaster to bring their computing environment back to a compliant state.
  • Ensuring application level Integrity during times of disaster remains difficult for most organizations.

Disaster recovery solutions in a regulated environment:

  • ARCC’s qualified cloud replication technology ensures regulatory compliance. At the time of a disaster customers can have the same confidence that their disaster recovery environment maintains the validated state that their primary systems maintained prior to the event.
  • The near real-time nature of the ARCC’s disaster recovery solution combined with the qualified environment and validated systems approach ensures that the environment will maintain the qualified state even after a disaster is declared.
  • The ARCC Disaster Recovery solution provides customers with the ability to replicate back to the primary site, immediately after the issue has been resolved at the primary site.

ARCC ’s Audit Ready Compliant Cloud Suite

A suite of Qualified and Validated solutions that provide Life Science companies an FDA 21 CFR Part 11 qualified environment that includes:

  • Qualified Hosting of validated applications to “CREATE” your data.
  • Qualified Disaster Recovery – a validated Disaster Recovery solution to “PROTECT” your data.
  • Qualified Long Term Archiving – a validated long-term archiving to “RETAIN” your data.

Requirements and Risk

FDA Approach to Specific Part 11 Requirements

The Agency intends to exercise enforcement discretion regarding specific Part 11 requirements for:

  1. Validation
  2. Audit Trail
  3. Legacy Systems
  4. Copied of Records
  5. Record Retention

FDA.GOV statistics on 483 letters.

In the event the FDA inspectors request information during an approved retention period, they will hold the company accountable for producing those records and if those records cannot be produced then the companies will be issued with a 483 letter.


Audit Ready Qualified and Validated Disaster Recovery

Granular Protection and Recovery

Hypervisor-based Replication

hypervisor.png

Protect and recover files, VMs, and applications from any point in time

Always-on block-level replication for VMware vSphere and Microsoft Hyper

 

Continuous Data Protection

Full Orchestration

Protect and recover files, VMs, and applications from any point in time

Automate failover, failback, reverse protection and disaster recovery testingr

 

Simple Management

Complete Data Protection

Centralized management for multiple sites

One solution for BC/DR across storage & hypervisors

 

Simple Installation

Aggressive Service Levels

Realize faster RPOs and RTOs

 

Protect Production Workloads

Scalable protection and recovery of multi-VM applications together with consistency groupings

 

Support for Public Cloud

Remove storage lock-in, replicate from anything to anything enabling choice

Install in minutes, no application or storage changes required

 

Storage Agnostic Replication

Remove barriers to entry with storage independent replication

 

Zerto Virtual Replication Appliance

Scale-out architecture, replicates the VMs adn VMDKs/VHDs; one per ESXi/Hyper VC host required

 

Zerto Virtual Manager

Manages disaster recovery, business continuity and offsite backup functionality at the site level; plugs into VMware vCenter and/or System Center Virtual Machine Manager or browser-based option

 

Good System Practice for Life Science

Safe and Secure – Messages, documents & intellectual properties are stored in a safe & secure environment. (SSAE16 collocation facility)

Back Up & Restore – Files, documents, & messages are backed up daily.

Scalable – We grow with your company.

Regulatory Compliant Qualified Infrastructure – Meets

regulatory requirements for qualification while providing ascalable platform to host multiple applications for FDA 21 CFR Part 11 compliance validation.

Flexible – Ability to host multiple applications in the same environment.

Audit Support – We ensure your compliance and ensure the audit is passed with ease.

Security Policy and Procedure Samples

  • CS-POL-020 Master Security Plan
  • SE-POL-001 Network Logging
  • SE-POL-002 Intrusion Detection
  • SE-POL-003 Web Services Security
  • SE-POL-004 Security Risk Acceptance
  • SE-POL-005 Network Log Review
  • SE-POL-007 Privileged Accounts
  • SE-POL-008 Cisco Network Device Compliance Policy
  • SE-POL-011 Firewall Security Policy
  • SE-SOP-014 Network Intrusion Detection System (IDS)
  • SE-SOP-015 Microsoft Server Vulnerability Assessment

Network Security Fabric … FDA 21 CFR Part 11

ARCC’s “Network Security Fabric” protects clients’ regulated environments and provides greater flexibility, mitigation capability and reporting throughout the lifecycle.

Continuous Visibility – Passive Vulnerability Scanning and Log Correlation Engines built into ARCC’s security fabric discern possible threats to customers’ computing security and provide the context necessary to make informed decisions on application protection.

Site Isolation – By leveraging the micro-segmentation ARCC provides logical isolation between individual clients, client studies, and DEV/TST/PRD environments. The basis of this isolation will rely on metadata attached to each workload for classification purposes. (i.e. VM tags)

  • Study Separation
  • Dev Test and Production
  • Separation Client Separation

Network Anomaly Detection – ARCC “Analytics Insights” are used for risk mitigation by providing anomaly and heuristics based threat detection for all workloads hosted within ARCC.

  • Risk Mitigation

Secure Protocol Enforcement – By leveraging ARCC’s policy engine, insecure protocols will be blocked within a client’s internal and external network traffic.

  • Guaranteed PHI Encryption

Network Compliance Reporting (Optional) – The ARCC “Analytics Reporting Engine” provides custom network affinity reports on a per-client basis. Reports will run on a scheduled interval and automatically upload the results (file format TBD) to a dedicated repository for each client.

  • Audit Readiness

ARCC Data Centers for Life Science powered by HOSTING

With SOC audited and PCI compliant data centers in Dallas, Denver, Irvine, Louisville, Newark and San Francisco, HOSTING delivers geographically diverse solutions with unmatched support:

Multiple Datacenters – SOC 2 & 3 Audited, 24-inch raised floor, organized overhead cable management, Fire Detection, Fire Suppression, incorporates Hosting’s Green Design Standards

Data Center Power – N+1 Redundant UPS Power and multiple power feeds, Automatic transfer switches and 14megawatts of building power capacity

Customer Power – 120V & 208V single and three phase circuits available in 20a, 30a or 60a redundant power via divergent power panels and PDUs

Configuration & Support – Multiple cabinet and cage configurations, private cage space available, cabinets are lockable, fire rated, perforated and/or venteddoors for sufficient airflow

Cooling – N+1 HVAC redundant Cooling system, Trane and Liebert Cooling systems, Temperature maintained at 74 degrees F, Humidity maintained at 40%

Bandwidth – Redundancy and automatic failover ensures continual connectivity, Redundant network carriers: Century Link, XO, Time Warner Telecom, Fully meshed routing and switching architecture, Multiple points of entry and diverse paths, 100 Mbps standard network connectivity to cabinets and cages

Security – Seven levels of physical security including keycard access, biometrics, man-trap and on-site security personnel, video monitoring via strategically located interior and exterior cameras providing 90days of video retention for critical areas, 24 x 7 x 365 customer access, Fully staffed, 24 x 7 x 365 NOC and remote hands assistance